Prevent pod scheduling without injector

Hi, we are using vault-k8s to inject vault-agents in our pods and it works fine, but there is a problematic use case and I am not sure how to solve it:
When draining a node, the injector might get relocated. If for any reason a pod starts at this exact moment, it will not have the vault agent and will fail. Is there a way to tell my pods to never start if the injector is not running?

Hey @schmurfy,

You can edit the injector mutating webhook configuration to Fail whenever the mutating webhook call itself fails. By default this is set to Ignore.

Please do keep in mind that you should scope the configuration only to a specific namespace and/or resources to prevent all your workloads (including the injector) from starting.
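
A scoped fail-closed webhook configuration along the lines of the reply above, as an added example that is not part of the original thread or the project's own manifests. The object names, the service reference, the `vault` namespace and the `vault-injection: enabled` label are assumptions; match them to what your installation created.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: vault-agent-injector-cfg          # assumed name of the injector's webhook config
webhooks:
  - name: vault.hashicorp.com             # assumed webhook name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 10
    # Ignore (the default mentioned above) admits the pod unmodified when the
    # webhook call fails, so it starts without an agent.
    # Fail rejects the pod instead; its controller retries the create later.
    failurePolicy: Fail
    # Scope the fail-closed behaviour to opted-in namespaces only.
    namespaceSelector:
      matchLabels:
        vault-injection: enabled          # constructed opt-in label
      matchExpressions:
        # Never match the injector's own namespace, otherwise the injector
        # pod cannot be rescheduled while the webhook is down.
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["vault"]               # assumed injector namespace
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    clientConfig:
      service:
        name: vault-agent-injector-svc    # assumed service name
        namespace: vault                  # assumed injector namespace
        path: /mutate                     # assumed webhook path
      caBundle: "<BASE64_CA_BUNDLE>"      # placeholder, not a real value
```

With this scoping, pod creation in labelled namespaces is rejected while the webhook is unreachable, and unlabelled namespaces (including the injector's) are not affected.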