allow to turn on/off the rolebinding admitter via configitem

Author: Martin Linkhorst

cluster/config-defaults.yaml

@@ -674,6 +674,9 @@ teapot_admission_controller_configmap_deletion_protection_enabled: "true"
 teapot_admission_controller_configmap_deletion_protection_factories_enabled: "true"
 {{end}}
 
+# enable the rolebinding admission-controller webhook which validates rolebindings and clusterrolebindings
+teapot_admission_controller_enable_rolebinding_webhook: "true"
+
 # Enable and configure Pod Security Policy rules implemented in admission-controller.
 teapot_admission_controller_pod_security_policy_enabled: "true"
 

cluster/manifests/01-admission-control/teapot.yaml

@@ -252,6 +252,7 @@ webhooks:
         apiGroups: [""]
         apiVersions: ["v1"]
         resources: ["services"]
+{{- if eq .Cluster.ConfigItems.teapot_admission_controller_enable_rolebinding_webhook "true" }}
   - name: rolebinding-admitter.teapot.zalan.do
     clientConfig:
       url: "https://localhost:8085/rolebinding"
@@ -265,3 +266,4 @@ webhooks:
         apiGroups: ["rbac.authorization.k8s.io"]
         apiVersions: ["v1"]
         resources: ["rolebindings", "clusterrolebindings"]
+{{- end }}