implicit initContainer, added by jkube-volume-permission enricher, could break deployment #2423

Closed
vantonov1 opened this issue Oct 18, 2023 · 9 comments

@vantonov1

Describe the bug

jkube-volume-permission adds an init container to the deployment, with busybox as the image, if there is a volume mounted. This is implicit, so really hard to predict.

The problem is that Docker Hub has a rate limit. So, just by adding a volume mount to a few deployments you could have a broken release - pods not starting because busybox could not be downloaded.

For me, it is quite dangerous behavior, and should be switched off by default.

Eclipse JKube version

1.11.0

Component

Kubernetes Maven Plugin

Apache Maven version

3.8.3

Gradle version

None

Steps to reproduce

  1. Create a project with dozens of services, referring to a common resource fragment (deployment.yml)
  2. Add a persistentVolumeClaim and volumeMount to deployment.yml
  3. mvn k8s:resource k8s:apply
  4. kubectl get pod

Expected behavior

It COULD happen that you get ImagePullBackOff on some pod.

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.25.3

Environment

Linux

Eclipse JKube Logs

No response

Sample Reproducer Project

No response

Additional context

No response

vantonov1 added the bug label Oct 18, 2023
@rohanKanojia
Member

rohanKanojia commented Oct 18, 2023

@vantonov1 Do you think this is related to #1179 ?

@vantonov1
Author

Yes, it is related. But #1179 was closed with "you could switch it off, if you know."
Problem is - no one knows :).
So, people get problems in production again and again. It is good functionality, but please, switch it off by default.

@manusa
Member

manusa commented Oct 18, 2023

To disable the enricher you should configure the plugin as:

<plugin>
    <groupId>org.eclipse.jkube</groupId>
    <artifactId>kubernetes-maven-plugin</artifactId>
    <version>1.14.0</version>
    <configuration>
        <enricher>
            <excludes>
                <exclude>jkube-volume-permission</exclude>
            </excludes>
        </enricher>
    </configuration>
</plugin>

The other option would be to switch the permission enricher base image to something else that has the chmod command tool available and which is not subject to pull rate-limits.

@rohanKanojia
Member

@manusa : I think @vantonov1 is requesting to remove this enricher from the default profile as it can cause issues in production.

@vantonov1
Author

Yes, exactly. You could disable the enricher. AFTER you have failed release )

@rohanKanojia
Member

AFTER you have failed release

Could you please elaborate on this point?

@vantonov1
Author

I have dozens of services and decided to mount a volume to all. Everything was good on stage, but when deployed to production we got a couple of pods in ImagePullBackOff state - just because busybox could not be downloaded (rate limit, yes)

@manusa
Member

manusa commented Nov 7, 2023

As a workaround for this very specific problem, we could consider using something different than busybox as the image for the volume-permission enricher init container that is not rate-limited by Docker.
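
A pre-release check for the failure described in this thread, as an added example that is not part of the original issue or of JKube's code: it lists init containers whose image resolves to Docker Hub in JSON shaped like `kubectl get deployments -o json` output. The sample manifest, its container names and `registry.example.internal` are constructed, and unqualified image names are assumed to resolve to Docker Hub.

```python
import json
import sys

DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}

def registry_of(image):
    """Registry host of an image reference; unqualified names are assumed
    to resolve to Docker Hub (the Docker/containerd default)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def pod_specs(doc):
    """Yield (kind/name, pod spec) for one object or a kubectl-style List."""
    for obj in doc.get("items", [doc]):
        spec = obj.get("spec", {})
        # Deployments etc. nest the pod spec in spec.template.spec; a Pod does not.
        pod = spec.get("template", {}).get("spec", spec)
        yield f'{obj.get("kind")}/{obj.get("metadata", {}).get("name")}', pod

def docker_hub_init_containers(doc):
    """List (workload, init container, image) pulled from Docker Hub."""
    findings = []
    for workload, pod in pod_specs(doc):
        for c in pod.get("initContainers") or []:
            image = c.get("image")
            if image and registry_of(image) in DOCKER_HUB_HOSTS:
                findings.append((workload, c.get("name"), image))
    return findings

# Constructed sample, shaped like `kubectl get deployments -o json` output.
# Container names and the registry.example.internal host are made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Deployment", "metadata": {"name": "svc-a"}, "spec": {"template": {"spec": {
   "initContainers": [{"name": "jkube-volume-permission", "image": "busybox"}],
   "containers": [{"name": "app", "image": "registry.example.internal/svc-a:1.0"}]}}}},
 {"kind": "Deployment", "metadata": {"name": "svc-b"}, "spec": {"template": {"spec": {
   "initContainers": [{"name": "perm", "image": "registry.example.internal/busybox:1.36"}],
   "containers": [{"name": "app", "image": "docker.io/library/nginx:1.25"}]}}}}
]}
""")

if __name__ == "__main__":
    # Pass a JSON file path to audit real output; otherwise the sample is used.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    hits = docker_hub_init_containers(doc)
    for workload, name, image in hits:
        print(f"{workload}: init container {name!r} pulls {image!r} from Docker Hub")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on a finding lets the script gate a release pipeline step; only init containers are inspected, so the `docker.io` main container in `svc-b` is deliberately not reported.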

@manusa
Member

manusa commented Jan 19, 2024

I believe that this can be closed by #2570

manusa closed this as completed Jan 19, 2024
github-project-automation bot moved this from Review to Done in Eclipse JKube Jan 19, 2024
manusa added this to the 1.16.0 milestone Jan 19, 2024