Is your feature request related to a problem? Please describe.
Currently the helm chart allows the objectSelector of the MutatingWebhookConfiguration to be user specified. This is very useful to ensure that the cluster continues to operate correctly when failurePolicy=Fail and azure-workload-identity pods are not running. As long as you ensure certain labels are only set on the pods that require azure-workload-identity and you define the selector, you're good to go.
However, there are two additional useful configurations, namespaceSelector and scope, which allow you to exclude namespaces from evaluation. This is useful when it comes to the kube-system namespace and for pods where you can't easily control their labels.
It would be great if these were also user configurable.
Describe alternatives you've considered
We can ensure all pods that rely on the admission controller have labels that match an objectSelector of our choosing. While this works, it doesn't guarantee the AC won't be applied to pods in a namespace where we don't want it, like kube-system.
Additional context
In #516, I asked to make the failurePolicy of the MutatingWebhookConfiguration configurable (thanks for doing that, btw).
However, I failed to ask to make this request at the same time. I haven't actually run into a problem yet, but I'd like to never have it come up.
Making sure that the webhook pod itself is always excluded in the MutatingWebhookConfiguration would be a sensible default for the Helm chart.
I had the issue today that no new pods would get scheduled because failurePolicy=Fail was set and there were no wi-webhook pods running, resulting in a catch-22.
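As an added illustration of the configuration discussed in the issue and in the comment above (not the chart's own template), the rendered MutatingWebhookConfiguration below combines failurePolicy: Fail with an objectSelector and a namespaceSelector so that kube-system and the webhook's own namespace are never evaluated; the webhook name, service name, namespace, opt-in label and path are assumed placeholders.

```yaml
# Constructed example of a fail-closed webhook whose blast radius is limited by selectors.
# Names, namespace, label and path below are assumptions; adjust to your deployment.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: azure-wi-webhook-example
webhooks:
  - name: mutation.example.workload-identity.io
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # Fail closed: if the webhook endpoint is unreachable, matching pod creations are rejected.
    # The selectors below ensure "matching" never includes pods the cluster needs to recover.
    failurePolicy: Fail
    clientConfig:
      service:
        name: azure-wi-webhook-service        # assumed service name
        namespace: azure-workload-identity-system
        path: /mutate-v1-pod                  # assumed path
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
        # scope restricts the rule to namespaced objects ("Cluster", "Namespaced" or "*").
        scope: "Namespaced"
    # Only pods that explicitly opt in via this label are sent to the webhook.
    objectSelector:
      matchLabels:
        azure.workload.identity/use: "true"   # assumed opt-in label
    # Skip kube-system and the webhook's own namespace entirely, so core components and the
    # webhook pods themselves can start while the webhook is down (breaks the catch-22).
    # Relies on the kubernetes.io/metadata.name label the API server sets on every namespace.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - azure-workload-identity-system
```

Because the namespaceSelector is evaluated before the pod is ever sent to the webhook, an unavailable webhook cannot block pods in the excluded namespaces regardless of their labels.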