azure-workload-identity icon indicating copy to clipboard operation
azure-workload-identity copied to clipboard
verified publisher icon Azure

Make namespaceSelector and scope for the MutatingWebhookConfiguration user-configurable

Open tkent opened this issue 3 years ago • 0 comments

Is your feature request related to a problem? Please describe.

Currently the helm chart allows the objectSelector of the MutatingWebhookConfiguration to be user specified. This is very useful to ensure that the cluster continues to operate correctly when failurePolicy=Fail and azure-workload-identity pods are not running. As long as you ensure certain labels are only set on the pods that require azure-workload-identity and you define the selector, you're good to go.

However, there are two additional useful configurations, namespaceSelector and scope, which allow you exclude namespaces from evaluation. This is useful when it comes to the kube-system namespace and for pods where you can't easily control their labels.

It would be great if these were also user configurable.

Describe alternatives you've considered

We can ensure all pods that rely on the admission controller have labels that match an objectSelector of our choosing. While this works, it doesn't guarantee the AC won't be applied to pods in a namespace where we don't want it, like kube-system.

Additional context

In #516, I asked to make the failurePolicy of the MutatingWebhookConfiguration configurable (thanks for doing that, btw).

However, I failed to ask to make this request at the same time. I haven't actually run into a problem yet, but I'd like to never have it come up.

tkent avatar Sep 14 '22 16:09 tkent