Merge pull request #9071 from zalando-incubator/disable-admission-protection

zaklawrencea · web-flow · commit 57cd310b0b0a · 2025-03-11T17:32:58.000+01:00
Disable resource protection via admission-controller in legacy clusters
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -695,10 +695,15 @@ teapot_admission_controller_configmap_deletion_protection_factories_enabled: "tr
 # enable the rolebinding admission-controller webhook which validates rolebindings and clusterrolebindings
 teapot_admission_controller_enable_rolebinding_webhook: "true"
 
-# enable the generic deny-all admission webhook which rejects all requests it receives
+{{ if eq .Cluster.Provider "zalando-eks" }}
+# enable the resource protection admission webhook which prevents users from accessing system resources
 teapot_admission_controller_enable_write_protection_webhook: "true"
-# configure the behaviour of the deny-all admission webhook, `true` blocks everything, `false` allows everything
+# configure the behaviour of the resource protection admission webhook, `true` blocks everything, `false` allows everything
 teapot_admission_controller_prevent_write_operations: "true"
+{{ else }}
+teapot_admission_controller_enable_write_protection_webhook: "false"
+teapot_admission_controller_prevent_write_operations: "false"
+{{ end }}
 
 # Enable and configure Pod Security Policy rules implemented in admission-controller.
 teapot_admission_controller_pod_security_policy_enabled: "true"
