How to configure webhook matching rules for subresources #1087
Comments
We've done some preliminary digging on this. So far, it looks like subresources are supported, as long as the specific subresource is supported by ValidatingWebhookConfiguration and validating webhooks generally. Steps to get specific subresources:
I tried this out for
Thanks @maxsmythe! It did work!
What about the status subresource? It seems like some subresources are commonly accessed and others are obscure. I like saying "worse is better" and requiring subresources to be explicitly added in order to be watched, unless we get more requests for watching subresources. It might be useful to provide some documentation / example around this, though, to make the pattern more salient.
"worse is better" is definitely safer in terms of policy not interfering with cluster operations. I wonder if we could include certain common subresources that may be important: "/scale", and maybe "/status". Being concerned about policy against open-policy-agent/gatekeeper-library#45, where apparently changing status can have some effect on the state of the world. I'm wondering how/if status updates are subject to the VWH when modified via the status subresource.
Found this issue #1056 but it's not clear to me if other subresources are supported or not, e.g. /scale.
If it is supported, how to configure it?
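A model of how the `rules[].resources` entries of a ValidatingWebhookConfiguration select subresource requests, added here as an example; it is not part of the issue thread or Gatekeeper's code. It assumes the matching semantics documented for the Kubernetes admissionregistration API (split each entry on the first `/`, with `*` as a wildcard); the rule lists and requests are constructed.

```python
# Added example: models how a webhook rule's `resources` entries match
# admission requests that target a subresource. The rules and requests
# below are constructed for illustration.

def entry_matches(entry, resource, subresource=""):
    """Match one `resources` entry against a request.

    An entry is "resource" or "resource/subresource"; "*" is a wildcard in
    either position. An entry without a slash only matches requests that
    carry no subresource, so "*" alone does not cover /scale or /status.
    """
    want_res, _, want_sub = entry.partition("/")
    res_ok = want_res in ("*", resource)
    sub_ok = want_sub in ("*", subresource)
    return res_ok and sub_ok


def rule_matches(rule, group, resource, subresource=""):
    """True if the rule's apiGroups and any `resources` entry cover the request."""
    group_ok = any(g in ("*", group) for g in rule["apiGroups"])
    return group_ok and any(
        entry_matches(e, resource, subresource) for e in rule["resources"]
    )


def unwatched(rules, requests):
    """Return the requests that no rule matches (the webhook never sees them)."""
    return [req for req in requests
            if not any(rule_matches(r, *req) for r in rules)]


# Constructed requests: (apiGroup, resource, subresource)
REQUESTS = [
    ("apps", "deployments", ""),
    ("apps", "deployments", "scale"),
    ("apps", "deployments", "status"),
    ("", "pods", "status"),
]

# Wildcard rule with no subresource entries.
RESOURCES_ONLY = [{"apiGroups": ["*"], "resources": ["*"]}]
# Same rule with the subresources of interest listed explicitly.
WITH_SUBRESOURCES = [
    {"apiGroups": ["*"], "resources": ["*", "*/scale", "pods/status"]}
]

if __name__ == "__main__":
    for name, rules in [("resources only", RESOURCES_ONLY),
                        ("with subresources", WITH_SUBRESOURCES)]:
        print(name, "->", unwatched(rules, REQUESTS))
```

With the explicit entries, only the `deployments/status` request is still unmatched, which is the trade-off the "worse is better" comments describe.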