> If a webhook is intercepting any resources in system-managed namespaces, or certain types of resources, GKE considers this unsafe and recommends that you update the webhooks to avoid intercepting these resources.

(From the GKE documentation linked in the issue below.)
**Is your feature request related to a problem? Please describe.**

We received a suggestion in GKE that the `vault-agent-injector-cfg` was "Intercepting resources in the kube-system namespace" and linked to their docs at https://cloud.google.com/kubernetes-engine/docs/how-to/optimize-webhooks#unsafe-webhooks for resolution. Specifically, "A webhook is flagged if scope is `*`. Or, a webhook is flagged if scope is `Namespaced` and includes `kube-system` and `kube-node-lease`".

**Describe the solution you'd like**

If I'm understanding correctly, should an optional rule `scope` be added to the `MutatingWebhookConfiguration`? https://github.com/hashicorp/vault-helm/blob/36dafa02c09eb24afb07de9895ff734b8e3bfd6a/templates/injector-mutating-webhook.yaml#L34-L38

**Describe alternatives you've considered**

None

**Additional context**

None
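The GKE rule quoted above has two halves, and a `scope` field alone only addresses the first: a rule with `scope: Namespaced` still intercepts `kube-system` and `kube-node-lease` unless the webhook's `namespaceSelector` excludes them. The checker below is an added example, not code from vault-helm or from GKE, and it encodes the quoted rule as a function you can run against a `MutatingWebhookConfiguration` (loaded as a dict, e.g. from `kubectl get mutatingwebhookconfiguration -o json`). It assumes that "includes kube-system and kube-node-lease" means the `namespaceSelector` does not rule those namespaces out by name, and it only recognises a `NotIn` expression on the `kubernetes.io/metadata.name` label (set automatically on every namespace since Kubernetes 1.21); any other selector shape is treated as excluding nothing, so the check errs towards flagging. The two manifests are constructed for the example and are not copied from the chart.

```python
"""Added example: check MutatingWebhookConfiguration rules against the GKE
'unsafe webhook' rule quoted in the issue.  Not vault-helm's own code.

Rule as quoted: a webhook is flagged if a rule's scope is "*", or if scope is
"Namespaced" and the webhook still intercepts kube-system / kube-node-lease.
Assumption: "includes" those namespaces means the namespaceSelector does not
exclude them by name."""

SYSTEM_NAMESPACES = {"kube-system", "kube-node-lease"}
NAME_LABEL = "kubernetes.io/metadata.name"  # auto-set on every namespace (k8s >= 1.21)


def excluded_namespaces(namespace_selector):
    """Namespaces a namespaceSelector rules out via a NotIn expression on the
    metadata.name label.  Other selector shapes are treated as excluding
    nothing, so the caller errs on the side of flagging."""
    if not namespace_selector:
        return set()
    excluded = set()
    for expr in namespace_selector.get("matchExpressions", []):
        if expr.get("key") == NAME_LABEL and expr.get("operator") == "NotIn":
            excluded.update(expr.get("values", []))
    return excluded


def unsafe_webhooks(config):
    """Return (webhook name, reason) for every rule the quoted GKE rule flags."""
    findings = []
    for webhook in config.get("webhooks", []):
        name = webhook.get("name", "<unnamed>")
        excluded = excluded_namespaces(webhook.get("namespaceSelector"))
        for rule in webhook.get("rules", []):
            scope = rule.get("scope", "*")  # API default when scope is omitted
            if scope == "*":
                findings.append((name, "rule scope is '*'"))
            elif scope == "Namespaced" and not SYSTEM_NAMESPACES <= excluded:
                still = ", ".join(sorted(SYSTEM_NAMESPACES - excluded))
                findings.append((name, "Namespaced rule still intercepts " + still))
    return findings


# Constructed manifests (not copied from the chart).  FLAGGED mirrors the shape
# of an injector webhook with no scope and no namespaceSelector; HARDENED adds
# scope: Namespaced plus a namespaceSelector excluding the two system namespaces.
_POD_RULE = {"operations": ["CREATE", "UPDATE"], "apiGroups": [""],
             "apiVersions": ["v1"], "resources": ["pods"]}

FLAGGED = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "MutatingWebhookConfiguration",
    "metadata": {"name": "vault-agent-injector-cfg"},
    "webhooks": [{"name": "vault.hashicorp.com", "rules": [dict(_POD_RULE)]}],
}

HARDENED = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "MutatingWebhookConfiguration",
    "metadata": {"name": "vault-agent-injector-cfg"},
    "webhooks": [{
        "name": "vault.hashicorp.com",
        "namespaceSelector": {"matchExpressions": [{
            "key": NAME_LABEL, "operator": "NotIn",
            "values": ["kube-system", "kube-node-lease"]}]},
        "rules": [dict(_POD_RULE, scope="Namespaced")],
    }],
}

if __name__ == "__main__":
    for label, cfg in (("flagged", FLAGGED), ("hardened", HARDENED)):
        print(label, unsafe_webhooks(cfg) or "OK")
```

Setting `scope: Namespaced` without the selector still produces a finding from the second half of the rule, which is why the check keeps both branches; an exclusion that names only one of the two namespaces is reported with the namespace that remains intercepted.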