operator-framework / operator-lifecycle-manager

A management framework for extending Kubernetes with Operators
https://olm.operatorframework.io
Apache License 2.0

How to scope MutatingWebhookConfiguration to another namespace #1906

Open balpert89 opened 3 years ago

balpert89 commented 3 years ago

Configuration

How to scope MutatingWebhookConfiguration to another namespace?

What did you do? I have created a MutatingWebhook with the operator-sdk CLI, deployed it manually which works. Deploying the operator including the webhook with OLM injects a namespaceSelector to the resulting MutatingWebhookConfiguration.

What did you expect to see? This is not a bug, but I cannot find the location that I have to change so the Webhook can be used in all namespaces, not only in the operator namespace.

What did you see instead? Under which circumstances? The webhook is only triggered when changes are done in the same namespace as the operator.

Environment

Additional context

MutatingWebhookConfiguration

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  generateName: mpod.kb.io-
  labels:
    olm.owner: helloworld.v2.0.39-feature-openshift-4.6
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: operators
    olm.webhook-description-generate-name: mpod.kb.io
    olm.webhook-description-hash: 749df8fdbd
  name: mpod.kb.io-8lwql
webhooks:
- admissionReviewVersions:
  - v1beta1
  - v1
  clientConfig:
    caBundle: LS0tLS...
    service:
      name: helloworld-operator-service
      namespace: operators
      path: /mutate-v1-pod
      port: 443
  failurePolicy: Ignore
  matchPolicy: Equivalent
  name: mpod.kb.io
  namespaceSelector:
    matchLabels:
      olm.operatorgroup.uid/ba7410a0-d81c-46e1-a63a-f37d4626f64d: ""
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
```

I want the following to appear in `webhooks.namespaceSelector`:

```yaml
webhooks:
- namespaceSelector: {}
```

Excerpt of ClusterServiceVersion

```yaml
spec:
  webhookdefinitions:
  - admissionReviewVersions:
    - v1beta1
    - v1
    containerPort: 443
    deploymentName: helloworld-operator
    failurePolicy: Ignore
    generateName: mpod.kb.io
    rules:
    - apiGroups:
      - ""
      apiVersions:
      - v1
      operations:
      - CREATE
      resources:
      - pods
    sideEffects: None
    targetPort: 9443
    type: MutatingAdmissionWebhook
    webhookPath: /mutate-v1-pod
```

awgreene commented 3 years ago

Hello @balpert89,

Thanks for using OLM and for submitting this issue.

As described in the OLM Webhook Docs, webhooks shipped with operators are scoped to the TargetNamespaces defined by the OperatorGroup. I suspect that you are creating the Operator in an OperatorGroup that is scoped to a set of namespaces.

If you wish for your webhook to intercept pod create commands in all namespaces you will need to install the operator in an AllNamespace OperatorGroup.

If you are already using an AllNamespace OperatorGroup, please share the steps to reproduce the error.
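As an added example of the scoping described in this thread (not code from the OLM project): a small Python check that takes a MutatingWebhookConfiguration and an OperatorGroup as `kubectl get ... -o json` returns them and reports whether the webhook covers all namespaces or only the OperatorGroup's target namespaces, and whether `failurePolicy: Ignore` lets requests through when the webhook is unreachable. The sample objects are constructed here to mirror the configuration quoted in the issue.

```python
# Added example, not part of the OLM project: classify how an OLM-generated
# MutatingWebhookConfiguration is scoped, using the object as `kubectl get
# mutatingwebhookconfiguration <name> -o json` returns it (parsed to a dict).
import json

# OLM labels every namespace an OperatorGroup targets with this key and
# selects those namespaces in the webhook's namespaceSelector.
OLM_OG_LABEL_PREFIX = "olm.operatorgroup.uid/"


def webhook_scope(mwc):
    """Per webhook: where it fires, which OperatorGroup (if any) pins it, and
    whether failurePolicy lets requests through when the webhook is down."""
    report = {}
    for wh in mwc.get("webhooks", []):
        selector = wh.get("namespaceSelector") or {}
        labels = selector.get("matchLabels") or {}
        og_uids = [k[len(OLM_OG_LABEL_PREFIX):] for k in labels
                   if k.startswith(OLM_OG_LABEL_PREFIX)]
        if not labels and not selector.get("matchExpressions"):
            scope = "all-namespaces"  # the empty selector the thread expects from an AllNamespaces group
        elif og_uids:
            scope = "operatorgroup-target-namespaces"
        else:
            scope = "custom-selector"
        report[wh["name"]] = {
            "scope": scope,
            "operatorgroup_uid": og_uids[0] if og_uids else None,
            # admissionregistration.k8s.io/v1 defaults failurePolicy to Fail
            "fails_open": wh.get("failurePolicy", "Fail") == "Ignore",
        }
    return report


def operatorgroup_is_all_namespaces(og):
    """No targetNamespaces and no selector means the group targets every namespace."""
    spec = og.get("spec") or {}
    return not spec.get("targetNamespaces") and not spec.get("selector")


# Constructed sample objects mirroring the configuration quoted in the issue.
SCOPED_MWC = {"metadata": {"name": "mpod.kb.io-8lwql"}, "webhooks": [
    {"name": "mpod.kb.io", "failurePolicy": "Ignore", "namespaceSelector": {
        "matchLabels": {"olm.operatorgroup.uid/ba7410a0-d81c-46e1-a63a-f37d4626f64d": ""}}}]}
SINGLE_NS_OG = {"spec": {"targetNamespaces": ["operators"]}}  # constructed
ALL_NS_OG = {"spec": {}}                                       # constructed

if __name__ == "__main__":
    print(json.dumps(webhook_scope(SCOPED_MWC), indent=2))
    print("OperatorGroup is AllNamespaces:", operatorgroup_is_all_namespaces(ALL_NS_OG))
```

Run against the live objects by piping `kubectl get mutatingwebhookconfiguration <name> -o json` and `kubectl get operatorgroup -n <ns> <name> -o json` through `json.load`; a webhook that reports `operatorgroup-target-namespaces` will not see pods created outside those namespaces.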