What this PR does / why we need it:
This change is mostly relevant for deployments without a virtual Garden cluster: In this case, the admission controller needed cluster-wide list/watch permissions for secrets. Restricting the cache to the --webhook-config-namespace namespace eliminates this requirement.
Special notes for your reviewer:
/cc @ialidzhikov thanks for noticing.
Release note:
The requirement for the admission controller to need cluster-wide read permissions for secrets has been dropped.
How to categorize this PR?
/area security
/kind enhancement
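The RBAC effect of the change described above, as an added sketch that is not taken from this PR or the project's manifests. All object names, the service account and the namespace `webhook-config-ns` (standing in for the value passed to `--webhook-config-namespace`) are hypothetical placeholders.

```yaml
# BEFORE (constructed): a cluster-wide informer on secrets issues list/watch
# at cluster scope, so the grant has to be a ClusterRole. Any compromise of
# the admission controller can then read every secret in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admission-controller-secrets        # hypothetical name
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
# AFTER (constructed): with the cache restricted to one namespace, the
# informer only lists/watches secrets there, so a namespaced Role suffices.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: admission-controller-secrets        # hypothetical name
  namespace: webhook-config-ns              # placeholder for --webhook-config-namespace
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admission-controller-secrets        # hypothetical name
  namespace: webhook-config-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admission-controller-secrets
subjects:
- kind: ServiceAccount
  name: admission-controller                # hypothetical service account
  namespace: webhook-config-ns
```

The namespaced Role only works once the cache itself is restricted: an informer that still lists secrets across all namespaces is denied by the API server and never syncs.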