Scope StatefulSet mutating webhook to MOCO resources #882
Pull request overview
Scopes the StatefulSet mutating webhook to MOCO-managed StatefulSets by applying an objectSelector, reducing blast radius when the webhook is unavailable.
Changes:
- Add a strategic merge patch to set `objectSelector.matchLabels` on the StatefulSet mutating webhook.
- Wire the patch into `config/webhook/kustomization.yaml` so it's applied during manifest generation.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| config/webhook/patches/statefulset_webhook_objectselector.yaml | Adds an objectSelector to limit which StatefulSets the mutating webhook applies to. |
| config/webhook/kustomization.yaml | Applies the new patch during Kustomize builds of webhook manifests. |
```yaml
patchesStrategicMerge:
- patches/statefulset_webhook_objectselector.yaml
```
`patchesStrategicMerge` is the legacy Kustomize mechanism and is discouraged in favor of `patches` with an explicit `target` (kind/name/field selectors), which tends to be clearer and more robust as configurations evolve. Consider switching to `patches:` with a target that selects `kind: MutatingWebhookConfiguration` and `name: mutating-webhook-configuration`.
```diff
-patchesStrategicMerge:
-- patches/statefulset_webhook_objectselector.yaml
+patches:
+- path: patches/statefulset_webhook_objectselector.yaml
+  target:
+    kind: MutatingWebhookConfiguration
+    name: mutating-webhook-configuration
```
Currently, this project uses the legacy `patchesStrategicMerge`. I have a plan to create a PR that applies `kustomize edit fix` after this PR.
Signed-off-by: sho-iizuka <sho-iizuka@cybozu.co.jp>
…ctory to avoid WebhookInstallOptions.Paths
Signed-off-by: sho-iizuka <sho-iizuka@cybozu.co.jp>
Summary

Add a Kustomize patch that applies an `objectSelector` to the StatefulSet mutating webhook, so only MOCO-created StatefulSets are targeted and non-MOCO users are unaffected.

Background

The StatefulSet mutating webhook currently applies cluster-wide. As mentioned at https://habr.com/ru/companies/flant/articles/969520/, if the MOCO webhook is unavailable, it can impact unrelated StatefulSet operations. We want to limit the webhook to MOCO-managed resources.

Changes

- `objectSelector` with `app.kubernetes.io/created-by=moco` on the StatefulSet mutating webhook.

Notes

Currently, controller-gen's `+kubebuilder:webhook` marker does not support setting an `objectSelector`. That is why we add `objectSelector` as a Kustomize patch. See kubernetes-sigs/controller-tools#553
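To make the blast-radius argument behind this PR concrete, here is an added Python example (not MOCO's code and not part of the PR) that models how the API server applies a webhook's `objectSelector` before calling the webhook, and an audit that flags webhooks which still fail closed cluster-wide. The label `app.kubernetes.io/created-by=moco` is the one the PR uses; the webhook name `mstatefulset.kb.io`, the two sample StatefulSets and the audit function are assumptions constructed for this example.

```python
"""Added example, not MOCO's own code: what the objectSelector from this PR
changes, plus an audit for webhooks that remain cluster-wide.

The API server evaluates objectSelector against the StatefulSet's own
metadata.labels *before* it calls the webhook, so a non-matching object is
never sent to the endpoint even while the MOCO webhook backend is down.
"""

# Constructed: one entry of `.webhooks[]` as `kubectl get
# mutatingwebhookconfiguration -o json` would show it after the patch.
WEBHOOK_AFTER_PR = {
    "name": "mstatefulset.kb.io",  # assumed name, not taken from the page
    "failurePolicy": "Fail",
    "rules": [{
        "apiGroups": ["apps"], "apiVersions": ["v1"],
        "operations": ["CREATE", "UPDATE"], "resources": ["statefulsets"],
    }],
    # Label from the PR: only MOCO-created StatefulSets carry it.
    "objectSelector": {"matchLabels": {"app.kubernetes.io/created-by": "moco"}},
}
# The same webhook as it was before the PR: no objectSelector at all.
WEBHOOK_BEFORE_PR = {k: v for k, v in WEBHOOK_AFTER_PR.items() if k != "objectSelector"}

# Constructed StatefulSets: one created by MOCO, one unrelated to MOCO.
MOCO_STS = {"metadata": {"name": "moco-mysql",
                         "labels": {"app.kubernetes.io/created-by": "moco"}}}
OTHER_STS = {"metadata": {"name": "web", "labels": {"app": "web"}}}


def selector_matches(selector, labels):
    """metav1.LabelSelector semantics as used for objectSelector: a missing or
    empty selector matches everything; every matchLabels entry and every
    matchExpressions entry must hold for the selector to match."""
    if not selector:
        return True
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and (not present or labels[key] not in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def webhook_called_for(webhook, obj, old_obj=None):
    """Would the API server send this admission request to the webhook?
    The rules (apps/v1 statefulsets) are assumed to match already. On UPDATE
    the selector is evaluated against both the new and the old object and the
    webhook is called if either matches, so stripping the label in an update
    does not bypass the webhook."""
    selector = webhook.get("objectSelector")
    candidates = [obj] + ([old_obj] if old_obj is not None else [])
    return any(
        selector_matches(selector, o.get("metadata", {}).get("labels") or {})
        for o in candidates
    )


def audit_blast_radius(webhooks):
    """Flag webhooks whose outage would block every request they cover:
    failurePolicy Fail (the v1 default when unset) with neither an
    objectSelector nor a namespaceSelector to narrow them. Returns names."""
    findings = []
    for wh in webhooks:
        fails_closed = wh.get("failurePolicy", "Fail") == "Fail"
        scoped = bool(wh.get("objectSelector")) or bool(wh.get("namespaceSelector"))
        if fails_closed and not scoped:
            findings.append(wh["name"])
    return findings


if __name__ == "__main__":
    for stage, wh in (("before PR", WEBHOOK_BEFORE_PR), ("after PR", WEBHOOK_AFTER_PR)):
        print(f"{stage}: MOCO sts called={webhook_called_for(wh, MOCO_STS)}, "
              f"other sts called={webhook_called_for(wh, OTHER_STS)}, "
              f"audit={audit_blast_radius([wh])}")
```

Two caveats worth keeping in mind when reading the output: the selector only sees the StatefulSet's own `metadata.labels`, not the labels in `spec.template`, so the guarantee depends on MOCO stamping the label on the StatefulSet object itself; and an `objectSelector` makes the webhook opt-in, meaning any StatefulSet without that label is never mutated, which is exactly the effect this PR wants for non-MOCO users.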