in pkg/webhook/sidecar_spec.go [149:202]
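// GetMetadataPrefetchSidecarContainerSpec builds the metadata prefetch sidecar
// container for pod using the image, pull policy and resource settings from c.
//
// One read-only VolumeMount under /volumes/<name> is added for every volume of
// pod that si.isGcsFuseCSIVolume reports as a gcsfuse CSI volume and whose
// gcsFuseMetadataPrefetchOnMountVolumeAttribute parses as true. Volumes are
// skipped when the attribute is absent (prefetch is off by default), when the
// volume is a dynamic mount, or when the CSI lookup or the attribute parse
// fails — a failed lookup/parse is logged and treated as "do not mount" so a
// mount is never added on the strength of an unreliable result.
//
// A nil pod or nil config is logged and yields an empty corev1.Container.
func (si *SidecarInjector) GetMetadataPrefetchSidecarContainerSpec(pod *corev1.Pod, c *Config) corev1.Container {
	if pod == nil {
		klog.Warning("failed to get metadata prefetch container spec: pod is nil")
		return corev1.Container{}
	}
	if c == nil {
		// c is dereferenced below (ContainerImage, ImagePullPolicy); refuse
		// rather than panic inside the webhook.
		klog.Warning("failed to get metadata prefetch container spec: config is nil")
		return corev1.Container{}
	}

	limits, requests := prepareResourceList(c)

	// The sidecar container follows Restricted Pod Security Standard,
	// see https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
	container := corev1.Container{
		Name:            MetadataPrefetchSidecarName,
		Image:           c.ContainerImage,
		ImagePullPolicy: corev1.PullPolicy(c.ImagePullPolicy),
		SecurityContext: GetSecurityContext(),
		Resources: corev1.ResourceRequirements{
			Limits:   limits,
			Requests: requests,
		},
		// Non-nil so the field serializes as an empty list, not null; at most
		// one mount per pod volume.
		VolumeMounts: make([]corev1.VolumeMount, 0, len(pod.Spec.Volumes)),
	}

	for _, v := range pod.Spec.Volumes {
		isGcsFuseCSIVolume, isDynamicMount, volumeAttributes, err := si.isGcsFuseCSIVolume(v, pod.Namespace)
		if err != nil {
			klog.Errorf("failed to determine if %s is a GcsFuseCSI backed volume: %v", v.Name, err)
			// The flags and attributes returned alongside an error are not
			// trustworthy; skip the volume instead of mounting on them.
			continue
		}
		if isDynamicMount {
			klog.Warningf("dynamic mount set for %s, this is not supported for metadata prefetch. skipping volume", v.Name)
			continue
		}
		if !isGcsFuseCSIVolume {
			continue
		}

		enableMetaPrefetchRaw, ok := volumeAttributes[gcsFuseMetadataPrefetchOnMountVolumeAttribute]
		// We disable metadata prefetch by default, so we skip injection of volume mount when not set.
		if !ok {
			continue
		}
		enableMetaPrefetch, err := ParseBool(enableMetaPrefetchRaw)
		if err != nil {
			klog.Errorf(`failed to determine if metadata prefetch is needed for volume "%s": %v`, v.Name, err)
			// An unparseable value must not enable prefetch.
			continue
		}
		if enableMetaPrefetch {
			container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
				Name:      v.Name,
				MountPath: filepath.Join("/volumes/", v.Name),
				ReadOnly:  true,
			})
		}
	}

	return container
}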