Azure / azure-workload-identity

Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
https://azure.github.io/azure-workload-identity
MIT License
298 stars, 95 forks

Admission webhook to use `reinvocationPolicy: IfNeeded` because of unknown admissions webhook ordering #787

Closed berndverst closed 1 year ago

berndverst commented 1 year ago

I'm one of the maintainers of Dapr (https://dapr.io) which is available as a managed extension for AKS and for ACA.

Dapr has a mutating admission webhook which modifies the container spec of a deployment object to add the Dapr sidecar as an additional container.

The problem with mutating admission webhooks is that the ordering is not guaranteed. It is critical that the environment variables injected by the Workload Identity mutating admissions webhook also get injected into the Dapr sidecar.

Therefore, can you please advise whether you are specifying the "reinvocationPolicy: IfNeeded" option for the Workload Identity webhook? This would retrigger the webhook in the case that the Workload Identity webhook was applied first, then Dapr's sidecar injector webhook got triggered second. What we would want to see in this case is that the Workload Identity Admissions Webhook gets triggered again.

Please see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy
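The ordering problem described in the comment above, as an added example that is not part of the original issue, the azure-workload-identity project, or Dapr: two toy mutating webhooks (one that adds the Workload Identity env vars to every container, one that appends a sidecar) are run in both orders, with and without reinvocation, and the sidecar is checked for the env vars. A second helper audits a MutatingWebhookConfiguration (as returned by `kubectl get mutatingwebhookconfiguration -o json`) for webhooks that do not declare `reinvocationPolicy: IfNeeded`. The webhook names, image, and the `reinvocation` approximation of the API server's behaviour are assumptions made for the example; the env var names are the ones the Workload Identity webhook documents, and the Kubernetes default for `reinvocationPolicy` is `Never`.

```python
"""Constructed example: why mutating-webhook order matters and how
reinvocationPolicy: IfNeeded repairs it. Not code from azure-workload-identity
or Dapr; webhook names/images below are placeholders."""
import copy
from typing import Callable, Dict, List, Tuple

Pod = Dict
Webhook = Callable[[Pod], bool]  # returns True if it mutated the pod

# Env vars the Workload Identity webhook injects (values are placeholders).
WI_ENV = [
    {"name": "AZURE_CLIENT_ID", "value": "<client-id>"},
    {"name": "AZURE_TENANT_ID", "value": "<tenant-id>"},
    {"name": "AZURE_FEDERATED_TOKEN_FILE",
     "value": "/var/run/secrets/azure/tokens/azure-identity-token"},
    {"name": "AZURE_AUTHORITY_HOST", "value": "https://login.microsoftonline.com/"},
]


def wi_webhook(pod: Pod) -> bool:
    """Toy stand-in for the Workload Identity webhook: add WI_ENV to every
    container that does not already carry it."""
    changed = False
    for c in pod["spec"]["containers"]:
        present = {e["name"] for e in c.setdefault("env", [])}
        for e in WI_ENV:
            if e["name"] not in present:
                c["env"].append(dict(e))
                changed = True
    return changed


def dapr_webhook(pod: Pod) -> bool:
    """Toy stand-in for the Dapr injector: append a sidecar container once."""
    containers = pod["spec"]["containers"]
    if any(c["name"] == "daprd" for c in containers):
        return False
    containers.append({"name": "daprd", "image": "daprio/daprd"})  # assumed image
    return True


def admit(pod: Pod, chain: List[Tuple[Webhook, str]], reinvoke: bool) -> Pod:
    """Simulate the mutating admission chain (approximation of the API server):
    every webhook runs once; with reinvoke=True, a webhook declared
    'IfNeeded' runs again if any webhook after it mutated the object."""
    pod = copy.deepcopy(pod)
    mutated = [hook(pod) for hook, _ in chain]
    if reinvoke:
        for i, (hook, policy) in enumerate(chain):
            if policy == "IfNeeded" and any(mutated[i + 1:]):
                hook(pod)
    return pod


def sidecar_has_wi_env(pod: Pod) -> bool:
    """True only if the daprd sidecar exists and carries every WI env var."""
    for c in pod["spec"]["containers"]:
        if c["name"] == "daprd":
            present = {e["name"] for e in c.get("env", [])}
            return all(e["name"] in present for e in WI_ENV)
    return False


BASE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
            "spec": {"containers": [{"name": "app", "image": "app:1"}]}}

ORDERS = {
    "wi-then-dapr": [(wi_webhook, "IfNeeded"), (dapr_webhook, "Never")],
    "dapr-then-wi": [(dapr_webhook, "Never"), (wi_webhook, "IfNeeded")],
}


def run_matrix() -> Dict[Tuple[str, bool], bool]:
    """For each order and reinvocation setting: does the sidecar get the env?"""
    return {(name, reinvoke): sidecar_has_wi_env(admit(BASE_POD, chain, reinvoke))
            for name, chain in ORDERS.items() for reinvoke in (False, True)}


# Constructed MutatingWebhookConfiguration as kubectl -o json would return it;
# webhook names are assumptions, not the projects' real names.
SAMPLE_MWC = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "MutatingWebhookConfiguration",
    "webhooks": [
        {"name": "mutation.example-workload-identity.io", "reinvocationPolicy": "IfNeeded"},
        {"name": "sidecar-injector.example-dapr.io"},  # no policy -> defaults to Never
    ],
}


def webhooks_missing_reinvocation(cfg: Dict) -> List[str]:
    """Names of webhooks that will not be re-run after a later mutation."""
    return [w["name"] for w in cfg.get("webhooks", [])
            if w.get("reinvocationPolicy", "Never") != "IfNeeded"]


if __name__ == "__main__":
    for (order, reinvoke), ok in run_matrix().items():
        print(f"{order:13} reinvoke={reinvoke!s:5} sidecar has WI env: {ok}")
    print("missing IfNeeded:", webhooks_missing_reinvocation(SAMPLE_MWC))
```

Only the "wi-then-dapr" order without reinvocation leaves the sidecar without the env vars; declaring `IfNeeded` on the Workload Identity webhook closes that gap regardless of which webhook the API server calls first. Note that `IfNeeded` causes at most one extra call per admission and the webhook must be idempotent, which the toy `wi_webhook` is (it skips env vars already present).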

berndverst commented 1 year ago

Perhaps nothing needs to be done here, but instead in the AKS workload identity extension / option the yaml needs to be updated.

Regardless, it would be good to update samples to specify the reinvocationPolicy as well as many Dapr users will also want to use workload identity, and the authentication happens in the sidecar which itself is injected via admissions webhook.

berndverst commented 1 year ago

Here is the Dapr sidecar injector / mutating admissions webhook by the way: https://github.com/dapr/dapr/tree/master/pkg/injector

And some more sources:
https://docs.dapr.io
https://learn.microsoft.com/en-us/azure/aks/dapr
https://learn.microsoft.com/en-us/azure/container-apps/dapr-overview?tabs=bicep1%2Cyaml