projectcapsule / capsule

Multi-tenancy and policy-based framework for Kubernetes.
https://capsule.clastix.io
Apache License 2.0

Targeted namespace annotations #826

Open micke-post opened 9 months ago

micke-post commented 9 months ago

Hi, we recently came across a conceptual issue with namespace annotations. In our clusters we are using linkerd as a service mesh. To ensure that all tenants are properly meshed, we automatically annotate all namespaces by setting the linkerd.io/inject annotation in the additionalMetadata property of the tenants.

Which works perfectly, but recently we came across an issue where a tenant tried to deploy an nginx ingress controller. The issue basically is that linkerd interferes with the startup procedure because it prevents a short-lived container from properly terminating when starting nginx, so the recommendation is to not set the linkerd annotation on the nginx namespaces.

There are probably ways around this specific issue, but generally speaking - is there a way to target or exclude individual namespaces for the additionalMetadata property in capsule? From what I can tell after reading the docs it seems to be all or none.

prometherion commented 9 months ago

is there a way to target or exclude individual namespaces for the additionalMetadata property in capsule?

No, there's no chance of achieving this. This is definitely very subtle domain logic we cannot abstract in Capsule, thus I suggest you rely on specific policy engines, like Kyverno, unless the community pushes to achieve this.
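Added example, not code from the issue or from the Capsule project: a Tenant that rolls out the linkerd annotation through additionalMetadata, next to a Kyverno ClusterPolicy that overrides it with `linkerd.io/inject: disabled` on any namespace carrying an opt-out label. The tenant name `oil`, the owner `alice`, the policy name and the `example.com/linkerd-inject: skip` label are assumptions; the field path `spec.namespaceOptions.additionalMetadata.annotations` follows the v1beta2 Tenant CRD and should be checked against the installed CRD version.

```yaml
# Tenant: every namespace owned by this tenant gets the linkerd annotation.
# (tenant name, owner and annotation value are constructed for the example)
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
    - name: alice
      kind: User
  namespaceOptions:
    additionalMetadata:
      annotations:
        linkerd.io/inject: enabled
---
# Kyverno: on admission of a Namespace that carries the opt-out label,
# set the annotation to "disabled". The stored object therefore never has
# the tenant-wide "enabled" value, and linkerd will not inject the proxy.
# (label key/value and policy name are assumptions, not Capsule or Kyverno defaults)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: linkerd-inject-opt-out
spec:
  rules:
    - name: disable-linkerd-on-opted-out-namespaces
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  example.com/linkerd-inject: skip
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              linkerd.io/inject: disabled
```

Two checks before relying on this: Capsule reconciles tenant metadata onto namespaces, so confirm in a test cluster that its subsequent updates are mutated the same way and the two controllers do not fight over the value; and decide who may set the opt-out label, because a tenant owner who can label their own namespace can remove themselves from the mesh with it. Note also that ValidatingAdmissionPolicy, raised later in this thread, cannot implement this exclusion on its own: it only admits or rejects requests and does not mutate the annotation.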

micke-post commented 9 months ago

Alright, got it. Thanks for the information!

prometherion commented 9 months ago

I'm reopening this just to allow people to comment on it and share their interest in this feature.

bsctl commented 9 months ago

@prometherion @maxgio92 Reviving the interest in an external policy engine, natively with the Validating Admission Policy feature set (still beta).