Description
In our environment, we use a driver pod with IRSA-related environment variables (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE) and volume mounts injected by the EKS Pod Identity Webhook.
When the driver launches executor pods, it automatically copies all environment variables from the driver into each executor pod. This results in executors inheriting the IRSA environment variables even though they do not have the required projected service account token volume.
Expected Behavior
Even if the env vars are already present (inherited), the webhook should ensure the required volume and mount are added if they are missing.
Impact
This affects workloads such as Spark where:
- the driver is patched correctly by the webhook
- executor pods inherit env vars from the driver
- the webhook incorrectly assumes the executors already have the correct IRSA setup
This leads to inconsistent IRSA setup across pods in the same job.
Proposed Fix
Modify the skip logic to also check whether the token volume mount exists, instead of only checking env vars.
For example, only skip if both:
- the env vars are present, and
- the volume + mount are already present
Please advise.
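To make the proposed rule concrete, here is an added example (not code from the webhook itself) that models the current env-var-only skip check next to the proposed check over simplified pod structs; the corev1 types are replaced by name-only stand-ins and the `aws-iam-token` volume name is an assumption:

```go
package main

import "fmt"

// Simplified stand-ins for the corev1 pod types (assumption; only names matter for the check).
type Container struct {
	Name         string
	Env          []string // env var names set on the container
	VolumeMounts []string // names of volumes mounted into the container
}
type PodSpec struct {
	Volumes    []string // names of volumes declared on the pod
	Containers []Container
}

// Env var names are from the issue; the token volume name is an assumption.
const (
	envRoleARN   = "AWS_ROLE_ARN"
	envTokenFile = "AWS_WEB_IDENTITY_TOKEN_FILE"
	tokenVolume  = "aws-iam-token"
)

func contains(names []string, want string) bool {
	for _, n := range names {
		if n == want {
			return true
		}
	}
	return false
}

// EnvOnlySkip is the rule the issue describes: both IRSA env vars present is
// taken as "already configured", even if the token volume was never injected.
func EnvOnlySkip(c Container) bool {
	return contains(c.Env, envRoleARN) && contains(c.Env, envTokenFile)
}

// ProposedSkip also requires the token volume on the pod and its mount in the
// container, so an executor that only inherited the driver's env vars is still patched.
func ProposedSkip(spec PodSpec, c Container) bool {
	return EnvOnlySkip(c) && contains(spec.Volumes, tokenVolume) && contains(c.VolumeMounts, tokenVolume)
}

func main() {
	irsaEnv := []string{envRoleARN, envTokenFile}
	// Constructed samples: a fully patched driver, and an executor that copied its env vars only.
	driver := PodSpec{Volumes: []string{tokenVolume}, Containers: []Container{{Name: "driver", Env: irsaEnv, VolumeMounts: []string{tokenVolume}}}}
	exec := PodSpec{Containers: []Container{{Name: "executor", Env: irsaEnv}}}
	fmt.Println(EnvOnlySkip(driver.Containers[0]), ProposedSkip(driver, driver.Containers[0])) // true true
	fmt.Println(EnvOnlySkip(exec.Containers[0]), ProposedSkip(exec, exec.Containers[0]))       // true false
}
```

Under the proposed rule the executor is no longer skipped, so the webhook would go on to inject the missing volume and mount; a pod that declares the volume but does not mount it is also still patched.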