Issue with vault agent injector - pods not getting init container if 1 of 2 injectors restarts

kyleherrmann1 · October 4, 2023, 8:28pm

We’ve deployed the vault agent injector into kubernetes and set it to 2 replicas and are using the default value from the helm chart:

  leaderElector:
    enabled: true

Whenever the cluster takes a node offline, where an injector pod lives, it appears that all of our application pods that also restart during this time fail to get an init container injected into the pod, which puts those pods into a CLB situation until they are deleted.

kyleherrmann1 · October 11, 2023, 4:11pm

Ultimately, the workaround is to set the webhook failurePolicy to Fail from Ignore. This ensures that pods don’t get scheduled until the webhook is successful. And a pod without secrets is generally useless, so this seems like a reasonable workaround.

Topic		Replies	Views
Prevent pod scheduling without injector Vault k8s , vault	1	292	March 22, 2022
Vault init container injection fails intermittently Vault vault	1	341	November 24, 2023
Vault Agent Injector is not able to intercept pod Vault k8s	1	121	May 21, 2024
Vault-agent-injector fails if replicas > 1 Vault vault	2	214	October 2, 2023
Error: Vault agent injector Vault k8s	0	383	July 27, 2020

Issue with vault agent injector - pods not getting init container if 1 of 2 injectors restarts

Related topics