CheckPointSW/charts

Allow custom annotations


Hi

So far, we can only set these common annotations in deployments:

Helper

{{- /* Pod annotations commonly used in agents */ -}}
{{- define "common.pod.annotations" -}}
agentVersion: {{ .agentConfig.tag }}
{{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
{{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
{{- if and (not (contains "openshift" (include "get.platform" .))) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}:
{{ toYaml .Values.podAnnotations.apparmor | indent 2 }}
{{- end }}
{{- end -}}

Deployment

annotations:
{{ include "common.pod.annotations" $config | indent 8 }}

It would be nice to be able to add custom annotations. In my case, I want to configure the mutating webhook of Bank-Vaults through the annotations to inject my Cloudguard credentials retrieved from Vault directly into the pods.

Would it be possible to implement this?

Thanks a lot.

Greetings.

Hi @GonCuesMa,

Thanks for bringing up this use-case. Indeed, it seems useful and shouldn't be difficult to implement. Will try to add it soon.

Great! Thanks a lot!

Resolved by #101

Hi @GonCuesMa, just to make sure you noticed the change.

Hi @chkp-dorcohen !

Yes, I'm using version 2.15.1 and everything works great! Thanks!

PS: I've been able to inject my Cloudguard credentials retrieved from Vault using the following pod annotations:

podAnnotations:
  custom:
    vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200"
    vault.security.banzaicloud.io/vault-role: "default"
    vault.security.banzaicloud.io/vault-skip-verify: "false"
    vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
    vault.security.banzaicloud.io/vault-agent: "false"
    vault.security.banzaicloud.io/vault-path: "kubernetes"
    vault.security.banzaicloud.io/vault-namespace: "vault"
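For readers following along, here is an added illustration of how the `common.pod.annotations` helper quoted in the first post could pick up an operator-supplied map such as the `podAnnotations.custom` block above; this is not the chart's actual #101 change, and the `range`/`quote` loop and the `custom` key name are assumptions taken from this thread.

```yaml
{{- /* Pod annotations commonly used in agents (illustration, not the chart's own code) */ -}}
{{- define "common.pod.annotations" -}}
agentVersion: {{ .agentConfig.tag }}
{{- /* OpenShift does not allow seccomp; from k8s 1.19 it lives in securityContext instead */ -}}
{{- if and (not (contains "openshift" (include "get.platform" .))) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}:
{{ toYaml .Values.podAnnotations.apparmor | indent 2 }}
{{- end }}
{{- /* Assumed addition: emit every key in .Values.podAnnotations.custom verbatim.
       Annotation values must be strings, so `quote` keeps "false" and "8200"
       from being re-typed as a boolean or an integer when the manifest is parsed. */ -}}
{{- range $key, $value := .Values.podAnnotations.custom }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end -}}

# Constructed values to exercise the helper (same keys as the comment above):
# podAnnotations:
#   seccomp: runtime/default
#   custom:
#     vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200"
#     vault.security.banzaicloud.io/vault-skip-verify: "false"
#     vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
#
# Expected fragment of `helm template` output on a non-OpenShift 1.19+ cluster:
#   annotations:
#     agentVersion: <tag>
#     vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200"
#     vault.security.banzaicloud.io/vault-skip-verify: "false"
#     vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
```

Because the custom map is rendered unconditionally, anyone who can edit the release values can attach arbitrary webhook-triggering annotations to the agent pods, so the values file deserves the same review as the chart's RBAC settings.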