feat(helm): limit webhooks only to namespaces with kuma.io/sidecar-injection label #13378
+654
−191
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Lukasz Dziedziak <[email protected]>
…jection label Signed-off-by: Lukasz Dziedziak <[email protected]>
Signed-off-by: Lukasz Dziedziak <[email protected]>
Signed-off-by: Lukasz Dziedziak <[email protected]>
Signed-off-by: Lukasz Dziedziak <[email protected]>
Reviewer Checklist🔍 Each of these sections need to be checked by the reviewer of the PR 🔍:
|
slonka
requested changes
Apr 16, 2025
| @@ -20,6 +20,28 @@ To simplify the namespace selector logic in webhooks, we now require the `kuma.i | |||
|
|
|||
| Since Kubernetes v1.22, the API server automatically adds the `kubernetes.io/metadata.name` label to all namespaces. As a result, we’ve replaced the use of the custom `kuma.io/system-namespace` label in the secret webhook selector with this standard label. | |||
|
|
|||
| ### Namespaces that are part of the Mesh requires `kuma.io/sidecar-injection` label to exist | |||
|
|
|||
| Since version 2.11.x, to improve performance and security, we require that each namespace participating in the Mesh has the `kuma.io/sidecar-injection` label set. | |||
There was a problem hiding this comment.
Suggested change
| Since version 2.11.x, to improve performance and security, we require that each namespace participating in the Mesh has the `kuma.io/sidecar-injection` label set. | |
| Since version 2.11.x, to improve performance and security, each namespace participating in the Mesh is required to have the `kuma.io/sidecar-injection` label set. |
|
|
||
| Since version 2.11.x, to improve performance and security, we require that each namespace participating in the Mesh has the `kuma.io/sidecar-injection` label set. | ||
|
|
||
| Before upgrading, check if you are running any deployments with the `kuma.io/sidecar-injection: true` or `enabled` label in namespaces that do not have the `kuma.io/sidecar-injection` label set. If so, add `kuma.io/sidecar-injection: false` or `disabled` to those namespaces. |
There was a problem hiding this comment.
nitpick: I think disabled to mean false is discouraged - isn't it? If so, I wouldn't recommend setting it.
Suggested change
| Before upgrading, check if you are running any deployments with the `kuma.io/sidecar-injection: true` or `enabled` label in namespaces that do not have the `kuma.io/sidecar-injection` label set. If so, add `kuma.io/sidecar-injection: false` or `disabled` to those namespaces. | |
| Before upgrading, check whether any deployments are using the `kuma.io/sidecar-injection: true` or `enabled` label in namespaces that do not have the `kuma.io/sidecar-injection` label set. If so, add `kuma.io/sidecar-injection: false` to those namespaces. |
|
|
||
| Before upgrading, check if you are running any deployments with the `kuma.io/sidecar-injection: true` or `enabled` label in namespaces that do not have the `kuma.io/sidecar-injection` label set. If so, add `kuma.io/sidecar-injection: false` or `disabled` to those namespaces. | ||
|
|
||
| You can use this script |
There was a problem hiding this comment.
Suggested change
| You can use this script | |
| You can use this script to detect such namespaces: |
| You can later patch namespaces with the following command: | ||
|
|
||
| ```bash | ||
| kubectl label namespace NAMESPACE_NAME kuma.io/sidecar-injection=disabled |
There was a problem hiding this comment.
I think it's a bad merge or something but this point shouldn't be in the middle of another point.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Webhooks currently use a very broad namespace selector that only excludes the
kube-systemnamespace. To improve both security and performance, we’ve decided to restrict webhooks to only watch namespaces that have thekuma.io/sidecar-injectionlabel.Implementation information
kuma.io/sidecar-injection, orkuma-system(for mesh defaulter/owner reference cases).kuma.io/sidecar-injectionlabelNeeds: #13377
Supporting documentation
Fix #13372