We use vault in our environment and when we enable linkerd cni, the vault init container is unable to connect because the network is unavailable inside the pod. If we use linkerd without linkerd-cni, the vault container is able to connect just fine.
We have tried it on the latest version of linkerd. There is a vault agent that is injecting a vault init container and it is trying to connect to external vault server.
Right. If the CNI sets up iptables before the vault init container runs, there’s no proxy to manage those connections so they can’t succeed.
There’s an open PR to support the new Kubernetes sidecar containers, which will support running the proxy before other init containers (like vault). This will fix your problem once it’s merged (if your cluster administrator has enabled sidecar container support).
Alternatively, there are some workarounds listed here. Hope this helps!
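As an added illustration of the failure mode described in this thread (not part of the original posts), the manifest below shows a pod whose Vault Agent init container is cut off from the network once linkerd-cni has installed the proxy's iptables rules, and the same pod with the destination port of the external Vault server excluded from proxy redirection so the init container can reach it directly. Assumptions: the Vault server listens on its default port 8200, the `vault.hashicorp.com/*` injector annotations are those of the HashiCorp injector, and `config.linkerd.io/skip-outbound-ports` is honoured by linkerd-cni when it programs the pod's iptables.

```yaml
# BEFORE: linkerd-cni redirects all outbound traffic to the proxy at pod
# creation; the proxy is not running yet while init containers execute,
# so vault-agent-init's connection to Vault never completes.
apiVersion: v1
kind: Pod
metadata:
  name: app-vault-broken
  annotations:
    linkerd.io/inject: enabled
    vault.hashicorp.com/agent-inject: "true"   # injector adds vault-agent-init
    vault.hashicorp.com/role: "app"           # assumed Vault role name
spec:
  containers:
    - name: app
      image: example.com/app:1.0               # placeholder image
---
# AFTER: traffic to the Vault port bypasses the proxy redirect entirely, so
# the init container connects to Vault before the proxy exists. The cost is
# that this traffic is not handled by the mesh (no mTLS from Linkerd, no
# proxy metrics); rely on Vault's own TLS for that connection.
apiVersion: v1
kind: Pod
metadata:
  name: app-vault-working
  annotations:
    linkerd.io/inject: enabled
    config.linkerd.io/skip-outbound-ports: "8200"   # Vault default port
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app"
spec:
  containers:
    - name: app
      image: example.com/app:1.0
```

After applying the second manifest, `kubectl logs <pod> -c vault-agent-init` should show the agent authenticating rather than timing out; if it still hangs, confirm the annotation value matches the port of the Vault address the injector was configured with.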