Closed dprotaso closed 7 months ago
Triage required from @Azure/aks-pm
cc @ImJasonH
Triage required from @Azure/aks-pm
The selector is not necessary to be added be added manually as it will be added automatically, but I believe from the issue in knative the issue was the two reconciliations conflicting.
Seems it has been solved there, is there something we can do to help further?
@samkreter
Seems it has been solved there, is there something we can do to help further?
Pushing the resolution of this on each project doesn't scale in my opinion. What we've done in Knative is a workaround.
is there something we can do to help further?
I'd recommend stop mutating the webhook spec
Action required from @Azure/aks-pm
Issue needing attention of @Azure/aks-leads
Issue needing attention of @Azure/aks-leads
Issue needing attention of @Azure/aks-leads
Issue needing attention of @Azure/aks-leads
Hi there,
Our corporate security policy requires us to scan all images that we currently run, including images we don't control the life-cycle for. This includes all the images in the kube-system namespace for aks. We tried to implement a solution that utilizes a webhook to automatically change the registry of any pod in a namespace to a private one, and then we built some automation to mirror images. But because of this issue, we are unable to implement this for the kube-system namespace.
That is to say, I understand why it's implemented like this, but I would like the option to turn it off. Will this be addressed in the future?
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
This issue will now be closed because it hasn't had any activity for 15 days after stale. dprotaso feel free to comment again on the next 7 days to reopen or open a new issue after that time if you still have a question/issue or suggestion.
Reopen please? It's still an issue.
@Azure/aks-leads can you re-open this issue?
Based on this PR, https://github.com/knative/pkg/pull/1949, it appears this is no longer an issue with knative/tekton
Issues like kubeflow, https://github.com/kubeflow/pipelines/issues/5244, (use of the control-plane label by other projects) we will remove in a upcoming update by relying on "managedby: aks" as our label for protecting namespaces from webhook changes.
For the issue mentioned by @tomwganem -- you can use the label/annotation admissions.enforcer/disabled: true to allow your webhook to operate on kube-system and other AKS managed namespaces, but this is not recommended
Any other scenarios that remain a problem?
Turns out Knative doesn't run on AKS 1.17 because there's some Azure component that's mutating our webhooks which we did not expect.
See https://github.com/knative/pkg/issues/1590 for details.
I read https://docs.microsoft.com/en-us/azure/aks/faq#can-i-use-admission-controller-webhooks-on-aks and I'm curious why the selector like
is necessary when the question states https://docs.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces
Since there's an Admissions Enforcer preventing these kube-system and AKS namespaces modifications is it necessary to mutate our webhook definitions?
This behaviour could break other projects & products who don't expect these external mutations - ie. Tekton CD is broken as well