optional and configurable list of matchConditions (#27)

Author: buildwithnirmal

chart/templates/webhook.yaml

@@ -131,3 +131,7 @@ webhooks:
   timeoutSeconds: 10
   failurePolicy: Fail
   reinvocationPolicy: Never
+  {{- with .Values.webhook.matchConditions }}
+  matchConditions:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}

chart/values.yaml

@@ -62,6 +62,15 @@ pdb:
   maxUnavailable: ""
 
 webhook:
+  # -- Match conditions for webhooks can be used for fine-grained request filtering. Docs: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
+  matchConditions: []
+  # -- Examples from documentation:
+  # -- - name: 'exclude-leases' # Each match condition must have a unique name
+  # --   expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # Match non-lease resources.
+  # -- - name: 'exclude-kubelet-requests'
+  # --   expression: '!("system:nodes" in request.userInfo.groups)' # Match requests made by non-node users.
+  # -- - name: 'rbac' # Skip RBAC requests, which are handled by the second webhook.
+  # --   expression: 'request.resource.group != "rbac.authorization.k8s.io"'
   certManager:
     # -- Whether to use cert-manager to manage webhook tls
     enabled: false