Vault Agent Injector leader election for HA in Kubernetes

dlmonagas · April 25, 2022, 2:41am

Hi all,

After enabling the leaderElector option on Helm Chart, Does anyone know why the second agent (pod) is constantly trying to get information from de Kubernetes cluster nodes?

Here are some logs from Kubernetes Audit on AWS EKS 1.20:

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Request",
    "auditID": "b00969a3-0af0-42ee-8cad-5c586aed3c54",
    "stage": "ResponseComplete",
    "requestURI": "/api/v1/nodes/ip-10-22-2-28.us-east-2.compute.internal",
    "verb": "get",
    "user": {
        "username": "system:serviceaccount:default:injection-agent-injector",
        "uid": "006c1be9-b49d-4f42-a362-0c2b74e3b612",
        "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:default",
            "system:authenticated"
        ]
    },
    "sourceIPs": [
        "10.22.3.84"
    ],
    "userAgent": "vault-k8s/v0.0.0 (linux/amd64) kubernetes/$Format",
    "objectRef": {
        "resource": "nodes",
        "name": "ip-10-22-2-28.us-east-2.compute.internal",
        "apiVersion": "v1"
    },
    "responseStatus": {
        "metadata": {},
        "status": "Failure",
        "reason": "Forbidden",
        "code": 403
    },
    "requestReceivedTimestamp": "2022-04-25T02:23:18.881221Z",
    "stageTimestamp": "2022-04-25T02:23:18.881621Z",
    "annotations": {
        "authentication.k8s.io/legacy-token": "system:serviceaccount:default:injection-agent-injector",
        "authorization.k8s.io/decision": "forbid",
        "authorization.k8s.io/reason": ""
    }
}

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Request",
    "auditID": "1d92dc9c-ee27-4e82-ab89-615028945a1f",
    "stage": "ResponseComplete",
    "requestURI": "/api/v1/nodes/ip-10-22-2-28.us-east-2.compute.internal",
    "verb": "get",
    "user": {
        "username": "system:serviceaccount:default:injection-agent-injector",
        "uid": "006c1be9-b49d-4f42-a362-0c2b74e3b612",
        "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:default",
            "system:authenticated"
        ]
    },
    "sourceIPs": [
        "10.22.3.84"
    ],
    "userAgent": "vault-k8s/v0.0.0 (linux/amd64) kubernetes/$Format",
    "objectRef": {
        "resource": "nodes",
        "name": "ip-10-22-2-28.us-east-2.compute.internal",
        "apiVersion": "v1"
    },
    "responseStatus": {
        "metadata": {},
        "status": "Failure",
        "reason": "Forbidden",
        "code": 403
    },
    "requestReceivedTimestamp": "2022-04-25T02:23:36.058352Z",
    "stageTimestamp": "2022-04-25T02:23:36.058727Z",
    "annotations": {
        "authentication.k8s.io/legacy-token": "system:serviceaccount:default:injection-agent-injector",
        "authorization.k8s.io/decision": "forbid",
        "authorization.k8s.io/reason": ""
    }
}

Part of the configuration that I’m using on Helm values.yaml file:

  leaderElector:
    enabled: true

  replicas: 2
  failurePolicy: "Fail"

Could someone explain this?

Best,

Daniel LM

tvoran · May 11, 2022, 5:34am

I wonder if this is something to do with affinity checking in k8s, since the default affinity for multiple replicas of the injector is set to run each replica on a different k8s node. But as far as I know the vault-k8s injector isn’t querying k8s nodes directly.

Topic		Replies	Views
Issue with vault agent injector - pods not getting init container if 1 of 2 injectors restarts Vault	1	374	October 11, 2023
Vault Agent Deployment - Pod not initiating Vault	2	1037	September 21, 2021
Vault Agent Injector not injecting secrets into EKS pods Vault	1	72	July 16, 2024
Vault Agent Injector is not able to intercept pod Vault k8s	1	140	May 21, 2024
Can't get vault-agent-init container to get a secret from Vault Vault k8s , vault	1	3213	September 28, 2021

Vault Agent Injector leader election for HA in Kubernetes

Related topics