Open GeekWolfBoy opened 8 months ago
As the title,we can't set webhookConfiguration.failurePolicy.pods=Ignore ,and we found it's template be hard code:
apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: kruise-mutating-webhook-configuration webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-pod failurePolicy: Fail name: mpod.kb.io namespaceSelector: matchExpressions: - key: control-plane operator: DoesNotExist rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-advancedcronjob failurePolicy: Fail name: madvancedcronjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - advancedcronjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-broadcastjob failurePolicy: Fail name: mbroadcastjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - broadcastjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-cloneset failurePolicy: Fail name: mcloneset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - clonesets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-containerrecreaterequest failurePolicy: Fail name: mcontainerrecreaterequest.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - containerrecreaterequests sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-daemonset failurePolicy: Fail name: mdaemonset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - daemonsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-imagelistpulljob failurePolicy: Fail name: mimagelistpulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagelistpulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-imagepulljob failurePolicy: Fail name: mimagepulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagepulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-nodeimage failurePolicy: Fail name: mnodeimage.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - nodeimages sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-sidecarset failurePolicy: Fail name: msidecarset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - sidecarsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-statefulset failurePolicy: Fail name: mstatefulset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 - v1beta1 operations: - CREATE - UPDATE resources: - statefulsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /mutate-apps-kruise-io-v1alpha1-uniteddeployment failurePolicy: Fail name: muniteddeployment.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - uniteddeployments sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: kruise-validating-webhook-configuration webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-deployment failurePolicy: Fail name: vbuiltindeployment.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists rules: - apiGroups: - apps apiVersions: - v1 operations: - DELETE resources: - deployments sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-replicaset failurePolicy: Fail name: vbuiltinreplicaset.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists rules: - apiGroups: - apps apiVersions: - v1 operations: - DELETE resources: - replicasets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-statefulset failurePolicy: Fail name: vbuiltinstatefulset.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists rules: - apiGroups: - apps apiVersions: - v1 operations: - DELETE resources: - statefulsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-customresourcedefinition failurePolicy: Fail name: vcustomresourcedefinition.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists rules: - apiGroups: - apiextensions.k8s.io apiVersions: - v1 - v1beta1 operations: - DELETE resources: - customresourcedefinitions sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-namespace failurePolicy: Fail name: vnamespace.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists rules: - apiGroups: - "" apiVersions: - v1 operations: - DELETE resources: - namespaces sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-pod failurePolicy: Fail name: vpod.kb.io namespaceSelector: matchExpressions: - key: control-plane operator: DoesNotExist rules: - apiGroups: - "" apiVersions: - v1 operations: - UPDATE - DELETE resources: - pods sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-pod failurePolicy: Fail name: vpodeviction.kb.io namespaceSelector: matchExpressions: - key: control-plane operator: DoesNotExist rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods/eviction sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-resourcedistribution failurePolicy: Fail name: vresourcedistribution.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - resourcedistributions sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-workloadspread failurePolicy: Fail name: vworkloadspread.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - workloadspreads sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-advancedcronjob failurePolicy: Fail name: vadvancedcronjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - advancedcronjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-broadcastjob failurePolicy: Fail name: vbroadcastjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - broadcastjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-cloneset failurePolicy: Fail name: vcloneset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE - DELETE resources: - clonesets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-daemonset failurePolicy: Fail name: vdaemonset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - daemonsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-imagelistpulljob failurePolicy: Fail name: vimagelistpulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagelistpulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-imagepulljob failurePolicy: Fail name: vimagepulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagepulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-nodeimage failurePolicy: Fail name: vnodeimage.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - nodeimages sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-persistentpodstate failurePolicy: Fail name: vpersistentpodstate.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - persistentpodstates sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-podprobemarker failurePolicy: Fail name: vpodprobemarker.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - podprobemarkers sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-policy-kruise-io-podunavailablebudget failurePolicy: Fail name: vpodunavailablebudget.kb.io rules: - apiGroups: - policy.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - podunavailablebudgets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-sidecarset failurePolicy: Fail name: vsidecarset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - sidecarsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-statefulset failurePolicy: Fail name: vstatefulset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 - v1beta1 operations: - CREATE - UPDATE - DELETE resources: - statefulsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: kruise-system path: /validate-apps-kruise-io-v1alpha1-uniteddeployment failurePolicy: Fail name: vuniteddeployment.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE - DELETE resources: - uniteddeployments sideEffects: None
As the title,we can't set webhookConfiguration.failurePolicy.pods=Ignore ,and we found it's template be hard code: