Kubernetes native sidecar not supported

[YvesZelros]

Describe the bug

AWI remove the field restartPolicy on init containers that break the support of Kubernetes native sidecar

Steps To Reproduce

apiVersion: apps/v1
kind: Deployment
metadata:
  name: simple-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: simple-deployment
  template:
    metadata:
      labels:
        app: simple-deployment
        azure.workload.identity/use: "true"
    spec:
      initContainers:
        - command:
            - "/bin/sh"
            - "-c"
            - "while true; do echo 'hello from init'; sleep 1; done"
          image: busybox
          name: init
          restartPolicy: Always
      containers:
        - command:
            - "/bin/sh"
            - "-c"
            - "while true; do echo 'hello from main'; sleep 1; done"
          image: busybox
          name: main

Expected behavior

The main container must be running and not waiting the end of the init container as the init container is a native sidecar (restartPolicy = Always).

Logs
NAME READY STATUS RESTARTS AGE
simple-deployment-7854b77d4b-hbs7r 0/1 Init:0/1 0 3m35s

Environment

• Kubernetes version (use kubectl version): Server Version: v1.29.2
• Cloud provider or hardware configuration: AKS

Additional context
istio/istio#49221

[YvesZelros]

@aramase
Same issue was occur on amazon-eks-pod-identity-webhook but it's already fixed aws/amazon-eks-pod-identity-webhook#209.
It's not to push pressure on AKS team ;-)

Fix require to updates k8s.io libraries to v0.29.x

[aramase]

Thanks for reporting the issue. I have a PR open to update the deps: #1292.

[eplightning]

Any chance of getting a new release soon and deploying that on AKS? This is blocking us from using new sidecar functionality.

[mikec-greene]

Is it possible to get an ETA on when we might see this appearing in AKS? We're also blocked from using native sidecars in Istio, many thanks.

[rene-bos]

The PR which fixes this issue (#1292) has already been released in v1.3.0 on the 6th of June. So you can already install it in your AKS cluster 😄.

[mikec-greene]

Great thanks @rene-bos! I missed it in the changelog. We use the integrated --enable-workload-identity install method and are still on v1.2.2. I can't seem to find any docs to say which AKS release version it will be included in, we are on 1.29.4 already so I will keep an eye out for updates.

[zadigus]

The problem is still there on AKS 1.30.2. I freshly deployed a new cluster with an application using workload identities together with istio and native sidecars. I am still getting the error

Pod "some-pod-name" is invalid:
[spec.initContainers[1].lifecycle: Forbidden: may not be set for init
containers without restartPolicy=Always,
spec.initContainers[1].readinessProbe: Forbidden: may not be set for
init containers without restartPolicy=Always,
spec.initContainers[1].startupProbe: Forbidden: may not be set for init
containers without restartPolicy=Always]