diff --git a/daprdocs/content/en/concepts/dapr-services/sidecar-injector.md b/daprdocs/content/en/concepts/dapr-services/sidecar-injector.md index 242af6a373f..4d3178e9385 100644 --- a/daprdocs/content/en/concepts/dapr-services/sidecar-injector.md +++ b/daprdocs/content/en/concepts/dapr-services/sidecar-injector.md 
@@ -11,3 +11,50 @@ When running Dapr in [Kubernetes mode]({{% ref kubernetes %}}), a pod is created The sidecar injector service is deployed as part of `dapr init -k`, or via the Dapr Helm charts. For more information on running Dapr on Kubernetes, visit the [Kubernetes hosting page]({{% ref kubernetes %}}). +## Authorized service accounts + +The sidecar injector's admission webhook only processes requests from authorized Kubernetes service accounts. This controls which controllers and service accounts are allowed to trigger sidecar injection when creating or updating pods. + +By default, the injector authorizes a set of well-known Kubernetes controllers (such as `replicaset-controller`, `deployment-controller`, `statefulset-controller`, and others), as well as users in the `system:masters` group. You can authorize additional service accounts by configuring the `dapr_sidecar_injector.allowedServiceAccounts` Helm value. + +If a pod creation request comes from a service account that is not authorized, the injector skips sidecar injection for that pod silently. + +### Configuration + +Service accounts are specified in `namespace:name` format. Multiple entries can be comma-separated. Glob patterns are supported using Go's [`path.Match`](https://pkg.go.dev/path#Match) syntax: + +| Pattern | Description | Example | +|---------|-------------|---------| +| `*` | Matches any sequence of characters | `my-ns:*` matches all service accounts in `my-ns` | +| `?` | Matches any single character | `staging-?:*` matches `staging-1`, `staging-a`, etc. 
| +| `[...]` | Matches a character class | `proj-*:sa-[abc]*` matches service accounts starting with `sa-a`, `sa-b`, or `sa-c` | + +### Examples + +Configure via Helm: + +```bash +helm install dapr dapr/dapr --namespace dapr-system \ + --set dapr_sidecar_injector.allowedServiceAccounts="my-namespace:my-service-account,team-*:deploy-*" +``` + +Or in a Helm values file: + +```yaml +dapr_sidecar_injector: + allowedServiceAccounts: "my-namespace:my-service-account,team-*:deploy-*" +``` + +Pattern examples: + +| Pattern | Matches | +|---------|---------| +| `my-ns:my-sa` | Exact match: service account `my-sa` in namespace `my-ns` | +| `my-ns:*` | All service accounts in namespace `my-ns` | +| `team-*:deploy-*` | Service accounts starting with `deploy-` in namespaces starting with `team-` | +| `*:*` | All service accounts in all namespaces | + +{{% alert title="Note" color="primary" %}} +The `dapr_sidecar_injector.allowedServiceAccountsPrefixNames` Helm value is deprecated. Migrate your entries to `dapr_sidecar_injector.allowedServiceAccounts` using glob patterns instead (for example, `my-ns:my-prefix*` replaces the previous prefix-matching behavior). The deprecated value still functions but logs a deprecation warning. +{{% /alert %}} + diff --git a/daprdocs/content/en/operations/troubleshooting/common_issues.md b/daprdocs/content/en/operations/troubleshooting/common_issues.md index e912891895c..3e6749becd5 100644 --- a/daprdocs/content/en/operations/troubleshooting/common_issues.md +++ b/daprdocs/content/en/operations/troubleshooting/common_issues.md 
@@ -271,24 +271,28 @@ Microsoft Content Filter is disabled when the output is "Success". ## Admission webhook denied the request -You may encounter an error similar to the one below due to admission webhook having an allowlist for service accounts to create or modify resources. +You may encounter an error similar to the one below because the sidecar injector's admission webhook only processes requests from authorized service accounts. The service account that created the pod is not in the injector's allowlist. ``` root:[dapr]$ kubectl run -i --tty --rm debug --image=busybox --restart=Never -- sh Error from server: admission webhook "sidecar-injector.dapr.io" denied the request: service account 'user-xdd5l' not on the list of allowed controller accounts ``` -To resolve this error, you should create a `clusterrolebind` for the current user: +To resolve this error, either: -```bash -kubectl create clusterrolebinding dapr- --clusterrole=dapr-operator-admin --user -``` +1. Add the service account to the injector's authorized list by configuring the `dapr_sidecar_injector.allowedServiceAccounts` Helm value. Glob patterns are supported (for example, `my-namespace:*` to authorize all service accounts in a namespace). See the [Sidecar Injector documentation]({{% ref "sidecar-injector" %}}) for details. -You can run the below command to get all users in your cluster: +2. Or, create a `clusterrolebinding` for the current user: -```bash -kubectl config get-users -``` + ```bash + kubectl create clusterrolebinding dapr- --clusterrole=dapr-operator-admin --user + ``` + + You can run the below command to get all users in your cluster: + + ```bash + kubectl config get-users + ``` You may learn more about webhooks [here](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).
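Review bot: In the sidecar-injector.md hunk, the sentence "the injector skips sidecar injection for that pod silently" contradicts the error shown in the common_issues.md hunk of the same patch, where the webhook denies the request outright ("admission webhook "sidecar-injector.dapr.io" denied the request: service account 'user-xdd5l' not on the list of allowed controller accounts"). Pick one behaviour and state it in both places, or explain when each occurs (for example, whether denial versus silent skip depends on whether the pod carries the `dapr.io/enabled` annotation). Two further suggestions for the same hunk: the pattern table and the `*:*` row should carry a short caveat that widening the allowlist with broad globs lets any principal that can create pods in the matched namespaces trigger injection, so the narrowest pattern that covers the intended controllers is preferable; and since `path.Match` is used, the doc should note that a malformed pattern is a match error rather than a non-match, so operators can spot a typo in the Helm value (a line like `allowedServiceAccounts: "my-namespace:my-service-account"` is worth showing as the minimal, exact-match default).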
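Review bot: In the common_issues.md hunk, option 2 keeps the incomplete command `kubectl create clusterrolebinding dapr- --clusterrole=dapr-operator-admin --user` (the binding name is cut off and `--user` has no value) and never explains how an RBAC binding for a user resolves a denial that the new text attributes to the injector's service-account allowlist; either drop option 2 or show the full command with labelled placeholders (for example `kubectl create clusterrolebinding dapr-<user> --clusterrole=dapr-operator-admin --user=<user>`) and say why it works, given that `dapr-operator-admin` is a broad role to hand to an individual user compared with a scoped `dapr_sidecar_injector.allowedServiceAccounts` entry. Also, "To resolve this error, either:" followed by "2. Or, create a `clusterrolebinding`" doubles the alternative; drop the leading "Or," in item 2.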