When using the kops-installed EKS Pod Identity Webhook in combination with other features, we observed circular-dependency issues, preventing clusters from being provisioned without manual intervention.
For example, when installing a CNI in the cluster, the Pod Identity Webhook may not function until the CNI is installed, but the CNI control plane is blocked on the Pod Identity Webhook because it is a Fail mutating webhook.
A pull request to the amazon-eks-pod-identity-webhook repository adds a canonical tag for excluding certain pods from the webhook: https://github.com/aws/amazon-eks-pod-identity-webhook/pull/216

We should pull these changes into the kops-managed amazon-eks-pod-identity-webhook, as this would allow users to extensibly define pods that should skip the blocking webhook.

/kind feature
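To make the deadlock and the proposed exclusion concrete, here is an added illustration of the relevant MutatingWebhookConfiguration fields; it is not a kops manifest nor the upstream PR's manifest, and the webhook name, service path and exclusion label key are placeholders.

```yaml
# Added illustration only: names, path and the label key are placeholders,
# not the values used by kops or by the upstream pod-identity-webhook PR.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: pod-identity-webhook            # placeholder
webhooks:
  - name: pod-identity-webhook.example.com   # placeholder
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # failurePolicy: Fail makes the API server reject every matching Pod
    # whenever the webhook endpoint cannot be reached. The webhook pod
    # itself has no network until the CNI is running, and the CNI pods
    # are rejected here: that is the circular dependency described above.
    failurePolicy: Fail
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE"]
    clientConfig:
      service:
        name: pod-identity-webhook        # placeholder
        namespace: kube-system
        path: /mutate                     # placeholder
    # The selectors below are evaluated by the API server before the webhook
    # is called, so a Pod they exclude is admitted even while the endpoint is
    # down. Label the CNI (and any other bootstrap) pods with the chosen key
    # and they no longer wait on the webhook, while every other Pod keeps
    # the Fail guarantee that it will not run without its identity injected.
    objectSelector:
      matchExpressions:
        - key: example.com/skip-pod-identity-webhook   # placeholder key
          operator: DoesNotExist
    # Optional broader carve-out. Only use it if no workload in the excluded
    # namespace relies on the webhook to receive its IAM credentials.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
```

The objectSelector is the per-pod opt-out the issue asks for; the namespaceSelector is a coarser alternative that trades coverage for simplicity.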