Add matchConditions to only run webhooks on pods with annotation (#4)

* Add matchConditions to only run webhooks on pods with annotation
* Revert PR #3

Author: wnagele

config/webhook/kustomization.yaml

@@ -4,3 +4,34 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
+
+patches:
+- patch: |-
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: MutatingWebhookConfiguration
+    metadata:
+      name: mutating-webhook-configuration
+    webhooks:
+    - name: mpod-v1.kb.io
+      matchConditions:
+        - name: vpc-attachment-annotation-exists
+          expression: >
+            object != null &&
+            has(object.metadata) &&
+            has(object.metadata.annotations) &&
+            "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations
+
+- patch: |-
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingWebhookConfiguration
+    metadata:
+      name: validating-webhook-configuration
+    webhooks:
+    - name: vpod-v1.kb.io
+      matchConditions:
+        - name: vpc-attachment-annotation-exists
+          expression: >
+            object != null &&
+            has(object.metadata) &&
+            has(object.metadata.annotations) &&
+            "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations

dist/install.yaml

@@ -754,6 +754,10 @@ webhooks:
       namespace: galactic-operator-system
       path: /mutate--v1-pod
   failurePolicy: Fail
+  matchConditions:
+  - expression: object != null && has(object.metadata) && has(object.metadata.annotations)
+      && "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations
+    name: vpc-attachment-annotation-exists
   name: mpod-v1.kb.io
   rules:
   - apiGroups:
@@ -782,6 +786,10 @@ webhooks:
       namespace: galactic-operator-system
       path: /validate--v1-pod
   failurePolicy: Fail
+  matchConditions:
+  - expression: object != null && has(object.metadata) && has(object.metadata.annotations)
+      && "k8s.v1alpha.galactic.datumapis.com/vpc-attachment" in object.metadata.annotations
+    name: vpc-attachment-annotation-exists
   name: vpod-v1.kb.io
   rules:
   - apiGroups:

internal/webhook/v1/pod_webhook.go

@@ -35,7 +35,7 @@ func SetupPodWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-// +kubebuilder:webhook:path=/mutate--v1-pod,mutating=true,failurePolicy=ignore,sideEffects=None,groups="",resources=pods,verbs=create;update,versions=v1,name=mpod-v1.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/mutate--v1-pod,mutating=true,failurePolicy=fail,sideEffects=None,groups="",resources=pods,verbs=create;update,versions=v1,name=mpod-v1.kb.io,admissionReviewVersions=v1
 
 type PodCustomDefaulter struct {
 	client.Client
@@ -62,7 +62,7 @@ func (d *PodCustomDefaulter) Default(ctx context.Context, obj runtime.Object) er
 	return nil
 }
 
-// +kubebuilder:webhook:path=/validate--v1-pod,mutating=false,failurePolicy=ignore,sideEffects=None,groups="",resources=pods,verbs=create;update,versions=v1,name=vpod-v1.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/validate--v1-pod,mutating=false,failurePolicy=fail,sideEffects=None,groups="",resources=pods,verbs=create;update,versions=v1,name=vpod-v1.kb.io,admissionReviewVersions=v1
 
 type PodCustomValidator struct {
 	client.Client