This changes the startup code for the secret store to not try to create the namespace as a way to check if it exists. Now it will only attempt if the namespace does not already exist. Submitting a create request can trigger admission webhooks. If there are namespace policies for jspolicy already deployed, this can cause jspolicy to not be able to come back up if the deployment were scaled down or if no pods are running for some other reason. Without this change, the only way to recover is to delete any mutating/validating webhooks on namespaces* pointing to jspolicy and then the jspolicy pods will be able to start.
NOTE: In some cases namespace webhooks might exclude or only include certain namespaces. However, the jspolicy namespace creation has no labels applied at submission time, so label filters cannot exclude it appropriately if that is how the policies were set up. Inclusion filters, of course, would be less likely to be a problem.
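The two startup checks side by side, as an added Go example that is not jspolicy's code. `fakeAPI`, `Exists`, `ensureByCreate` and `ensureByGet` are hypothetical names, and the fake server assumes only that reads skip admission while every create request is sent to the namespace webhook first.

```go
package main

import "errors"

// Constructed errors standing in for API server responses.
var ErrAlreadyExists = errors.New("namespace already exists")
var ErrWebhookDown = errors.New("admission webhook has no endpoints")

// fakeAPI is a hypothetical API server: reads skip admission, creates hit the webhook first.
type fakeAPI struct {
	namespaces   map[string]bool
	webhookUp    bool // false while no jspolicy pods are running
	webhookCalls int
}

func (a *fakeAPI) Exists(ns string) bool { return a.namespaces[ns] }

func (a *fakeAPI) Create(ns string) error {
	a.webhookCalls++ // admission is consulted even if the namespace exists
	if !a.webhookUp {
		return ErrWebhookDown
	}
	if a.namespaces[ns] {
		return ErrAlreadyExists
	}
	a.namespaces[ns] = true
	return nil
}

// ensureByCreate models the old startup check: create, ignore AlreadyExists.
func ensureByCreate(a *fakeAPI, ns string) error {
	if err := a.Create(ns); err != nil && !errors.Is(err, ErrAlreadyExists) {
		return err
	}
	return nil
}

// ensureByGet models the changed check: create only if the namespace is absent.
func ensureByGet(a *fakeAPI, ns string) error {
	if a.Exists(ns) {
		return nil
	}
	return a.Create(ns)
}

func main() {
	api := &fakeAPI{namespaces: map[string]bool{"jspolicy": true}} // webhook down
	println(ensureByCreate(api, "jspolicy") != nil, ensureByGet(api, "jspolicy") != nil)
}
```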