From d379001223d168a4c81bba745ae2a607ed2638ce Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Tue, 29 Sep 2020 09:31:01 +0200
Subject: [PATCH] Disable istio injection for scan/parser/hook pods
---
 .../controllers/execution/scans/hook_reconciler.go | 3 +++
 .../controllers/execution/scans/parse_reconciler.go | 3 +++
 .../controllers/execution/scans/scan_reconciler.go | 10 ++++++++++
 3 files changed, 16 insertions(+)
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
index 28e0d4ee..7dcbb231 100644
--- a/operator/controllers/execution/scans/hook_reconciler.go
+++ b/operator/controllers/execution/scans/hook_reconciler.go
@@ -376,6 +376,9 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 Annotations: map[string]string{
 "auto-discovery.experimental.securecodebox.io/ignore": "true",
 },
+ Labels: map[string]string{
+ "sidecar.istio.io/inject": "false",
+ },
 },
 Spec: corev1.PodSpec{
 ServiceAccountName: serviceAccountName,
diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
index 09a88bd3..0d99dcbd 100644
--- a/operator/controllers/execution/scans/parse_reconciler.go
+++ b/operator/controllers/execution/scans/parse_reconciler.go
@@ -94,6 +94,9 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 Annotations: map[string]string{
 "auto-discovery.experimental.securecodebox.io/ignore": "true",
 },
+ Labels: map[string]string{
+ "sidecar.istio.io/inject": "false",
+ },
 },
 Spec: corev1.PodSpec{
 RestartPolicy: corev1.RestartPolicyNever,
diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
index e8c7a65f..6eca8c14 100644
--- a/operator/controllers/execution/scans/scan_reconciler.go
+++ b/operator/controllers/execution/scans/scan_reconciler.go
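Review bot: The new `Labels` entry in createJobForHook's pod template turns off Istio sidecar injection unconditionally and without a comment saying why, and the identical addition in startParser (parse_reconciler.go) has the same gap. A pod without the proxy is outside the mesh, so mTLS and authorization policies enforced through Istio do not cover what the hook or parser sends, and under strict mTLS its calls to in-mesh services would presumably be refused. I would document that on the field, e.g. `// No Istio sidecar: <reason>. Traffic from this pod is not protected by mesh mTLS/policy.`, and move the key and value into one shared constant so the three reconcilers cannot drift apart. It is also worth confirming that the Istio versions you support honour this key as a label rather than only as a pod annotation, since the `Annotations` map is right above it. Both function bodies start and end outside these hunks.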
@@ -187,6 +187,16 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e }, }) + // Ensuring that istio doesn't inject a sidecar proxy. + // This currently messes with + if job.Spec.Template.ObjectMeta.Labels != nil { + job.Spec.Template.ObjectMeta.Labels["sidecar.istio.io/inject"] = "true" + } else { + job.Spec.Template.ObjectMeta.Labels = map[string]string{ + "sidecar.istio.io/inject": "false", + } + } + // merging volume mounts (for the primary scanner container) from ScanType (if existing) with standard results volume mount if job.Spec.Template.Spec.Containers[0].VolumeMounts == nil || len(job.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 { job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{}
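Review bot: The non-nil branch sets `sidecar.istio.io/inject` to `"true"`, so a scan Job whose pod template already carries labels (presumably from the ScanType) opts in to sidecar injection, which is the opposite of what the comment above it and the else branch intend. The assignment should read `job.Spec.Template.ObjectMeta.Labels["sidecar.istio.io/inject"] = "false"`; initialising the map when it is nil and then assigning once would remove the duplicated branch that let the two values diverge. The comment also stops mid-sentence at `This currently messes with` and should name what the proxy interferes with. constructJobForScan starts and ends outside the hunk, so where the existing labels come from is not visible here.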