Set mutating webhook rules scope to Namespaced

Subject: Setting the scope for mutating webhooks rules Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. Solution: Setting the scope to Namespaced for both webhooks Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources. Fixes #12193 Signed-off-by: f.medini <f.medini@nyris.io>
linkerd · Mar 25, 2024 · 44e6544 · 44e6544
1 parent 6eeaea4
commit 44e6544
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 0 deletions.
diff --git a/charts/linkerd-control-plane/templates/proxy-injector-rbac.yaml b/charts/linkerd-control-plane/templates/proxy-injector-rbac.yaml
@@ -115,5 +115,6 @@ webhooks:
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods", "services"]
+    scope: "Namespaced"
   sideEffects: None
   timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }}
diff --git a/jaeger/charts/linkerd-jaeger/templates/rbac.yaml b/jaeger/charts/linkerd-jaeger/templates/rbac.yaml
@@ -150,6 +150,7 @@ webhooks:
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
+    scope: "Namespaced"
   sideEffects: None
 {{ if .Values.jaeger.enabled -}}
 ---

diff --git a/viz/charts/linkerd-viz/templates/tap-injector-rbac.yaml b/viz/charts/linkerd-viz/templates/tap-injector-rbac.yaml
@@ -102,4 +102,5 @@ webhooks:
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
+    scope: "Namespaced"
   sideEffects: None