Injector is skipping Contour and Envoy pods

[stefanprodan]

Bug Report

What is the issue?

Contour 1.1.0 comes with header mutation support so I tried to run it inside linkerd but the injector skips both contour and envoy pods.

How can it be reproduced?

• install Contour
• enable injection on projectcontour ns
• restart pods

Logs, error output, etc

time="2020-01-10T12:10:56Z" level=info msg="running version stable-2.6.1"
time="2020-01-10T12:10:56Z" level=info msg="waiting for caches to sync"
time="2020-01-10T12:10:56Z" level=info msg="caches synced"
time="2020-01-10T12:10:56Z" level=info msg="starting admin server on :9995"
time="2020-01-10T12:10:56Z" level=info msg="listening at :8443"
time="2020-01-10T12:12:42Z" level=info msg="received admission review request 806457ab-33a2-11ea-922a-023bc7a3941a"
time="2020-01-10T12:12:42Z" level=info msg="received pod/contour-54fcc8d966-"
time="2020-01-10T12:12:42Z" level=info msg="skipped pod/contour-54fcc8d966-: pod has a sidecar injected already"
time="2020-01-10T12:12:42Z" level=info msg="received admission review request 807053ff-33a2-11ea-922a-023bc7a3941a"
time="2020-01-10T12:12:42Z" level=info msg="received pod/contour-54fcc8d966-"
time="2020-01-10T12:12:42Z" level=info msg="skipped pod/contour-54fcc8d966-: pod has a sidecar injected already"
time="2020-01-10T12:12:44Z" level=info msg="received admission review request 819a1587-33a2-11ea-922a-023bc7a3941a"
time="2020-01-10T12:12:44Z" level=info msg="received pod/envoy-"
time="2020-01-10T12:12:44Z" level=info msg="skipped pod/envoy-: pod has a sidecar injected already"
time="2020-01-10T12:12:53Z" level=info msg="received admission review request 87524abb-33a2-11ea-922a-023bc7a3941a"
time="2020-01-10T12:12:53Z" level=info msg="received pod/envoy-"
time="2020-01-10T12:12:53Z" level=info msg="skipped pod/envoy-: pod has a sidecar injected already"
time="2020-01-10T12:17:02Z" level=info msg="received admission review request 1bf1b902-33a3-11ea-922a-023bc7a3941a"
time="2020-01-10T12:17:02Z" level=info msg="received pod/contour-54fcc8d966-"
time="2020-01-10T12:17:02Z" level=info msg="skipped pod/contour-54fcc8d966-: pod has a sidecar injected already"
time="2020-01-10T12:17:03Z" level=info msg="received admission review request 1bfe3d83-33a3-11ea-922a-023bc7a3941a"
time="2020-01-10T12:17:03Z" level=info msg="received pod/contour-54fcc8d966-"
time="2020-01-10T12:17:03Z" level=info msg="skipped pod/contour-54fcc8d966-: pod has a sidecar injected already"
time="2020-01-10T12:17:13Z" level=info msg="received admission review request 2232ca65-33a3-11ea-922a-023bc7a3941a"
time="2020-01-10T12:17:13Z" level=info msg="received pod/envoy-"
time="2020-01-10T12:17:13Z" level=info msg="skipped pod/envoy-: pod has a sidecar injected already"
time="2020-01-10T12:17:13Z" level=info msg="received admission review request 224afe06-33a3-11ea-922a-023bc7a3941a"
time="2020-01-10T12:17:13Z" level=info msg="received pod/envoy-"
time="2020-01-10T12:17:13Z" level=info msg="skipped pod/envoy-: pod has a sidecar injected already"

linkerd check output

kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ control plane PodSecurityPolicies exist

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ controller pod is running
√ can initialize the client
√ can query the control plane API

linkerd-api
-----------
√ control plane pods are ready
√ control plane self-check
√ [kubernetes] control plane can talk to Kubernetes
√ [prometheus] control plane can talk to Prometheus
√ no invalid service profiles

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ control plane is up-to-date
√ control plane and cli versions match

Status check results are √

Environment

• Kubernetes Version: 1.14
• Cluster Environment: EKS
• Host OS:
• Linkerd version: stable-2.6.1

Possible solution

Additional context

[stefanprodan]

So after removing contour and envoy from:

func HasExistingSidecars(podSpec *corev1.PodSpec) bool {
	for _, container := range podSpec.Containers {
		if strings.HasPrefix(container.Image, "gcr.io/linkerd-io/proxy:") ||
			strings.HasPrefix(container.Image, "gcr.io/istio-release/proxyv2:") ||
			strings.HasPrefix(container.Image, "docker.io/envoyproxy/envoy-alpine:") ||
			container.Name == k8s.ProxyContainerName ||
			container.Name == "istio-proxy" {
			return true
		}
	}

	for _, ic := range podSpec.InitContainers {
		if strings.HasPrefix(ic.Image, "gcr.io/linkerd-io/proxy-init:") ||
			strings.HasPrefix(ic.Image, "gcr.io/istio-release/proxy_init:") ||
			ic.Name == "linkerd-init" ||
			ic.Name == "istio-init" {
			return true
		}
	}

	return false
}

The linkerd-proxy from the envoy pod crashes at startup with:

time="2020-01-10T14:03:44Z" level=info msg="running version stable-2.6.1"
time="2020-01-10T14:03:44Z" level=info msg="Using with pre-existing key: /var/run/linkerd/identity/end-entity/key.p8"
time="2020-01-10T14:03:44Z" level=info msg="Using with pre-existing CSR: /var/run/linkerd/identity/end-entity/key.p8"
Invalid configuration: invalid environment variable

[arminbuerkle]

@stefanprodan Invalid configuration: invalid environment variable can be fixed by setting automountServiceAccountToken: true in the envoy daemonset.

[arminbuerkle]

can be fixed by setting automountServiceAccountToken: true in the envoy daemonset.

The better solution is to add a proper service account to envoy.

---

I submitted a PR to remove the envoy/contour restrictions.