Why set namespace with kustomize for cluster-scoped Mutating|ValidatingWebhookConfiguration?

[davidxia]

What broke? What's expected?

What "broke"

Why does kubebuilder use a namespace kustomization transformer to set a namespace for Mutating|ValidatingWebhookConfiguration if these are cluster-scoped resources? Code here

Isn't this unnecessary?

What's expected

IIUC, lines of code above shouldn't exist as they don't do anything?

Expected output

# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
  version: v1
  fieldSpecs:
  - kind: MutatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name
  - kind: ValidatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name

varReference:
- path: metadata/annotations

Actual output

# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
  version: v1
  fieldSpecs:
  - kind: MutatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name
  - kind: ValidatingWebhookConfiguration
    group: admissionregistration.k8s.io
    path: webhooks/clientConfig/service/name

namespace:
- kind: MutatingWebhookConfiguration
  group: admissionregistration.k8s.io
  path: webhooks/clientConfig/service/namespace
  create: true
- kind: ValidatingWebhookConfiguration
  group: admissionregistration.k8s.io
  path: webhooks/clientConfig/service/namespace
  create: true

varReference:
- path: metadata/annotations

Reproducing this issue

Run kubebuilder create webhook --group batch --version v1 --kind CronJob --defaulting --programmatic-validation as described in Implementing defaulting/validating webhooks.

KubeBuilder (CLI) Version

4.0.0

PROJECT version

3

Plugin versions

go.kubebuilder.io/v4

Other versions

go 1.22.2
sigs.k8s.io/controller-runtime v0.18.2

kubectl version
Client Version: v1.29.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.3-gke.1282000

Extra Labels

/kind cleanup

[davidxia]

created this issue at the request of kubernetes-sigs/controller-tools#999 (comment) despite the issue template saying to create issues in controller-tools 🤷‍♂️

[camilamacedo86]

It is not related to controller-tools at all.
Since the scaffold was implemented in Kubebuilder it has the namespaces transforms.
See: a3e6e25

However, it seems that is a bug and the code is unnecessary.
To fix it is required to:

• 1 : Change the kubebuilder template:

  kubebuilder/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/webhook/kustomizeconfig.go

  Lines 47 to 69 in e82127c

  	const kustomizeConfigWebhookTemplate = `# the following config is for teaching kustomize where to look at when substituting nameReference.
  	# It requires kustomize v2.1.0 or newer to work properly.
  	nameReference:
  	- kind: Service
  	version: v1
  	fieldSpecs:
  	- kind: MutatingWebhookConfiguration
  	group: admissionregistration.k8s.io
  	path: webhooks/clientConfig/service/name
  	- kind: ValidatingWebhookConfiguration
  	group: admissionregistration.k8s.io
  	path: webhooks/clientConfig/service/name
  	namespace:
  	- kind: MutatingWebhookConfiguration
  	group: admissionregistration.k8s.io
  	path: webhooks/clientConfig/service/namespace
  	create: true
  	- kind: ValidatingWebhookConfiguration
  	group: admissionregistration.k8s.io
  	path: webhooks/clientConfig/service/namespace
  	create: true
  	`

• 2 - Run make generate to ensure that all samples and docs will properly updated

Please, feel free to open PR with the change.

[davidxia]

@camilamacedo86 thanks, I'll attempt!

[davidxia]

Closing as it's not a bug. These lines are setting the K8s Service's namespace not that of the Mutating|ValidatingWebhookConfiguration.

These lines

kubebuilder/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/webhook/kustomizeconfig.go

Lines 60 to 68 in e82127c

	namespace:
	- kind: MutatingWebhookConfiguration
	group: admissionregistration.k8s.io
	path: webhooks/clientConfig/service/namespace
	create: true
	- kind: ValidatingWebhookConfiguration
	group: admissionregistration.k8s.io
	path: webhooks/clientConfig/service/namespace
	create: true

are needed to update the Mutating|ValidatingWebhookConfiguration's webhooks/0/clientConfig/service/namespace value

kubebuilder/testdata/project-v4/config/webhook/manifests.yaml

Lines 2 to 13 in f1a4328

	apiVersion: admissionregistration.k8s.io/v1
	kind: MutatingWebhookConfiguration
	metadata:
	name: mutating-webhook-configuration
	webhooks:
	- admissionReviewVersions:
	- v1
	clientConfig:
	service:
	name: webhook-service
	namespace: system
	path: /mutate-crew-testproject-org-v1-admiral

with that from here

kubebuilder/testdata/project-v4/config/default/kustomization.yaml

Line 2 in f1a4328

namespace: project-v4-system

(Not sure why the path in kustomizeconfig.yaml doesn't have an array index path segment.)

Without these lines, the namespace value will always be system.