helm-charts
Excluding custom resources via rules in Validating & Mutating web-hook configuration is getting overriden with default config
We have tried adding rules to the validating & mutating webhook of policy.sigstore.dev, together with a namespaceSelector on the policy.sigstore.dev/include label; the rules were empty by default.
We tried to add rules so that only well-known k8s objects such as deployments, statefulsets, daemonsets, cronjobs, jobs and pods go via the admission controller, but not custom resources. But when we add these objects explicitly in the rules, they get overridden with the default ones. Is there a way to exclude a few resources, since the objectSelector is not sufficient for our use cases?
```yaml
namespaceSelector:
  matchExpressions:
  - key: webhooks.knative.dev/exclude
    operator: DoesNotExist
  - key: policy.sigstore.dev/include
    operator: In
    values:
    - "true"
objectSelector: {}
rules:
- apiGroups:
  - ""
  apiVersions:
  - v1
  operations:
  - CREATE
  - UPDATE
  - DELETE
  resources:
  - pods
  - pods/status
  scope: ''
- apiGroups:
  - apps
  apiVersions:
  - v1
  operations:
  - CREATE
  - UPDATE
  - DELETE
  resources:
  - deployments
  - deployments/status
  scope: ''
.....
```

Main use case is: we want to start with image signature verification only for the well-known objects mentioned above, not for the custom resources. The problem with the objectSelector is that when we use a matchExpressions NOT IN condition, it also takes effect for custom resources, but it is considered for the deployments or pods. Could you please let us know if there is a way to exclude all the custom resources somehow. Let us know if any further info is required.
We could see that ./policy-controller/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go:48 mentions how to exclude them.
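The question above turns on which requests a webhook's `rules` actually send to the admission controller. The following Python script is an added example, not code from sigstore/helm-charts or policy-controller: it re-implements the matching semantics of a Kubernetes `RuleWithOperations` entry (`apiGroups`, `apiVersions`, `operations`, `resources` with `*`, `*/*` and `resource/subresource` patterns, and `scope`) so that an operator can check, before applying a configuration, whether an explicit allowlist like the one in the issue keeps custom resources out of the webhook while a catch-all rule pulls them in. The rule sets, the sample requests and the `scope: "*"` default are constructed for this example; the constructed `CATCH_ALL_RULES` merely stands in for the "default ones" the issue says replace the explicit rules, it is not taken from the chart.

```python
"""Evaluate Kubernetes admission-webhook rules against sample requests to see
which resources a webhook would receive. Constructed example for this issue;
not policy-controller or helm-chart code."""

from dataclasses import dataclass


@dataclass
class Rule:
    """One entry of a webhook's `rules` list (RuleWithOperations)."""
    api_groups: list
    api_versions: list
    resources: list      # "pods", "pods/status", "*", "*/*", "pods/*"
    operations: list     # CREATE, UPDATE, DELETE, CONNECT or "*"
    scope: str = "*"     # Kubernetes default when omitted: Cluster, Namespaced or "*"


@dataclass
class Request:
    """The parts of an admission request the rules are matched against."""
    group: str           # "" for the core group
    version: str
    resource: str        # "pods" or "pods/status"
    operation: str
    namespaced: bool = True


def _wild(patterns, value):
    # "*" matches anything; otherwise exact match.
    return any(p in ("*", value) for p in patterns)


def _resource_match(patterns, resource):
    # Split both sides into base resource and subresource; "*" is a wildcard
    # on either side, so "*/*" matches everything and "pods" only matches the
    # base resource (no subresource).
    base, _, sub = resource.partition("/")
    for p in patterns:
        pb, _, ps = p.partition("/")
        if pb in ("*", base) and ps in ("*", sub):
            return True
    return False


def _scope_match(scope, namespaced):
    return scope == "*" or (scope == "Namespaced") == namespaced


def rule_matches(rule, req):
    return (_wild(rule.api_groups, req.group)
            and _wild(rule.api_versions, req.version)
            and _wild(rule.operations, req.operation)
            and _resource_match(rule.resources, req.resource)
            and _scope_match(rule.scope, req.namespaced))


def webhook_receives(rules, req):
    """True if any rule matches, i.e. the API server would call the webhook."""
    return any(rule_matches(r, req) for r in rules)


# Constructed: the explicit allowlist of well-known kinds described in the issue.
EXPLICIT_RULES = [
    Rule([""], ["v1"], ["pods", "pods/status"], ["CREATE", "UPDATE", "DELETE"]),
    Rule(["apps"], ["v1"], ["deployments", "deployments/status", "statefulsets", "daemonsets"],
         ["CREATE", "UPDATE", "DELETE"]),
    Rule(["batch"], ["v1"], ["jobs", "cronjobs"], ["CREATE", "UPDATE", "DELETE"]),
]

# Constructed: a catch-all rule standing in for a reconciler-written default.
CATCH_ALL_RULES = [Rule(["*"], ["*"], ["*/*"], ["CREATE", "UPDATE"])]

# Constructed sample requests: built-in kinds plus two custom resources.
SAMPLE_REQUESTS = [
    Request("apps", "v1", "deployments", "CREATE"),
    Request("", "v1", "pods/status", "UPDATE"),
    Request("batch", "v1", "cronjobs", "CREATE"),
    Request("policy.sigstore.dev", "v1beta1", "clusterimagepolicies", "CREATE", namespaced=False),
    Request("example.com", "v1", "widgets", "CREATE"),
]


def audit(rules, requests=SAMPLE_REQUESTS):
    """Map 'group/version/resource OP' to whether the webhook would be invoked."""
    return {f"{r.group or 'core'}/{r.version}/{r.resource} {r.operation}": webhook_receives(rules, r)
            for r in requests}


if __name__ == "__main__":
    for label, rules in (("explicit", EXPLICIT_RULES), ("catch-all", CATCH_ALL_RULES)):
        print(label)
        for key, hit in audit(rules).items():
            print(f"  {key}: {'webhook' if hit else 'skipped'}")
```

Running it shows the two custom resources marked `skipped` under the explicit rules and `webhook` under the catch-all rule, which is exactly the difference the issue reports after the explicit rules are overwritten; the same functions can be pointed at rules read from a live `ValidatingWebhookConfiguration` to confirm what the controller wrote back.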