Set proxy-injector, tap-injector and jaeger-injector mutating webhook rules scope to Namespaced #12195
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mdnfiras
force-pushed
the
feature/webhooks-scope-namespaced
branch
2 times, most recently
from
961815f
to
28880c2
Compare
alpeb
reviewed
Mar 7, 2024
|
... and also please address the DCO |
mdnfiras
force-pushed
the
feature/webhooks-scope-namespaced
branch
3 times, most recently
from
44e6544
to
50af07d
Compare
|
@alpeb |
Subject: Setting the scope for mutating webhooks rules Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector. Solution: Setting the scope to Namespaced for both webhooks, and the user can set the namespaceSelector in the helm values. Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources. Fixes linkerd#12193 Signed-off-by: f.medini <f.medini@nyris.io>
mdnfiras
force-pushed
the
feature/webhooks-scope-namespaced
branch
from
50af07d
to
5e93d04
Compare
alpeb
reviewed
Mar 26, 2024
mdnfiras
changed the title
alpeb
approved these changes
Mar 28, 2024
the-wondersmith
pushed a commit
to the-wondersmith/linkerd2
that referenced
this pull request
Apr 24, 2024
… rules scope to Namespaced (linkerd#12195) * Set mutating webhook rules scope to Namespaced Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector. Solution: Setting the scope to Namespaced for all webhooks, and the user can set the namespaceSelector in the helm values. Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources. Fixes linkerd#12193 --------- Signed-off-by: f.medini <f.medini@nyris.io> Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io> Signed-off-by: Mark S <the@wondersmith.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Subject: Setting the scope for mutating webhooks rules
Problem: The linkerd-proxy-injector-webhook-config, linkerd-jaeger-injector-webhook-config, and linkerd-tap-injector-webhook-config mutating webhooks raise a warning on GKE that says "Update webhook to no longer intercept system requests." in the GCP console recommendation section. This is because the scope is set to *. This also happens if scope is Namespaced, and kube-system and kube-node-lease namespaces are not excluded using namespaceSelector.
Solution: Setting the scope to Namespaced for all webhooks, and the user can set the namespaceSelector in the helm values.
Validation: This should not change the webhooks behaviour as all webhooks are triggered only by pod/service creation requests, and pods/services are namespaced resources.
Fixes #12193