Open dkeightley opened 2 years ago
Request Summary: After experiencing issues caused by the OPA webhooks during upgrades or significant changes, it could be worthwhile adding a note about the webhooks deployed with the OPA Gatekeeper chart.
It is common to exempt namespaces from OPA (kube-system, cattle-system, etc.). This can be done in two ways:
(a) labeling the namespace with admission.gatekeeper.sh/ignore
(b) exempting the namespace in the Gatekeeper Config resource
On its own, (b) still sends the request to the webhook for these namespaces, requiring a timeout period to be met before failing open on the request. This is inefficient, as all requests are still sent from kube-apiserver->OPA for evaluation before being classified as exempt.
By labeling the namespace (a), the outbound request to the webhook is avoided by the kube-apiserver. This can improve performance under normal operation as well as improve resiliency during upgrades or times of turbulence.
These options are not obvious without reading the OPA docs closely, therefore we could avoid future issues by noting this.
Details:
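The two exemption approaches described above, side by side with the webhook selector that makes approach (a) work. This is an added example for the issue, not a manifest from the Gatekeeper chart or from the issue author. It assumes Gatekeeper runs in the gatekeeper-system namespace and that the Config and ValidatingWebhookConfiguration names match the chart defaults; the webhook excerpt is trimmed to the fields that matter here.

```yaml
# Added example (not from the issue or the Gatekeeper chart).
# Assumptions: Gatekeeper is installed in gatekeeper-system and the
# Config / webhook object names match the chart defaults.

# (a) Label the namespace. The kube-apiserver evaluates this label against the
# webhook's namespaceSelector and never sends the admission request to Gatekeeper,
# so an unavailable webhook (e.g. during an upgrade) cannot delay these requests.
apiVersion: v1
kind: Namespace
metadata:
  name: kube-system
  labels:
    admission.gatekeeper.sh/ignore: "true"   # any value works; the selector only checks presence
---
# (b) Exempt the namespace in the Gatekeeper Config resource. The request is
# still sent to the webhook and exempted inside Gatekeeper, so if the webhook is
# down the apiserver still waits for timeoutSeconds before failing open.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  match:
    - excludedNamespaces: ["kube-system", "cattle-system"]
      processes: ["*"]
---
# Trimmed excerpt of the ValidatingWebhookConfiguration installed by the chart.
# With the label absent, DoesNotExist matches and the request goes to Gatekeeper;
# with the label present, the selector does not match and the call is skipped.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration
webhooks:
  - name: validation.gatekeeper.sh
    namespaceSelector:
      matchExpressions:
        - key: admission.gatekeeper.sh/ignore
          operator: DoesNotExist
    failurePolicy: Ignore   # fail open once timeoutSeconds elapses
    timeoutSeconds: 3
    # clientConfig, rules and admissionReviewVersions omitted
```

To confirm which path a request takes on a live cluster, inspect the deployed webhook with kubectl get validatingwebhookconfigurations gatekeeper-validating-webhook-configuration -o yaml and check the namespaceSelector, failurePolicy and timeoutSeconds fields; a failurePolicy of Fail instead of Ignore turns the timeout in approach (b) into a hard rejection rather than a fail-open. One caveat: Gatekeeper also ships a check-ignore-label.gatekeeper.sh webhook that rejects adding the ignore label to a namespace unless that namespace is listed via the controller's --exempt-namespace (or prefix/suffix) flag, so approach (a) normally requires both the flag and the label.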