windows-gmsa
Enhancement request: admission webhook expression filter
issue
gmsa admission webhook intercepts everything, including pods that have nothing to do with gmsa.
the gmsa mutating webhook has no object selector / match expressions. it may be preferable to incorporate a few filters as this chart moves forward with k8s.
the easy move forward might be something like an objectSelector that matches a label like gmsa-mutate: true
a more hands-free future solution could leverage match conditions testing for the existence of spec securityContext.windowsOptions.gmsaCredentialSpecName
references
took a look at - https://github.com/kubernetes-sigs/windows-gmsa/pull/145/files. good. this mostly circumvents the issue.
last year k8s added an enhancement to support expression filters in webhooks https://github.com/kubernetes/enhancements/issues/3716, marked stable in v1.30+
k8s docs object filter - start here: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
fancy new CEL expressions (1.30+): https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
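
The two filters proposed in the issue, sketched as an added example (not part of the original issue and not the windows-gmsa chart's own manifest). The object and webhook names, service reference, path, CA bundle and `operations` value are placeholders or assumptions; only the `gmsa-mutate` label and the `gmsaCredentialSpecName` field come from the issue text.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: gmsa-webhook-example              # PLACEHOLDER name
webhooks:
  - name: gmsa-mutate.example.com         # PLACEHOLDER name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      service:
        name: gmsa-webhook                # PLACEHOLDER service
        namespace: gmsa-webhook           # PLACEHOLDER namespace
        path: /mutate                     # PLACEHOLDER path
      caBundle: "<PLACEHOLDER-base64-CA>"
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]            # assumption for this sketch
        resources: ["pods"]

    # Option 1 from the issue: opt-in label filter.
    # Label values are strings, so "true" must be quoted.
    # A pod without the label is never sent to the webhook,
    # even if it sets gmsaCredentialSpecName.
    # objectSelector:
    #   matchLabels:
    #     gmsa-mutate: "true"

    # Option 2 from the issue: call the webhook only when the pod
    # actually references a gMSA credential spec, at pod level or in
    # any container / init container. Each has() is chained so an
    # absent parent field evaluates to false instead of an error.
    matchConditions:
      - name: pod-references-gmsa-credspec
        expression: >-
          (has(object.spec.securityContext)
          && has(object.spec.securityContext.windowsOptions)
          && has(object.spec.securityContext.windowsOptions.gmsaCredentialSpecName))
          || object.spec.containers.exists(c,
          has(c.securityContext) && has(c.securityContext.windowsOptions)
          && has(c.securityContext.windowsOptions.gmsaCredentialSpecName))
          || (has(object.spec.initContainers)
          && object.spec.initContainers.exists(c,
          has(c.securityContext) && has(c.securityContext.windowsOptions)
          && has(c.securityContext.windowsOptions.gmsaCredentialSpecName)))
```

If both `objectSelector` and `matchConditions` are set on the same webhook, a request must pass both filters before it is sent.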