Add matchConditions to only run webhooks on pods with annotation

wnagele · wnagele · commit 0f5ec28835cf · 2025-08-18T13:47:37.000-04:00
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
@@ -4,3 +4,34 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
+
+patches:
+- patch: |-
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: MutatingWebhookConfiguration
+    metadata:
+      name: mutating-webhook-configuration
+    webhooks:
+    - name: mpod-v1.kb.io
+      matchConditions:
+        - name: vpc-attachment-annotation-exists
+          expression: >
+            object != null &&
+            has(object.metadata) &&
+            has(object.metadata.annotations) &&
+            "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations
+
+- patch: |-
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+      name: validating-webhook-configuration
+    webhooks:
+    - name: vpod-v1.kb.io
+      matchConditions:
+        - name: vpc-attachment-annotation-exists
+          expression: >
+            object != null &&
+            has(object.metadata) &&
+            has(object.metadata.annotations) &&
+            "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations
diff --git a/dist/install.yaml b/dist/install.yaml
@@ -754,6 +754,10 @@ webhooks:
       namespace: galactic-operator-system
       path: /mutate--v1-pod
   failurePolicy: Fail
+  matchConditions:
+  - expression: object != null && has(object.metadata) && has(object.metadata.annotations)
+      && "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations
+    name: vpc-attachment-annotation-exists
   name: mpod-v1.kb.io
   rules:
   - apiGroups:
@@ -782,6 +786,10 @@ webhooks:
       namespace: galactic-operator-system
       path: /validate--v1-pod
   failurePolicy: Fail
+  matchConditions:
+  - expression: object != null && has(object.metadata) && has(object.metadata.annotations)
+      && "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations
+    name: vpc-attachment-annotation-exists
   name: vpod-v1.kb.io
   rules:
   - apiGroups:
