diff --git a/pkg/webhook/injection.go b/pkg/webhook/injection.go
index 799d2f7c..e8f01711 100644
--- a/pkg/webhook/injection.go
+++ b/pkg/webhook/injection.go
@@ -84,6 +84,16 @@ func (si *SidecarInjector) injectMetadataPrefetchSidecarContainer(pod *corev1.Po
 var containerSpec corev1.Container
 var index int

+ // Let's check our sidecar is not present anywhere before injecting.
+ // This means we wont support the privately hosted sidecar image feature for this sidecar.
+ _, presentInContainerList := containerPresent(pod.Spec.Containers, SidecarMetadataPrefetchName)
+ _, presentInInitContainerList := containerPresent(pod.Spec.InitContainers, SidecarMetadataPrefetchName)
+ if presentInContainerList || presentInInitContainerList {
+ klog.Infof(`%s sidecar is already injected in pod "%s", skipping injection...`, SidecarMetadataPrefetchName, pod.Name)
+
+ return
+ }
+
 if supportsNativeSidecar {
 containerSpec = si.GetNativeMetadataPrefetchSidecarContainerSpec(pod, config)
 index = getInjectIndexAfterContainer(pod.Spec.InitContainers, SidecarContainerName)
diff --git a/pkg/webhook/sidecar_spec.go b/pkg/webhook/sidecar_spec.go
index 2caab57a..485da04e 100644
--- a/pkg/webhook/sidecar_spec.go
+++ b/pkg/webhook/sidecar_spec.go
@@ -21,6 +21,7 @@ import (
 "path/filepath"

 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/resource"
 "k8s.io/klog/v2"
 "k8s.io/utils/ptr"
 )
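Review bot: The new guard in injectMetadataPrefetchSidecarContainer (pkg/webhook/injection.go) keys only on the container name, as far as the containerPresent calls show, so any container or init container that the pod author names SidecarMetadataPrefetchName suppresses injection and is kept as submitted; nothing visible here compares its image, securityContext or resources with the spec the webhook would have generated. If that trade-off is intended, state it at the check, e.g. `// NOTE: a pre-existing container with this name is kept as-is; its image, securityContext and resources are not validated.`, or reject or overwrite a container that does not match the generated spec. The log line would be easier to audit with the namespace included and `%q` in place of the hand-quoted `"%s"`, since pod.Name can be empty at admission time for pods created through generateName. The function body continues outside the hunk.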
@@ -129,8 +130,21 @@ func (si *SidecarInjector) GetNativeMetadataPrefetchSidecarContainerSpec(pod *co
 return container
 }

+func getMetadataPrefetchContainerResources() (corev1.ResourceList, corev1.ResourceList) {
+ c := &Config{
+ CPURequest: resource.MustParse("10m"),
+ CPULimit: resource.MustParse("50m"),
+ MemoryRequest: resource.MustParse("10Mi"),
+ MemoryLimit: resource.MustParse("100Mi"),
+ EphemeralStorageRequest: resource.MustParse("10Mi"),
+ EphemeralStorageLimit: resource.MustParse("10Mi"),
+ }
+
+ return prepareResourceList(c)
+}
+
 func (si *SidecarInjector) GetMetadataPrefetchSidecarContainerSpec(pod *corev1.Pod, c *Config) corev1.Container {
- limits, requests := prepareResourceList(c)
+ limits, requests := getMetadataPrefetchContainerResources()

 // The sidecar container follows Restricted Pod Security Standard,
 // see https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
@@ -155,7 +169,6 @@ func (si *SidecarInjector) GetMetadataPrefetchSidecarContainerSpec(pod *corev1.P
 "--v=5",
 },
 Resources: corev1.ResourceRequirements{
- // We should change these resources.
 Limits: limits,
 Requests: requests,
 },
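Review bot: In pkg/webhook/sidecar_spec.go, getMetadataPrefetchContainerResources pins the ephemeral-storage limit to 10Mi while the same container is started with `--v=5` (visible in the following hunk). Container logs normally count toward ephemeral-storage usage, so a verbose sidecar may get the whole pod evicted; size the limit for the expected log volume or lower the verbosity. The helper also returns two unnamed ResourceLists whose order is implied only by the caller's `limits, requests :=` assignment; naming them, `func getMetadataPrefetchContainerResources() (limits, requests corev1.ResourceList)`, and adding a doc comment such as `// getMetadataPrefetchContainerResources returns the fixed limits and requests for the metadata prefetch sidecar; resource values from the pod's Config are not applied.` would make both the order and the override explicit. GetMetadataPrefetchSidecarContainerSpec still accepts `c *Config`, and its body continues outside the hunk, so whether c is used elsewhere is not visible here.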