Commit

docs: add AKS admission enforcer to known issues (#534)
* Update known-issues.md

Added known issue as discussed here: #525

* Update docs/book/src/known-issues.md

Co-authored-by: Anish Ramasekar <[email protected]>

* Update docs/book/src/known-issues.md

Co-authored-by: Anish Ramasekar <[email protected]>

Co-authored-by: Anish Ramasekar <[email protected]>
mich1990 and aramase committed Aug 22, 2022
1 parent 2f3ef7c commit 229c2b4
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions docs/book/src/known-issues.md
Expand Up @@ -57,3 +57,9 @@ URI="https://graph.microsoft.com/v1.0/servicePrincipals/${APPLICATION_OBJECT_ID}
BODY="{'principalId':'${APPLICATION_OBJECT_ID}','resourceId':'${GRAPH_RESOURCE_ID}','appRoleId':'${APPLICATION_READWRITE_ALL_ID}'}"
az rest --method post --uri "${URI}" --body "${BODY}" --headers "Content-Type=application/json"
```

### Environment variables not injected into pods deployed in the kube-system namespace in an AKS cluster

To protect the stability of the system and prevent custom admission controllers from impacting internal services in the kube-system, namespace AKS has an Admissions Enforcer, which automatically excludes kube-system and AKS internal namespaces. Refer to [doc](https://docs.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) for more details.

If you're deploying a pod in the `kube-system` namespace of an AKS cluster and need the environment variables, projected service account token volume injected by the Azure Workload Identity Mutating Webhook, add the `"admissions.enforcer/disabled": "true"` label or annotation in the [MutatingWebhookConfiguration](https://github.com/Azure/azure-workload-identity/blob/8644a217f09902fa1ac63e05cf04d9a3f3f1ebc3/deploy/azure-wi-webhook.yaml#L206-L235).
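
Review bot: In the second added paragraph, "add the `"admissions.enforcer/disabled": "true"` label or annotation" leaves the reader to guess which of the two to set and where in the MutatingWebhookConfiguration it goes; state whether either works and show the key under the object's metadata. The same paragraph should also say that setting it removes, for this webhook, the kube-system protection the first paragraph describes, so operators opt in knowingly. Smaller points: the comma in "in the kube-system, namespace AKS has" belongs after "namespace", "environment variables, projected service account token volume" needs an "and", and the link text "doc" would read better as the name of the FAQ entry it points to.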
