Description of problem: kubevirt/CNV datavolume importer pod inability to disable sidecar injection if namespace has sidecar injection enabled but VM Template does NOT Version-Release number of selected component (if applicable): OCP 4.4 CN 2.3.0 How reproducible: always Steps to Reproduce: 1. Annotate namespace for sidecar injection 2. create VM template utilizing a datavolume and disable sidecar injection. 3.Apply the template. 4. the Import pod comes up and has the sidecar injected. Actual results: Expected results: The expected result is NOT to have the sidecar injected into the importer pod Additional info:
(In reply to Nabeel Cocker from comment #0) > Description of problem: > kubevirt/CNV datavolume importer pod inability to disable sidecar injection > if namespace has sidecar injection enabled but VM Template does NOT > > > > > > Version-Release number of selected component (if applicable): > OCP 4.4 > CN 2.3.0 > > How reproducible: > always > > Steps to Reproduce: > 1. Annotate namespace for sidecar injection > 2. create VM template utilizing a datavolume and disable sidecar injection. Can you explain how sidecar injection is disabled in the VM by providing an example VM.yaml file with the needed elements to do this?
issue is if namespace has SM enabled it will default inject sidecar with all pods , if cu has a requirement to run Container & CVN VM under one project with namespace has Service Mesh enabled , datavolume importer-pod should have it disabled or some logic to check that its an importer pod & will be Terminated once import is complete & no need to inject sidecar , due to sidecar injection it's never deleted post import & stays there we may have scenario where need to run container & cnv in same namespace tested in lab Env & with SM enabled in namespace, CNV (cdi) importer pod has envoy proxy sidecar injected & pod never terminate post import filed upstream bug https://github.com/kubevirt/containerized-data-importer/issues/1449
CNV-6812 PR (https://github.com/kubevirt/containerized-data-importer/pull/1480) adds the ability to pass specific annotations (defined in the DV or PVC) to the transfer Pods. The one relevant annotation here is: sidecar.istio.io/inject: "false" The fix was manually tested and documented in CNV-8332, on upstream CDI v1.27.0.
Test on the AspenMesh cluster with latest cdi, annotation for sidecar works well. Steps for verifying the bz: $ oc label namespace default istio-injection=enabled $ oc get namespace default -L istio-injection NAME STATUS AGE ISTIO-INJECTION default Active 6d8h enabled $ cat << EOF | oc create -f - apiVersion: cdi.kubevirt.io/v1beta1 kind: DataVolume metadata: name: test-dv2 annotations: sidecar.istio.io/inject: "false" spec: source: http: url: "http://$url/Fedora-Cloud-Base-33-1.2.x86_64.qcow2" pvc: accessModes: - ReadWriteOnce resources: requests: storage: 10Gi EOF $ oc get dv NAME PHASE PROGRESS RESTARTS AGE test-dv2 Succeeded 100.0% 20m If create the dv without the annotation(sidecar.istio.io/inject: "false"), got crashed for the importer pod $ oc get pod NAME READY STATUS RESTARTS AGE importer-test-dv1 1/2 CrashLoopBackOff 25 105m $ oc get dv NAME PHASE PROGRESS RESTARTS AGE test-dv1 ImportInProgress N/A 111m seems it's better to report a new bug for the pod crash without annotation
Clearing an old needinfo. The priority was indeed raised as requested.
@Anil, here is the bug https://bugzilla.redhat.com/show_bug.cgi?id=1914833
@Adam, does this need to be documented in the 2.6 release notes? It came up in my search because of the requires_doc_text? flag. Thanks!
Pan, it seems we should have documented the annotation in the product docs but it was missed. I've added a Jira issue for 4.8 to address this. In the meantime we should probably add a release note based on the information here: https://github.com/kubevirt/containerized-data-importer/pull/1582/files#diff-23cd4e72d9bb3385a6eac8d37b4b09fde064018ba2ae1f329f7064cb80d28a6cR35
@alitke Thanks for the info! Can you clarify what we should document specifically? Would it be a new/changed feature (for storage) that the "sidecar.istio.io/inject: "false" annotation disables sidecar injection to the pod"?
Pan, we are waiting on a decision whether to annotate this by default. If we do it by default then I suppose no documentation is needed at this time (in 4.8 we would then want to document the option for users who may need to override the default). If the default is not altered then perhaps a release note NEW would be in order to explain how this annotation can be used to disable the injection. Arnon, please advise once we have a decision re: the default behavior so Pan knows how to proceed with documentation. We will also need to know when it is planned to be delivered.
Pan, Adam, I will sure update once we approve and target the PR with default sidecar.istio.io/inject: "false" annotation for CDI transfer pods.
keeping the needinfo for the pending update.
PR added for Bug 1914833 to set default sidecar.istio.io/inject: "false" annotation for CDI transfer pods.
I added a release note (in the technical changes section) to reflect the new default. PR: https://github.com/openshift/openshift-docs/pull/29654 I am waiting for Arnon to approve it. In the meantime, @Yan, can you please also review this release note PR from a QE perspective? (This PR also covers CNV-9456, where I have also requested your review.) Thanks!
Added comments in the PR. thanks
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0799