• Feature Request
    • Resolution: Unresolved
    • OLM

      1. Proposed title of this feature request
        1. Allow OLM to deploy webhooks that apply to * if they fail open
      2. What is the nature and description of the request?
        1. OLM currently disallows operators with webhooks that apply to "*". Based on a Slack discussion, a potential way forward would be to allow this if the webhook "fails open". That way if the webhook is down, it doesn't prevent cluster functionality such as OLM operations.
      3. Why does the customer need this? (List the business requirements here)
        1. The Advanced Cluster Management for Kubernetes (ACM) product ships a Gatekeeper operator today that doesn't follow best practices. It is an operator that wraps the Gatekeeper operator for installation and configuration rather than letting OLM handle that. To be able to migrate to using best practices, we would need this addressed. Limiting the scope of the webhooks is not possible because we don't know at install time which resources the customer's Gatekeeper constraints (policies that validate Kubernetes API requests using Rego) will target.
        2. This would ideally be backported to OCP 4.11 to match the OCP versions supported by ACM 2.8.
      4. List any affected packages or components.
        1. OLM
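
The rule this request proposes can be sketched as a check over webhook definitions. This is an added example, not OLM's code: `WebhookDef` and `CheckWebhook` are hypothetical names, and the sample definitions are constructed.

```go
package main

import "fmt"

// WebhookDef is a hypothetical, simplified view of one webhook definition
// from an operator bundle. It is not OLM's own type.
type WebhookDef struct {
	Name          string
	FailurePolicy string   // "Ignore" = fail open, "Fail" = fail closed
	APIGroups     []string // apiGroups collected from the webhook's rules
}

// CheckWebhook implements the rule proposed in this request: a webhook that
// matches every API group ("*") is accepted only if it fails open.
func CheckWebhook(w WebhookDef) error {
	wildcard := false
	for _, g := range w.APIGroups {
		if g == "*" {
			wildcard = true
			break
		}
	}
	if !wildcard {
		return nil // scoped webhooks are not affected by this rule
	}
	policy := w.FailurePolicy
	if policy == "" {
		policy = "Fail" // admissionregistration.k8s.io/v1 default when unset
	}
	if policy != "Ignore" {
		return fmt.Errorf("webhook %q matches \"*\" with failurePolicy %s", w.Name, policy)
	}
	return nil
}

func main() {
	// Constructed sample definitions, not taken from any real bundle.
	defs := []WebhookDef{
		{"validation.example.test", "Ignore", []string{"*"}},
		{"strict.example.test", "Fail", []string{"*"}},
		{"unset.example.test", "", []string{"*"}},
		{"scoped.example.test", "Fail", []string{"apps"}},
	}
	for _, d := range defs {
		fmt.Printf("%-26s %v\n", d.Name, CheckWebhook(d))
	}
}
```

With `failurePolicy: Ignore`, the API server admits requests unvalidated while the webhook is unreachable, so Gatekeeper constraints are not enforced during such an outage.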

              DanielMesser Daniel Messer
              mprahl Matthew Prahl