diff --git a/README.md b/README.md
index e69de29..1b9f3ba 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,34 @@
+# Volume Initializer
+
+# Introduction
+This project delivers a [mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) that can be used to initialize the pvc volumes of pod by injecting init containers into the pod.
+
+The pvc volumes will be mounted to the injected init containers, you can do anything you want to the volumes, such as changing the ownership/permissions/contents of the volumes, just before your original container starts.
+
+One typical usecase is using it to change the ownership/permissions of the volumes because your original containers are not running as root and unable to write data into the volumes.
+
+# Installation
+
+## Deploy CRD
+```
+make install
+```
+
+## Deploy CR
+Create a volume initializer yaml and apply it.
+
+Take [this](config/samples/storage.kubesphere.io_v1alpha1_initializer.yaml) for example.
+
+## Deploy webhook
+```
+kubectl apply -f deploy/webhook-deployment.yaml
+```
+
+## Test
+Create pod with pvc volumes to test.
+
+Take [this](config/samples/mongo-test.yaml) for example.
+
+# Limitations
+- If the pvc matches multiple pvcMatchers and init containers, only the first init container will be injected.
+
diff --git a/config/samples/mongo-test.yaml b/config/samples/mongo-test.yaml
new file mode 100644
index 0000000..130690d
--- /dev/null
+++ b/config/samples/mongo-test.yaml
@@ -0,0 +1,80 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+ name: mongodb-test
+ labels:
+ app: mongodb-test
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongodb-test
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: mongodb-test
+ spec:
+ containers:
+ - name: container-tle280
+ image: 'registry.cn-hangzhou.aliyuncs.com/stoneshiyunify/mongodb:4.2.4-debian-10-r0'
+ ports:
+ - name: http-27017
+ containerPort: 27017
+ protocol: TCP
+ resources:
+ limits:
+ cpu: '1'
+ memory: 1Gi
+ requests:
+ cpu: '1'
+ memory: 1Gi
+ volumeMounts:
+ - name: ttt
+ mountPath: /bitnami/ttt
+ - name: mongodb
+ mountPath: /bitnami/mongodb
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ imagePullPolicy: IfNotPresent
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
+ dnsPolicy: ClusterFirst
+ serviceAccountName: default
+ serviceAccount: default
+ securityContext: {}
+ schedulerName: default-scheduler
+ volumeClaimTemplates:
+ - kind: PersistentVolumeClaim
+ apiVersion: v1
+ metadata:
+ name: ttt
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: local-path2
+ volumeMode: Filesystem
+ - kind: PersistentVolumeClaim
+ apiVersion: v1
+ metadata:
+ name: mongodb
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: local-path
+ volumeMode: Filesystem
+ serviceName: mongodb-u8yi
+ podManagementPolicy: OrderedReady
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 0
+ revisionHistoryLimit: 10
diff --git a/pkg/webhook/pod.go b/pkg/webhook/pod.go
index 2d52003..2a7abde 100644
--- a/pkg/webhook/pod.go
+++ b/pkg/webhook/pod.go
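Review bot: In config/samples/mongo-test.yaml the container image is pulled by a mutable tag from what looks like a personal registry namespace (`stoneshiyunify`), so anyone applying the sample runs whatever that tag points to at the time; pinning it by digest, e.g. `image: '<registry>/<repo>@sha256:<digest>'`, or pointing at the upstream image would make the sample reproducible. The pod-level `securityContext: {}` leaves the non-root case the README describes up to the image's default user; `securityContext: {runAsNonRoot: true}` would state it explicitly and make the sample fail loudly if the image turns out to run as root. The pod runs under the `default` service account and a database test pod presumably has no need for the API token, so `automountServiceAccountToken: false` is worth adding to the pod spec. The fields that look exported from a live cluster (`creationTimestamp: null`, the deprecated `serviceAccount`) can be dropped.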
@@ -143,7 +143,7 @@ func (a *Admitter) Decide(ctx context.Context, reqInfo *ReqInfo) *admissionv1.Ad
 return toV1AdmissionResponse(err)
 }
 if pvcInitContainer == nil {
- klog.Infof("no initContainer found for pvc %s", pvc.Name)
+ klog.Infof("no initContainer matches pvc %s", pvc.Name)
 continue
 }
 if pvcInitContainer.MountPathRoot == "" {