Update the template to support extraVolumes & extraVolumeMounts field for AdmissionWebhooks Job Manifest #13031

Open
Pravin-Kumar-GitHub opened this issue Mar 24, 2025 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

@Pravin-Kumar-GitHub

We were trying to disable the AutoMountServiceAccountToken for the Admissions Webhook Create Secret and Patch Webhook jobs. However, when we set AMT to False, the job fails unless we set the ExtraVol and ExtraVolMounts. However, it seems that the two attributes are not included within the templates.

The Kubernetes version we're currently using is 1.30.9.

https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml

https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

Is there a way to include extraVolume & extraVolumeMounts in the template for future helm versions? Is there an alternative method to resolve this?

@Pravin-Kumar-GitHub Pravin-Kumar-GitHub added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 24, 2025
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Mar 24, 2025
@Gacko
Member

Gacko commented Mar 24, 2025

I assume your cloud provider is recommending disabling automountServiceAccountToken, right? This recommendation is made for people having it enabled, because this is the default, but not needing API server access. These jobs in fact need API server access, so disabling it and manually implementing the service account token mounting is just making the maintenance of your deployment unnecessarily more complex.

Still I understand your issue and the need for such volumes if the automountServiceAccountToken is disabled. Unfortunately we currently do not have the capacity to implement such a feature.

I therefore can only propose 3 solutions to you:

  • Use CertManager and disable the whole Webhook Patch Job.
  • Keep automountServiceAccountToken enabled and ignore the alert.
  • Provide a PR to implement such a feature.
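
For reference, the manual service account token mount discussed in this thread looks roughly like this in a plain Job manifest. This is an added example, not part of the issue or of the ingress-nginx chart; the Job name, service account name and image are placeholders, and no chart values are used.

```yaml
# Added example. Names and image are placeholders, not values from the chart.
apiVersion: batch/v1
kind: Job
metadata:
  name: example-admission-create              # placeholder
spec:
  template:
    spec:
      serviceAccountName: example-admission   # placeholder; RBAC still applies to it
      automountServiceAccountToken: false     # kubelet no longer injects the token volume
      restartPolicy: OnFailure
      containers:
        - name: create
          image: registry.example/certgen:placeholder   # placeholder
          volumeMounts:
            - name: sa-token
              # Path that in-cluster Kubernetes clients read by default
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      volumes:
        - name: sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600     # short-lived token, rotated by the kubelet
              - configMap:
                  name: kube-root-ca.crt      # cluster CA bundle published in each namespace
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
```

The three projected sources reproduce the `token`, `ca.crt` and `namespace` files that the kubelet mounts on its own when automountServiceAccountToken is left enabled.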

@arjunbabuust

Hi @Gacko

Could you please explain the steps to submit a PR for this Change Request?

@arjunbnair97

Added PR: #13127

FYI @Gacko @Pravin-Kumar-GitHub
