  1. OpenShift Request For Enhancement
  2. RFE-3970

Allow OLM to deploy webhooks that apply to * if they fail open

Details

    • Feature Request
    • Resolution: Done
    • OLM

    Description

      1. Proposed title of this feature request
        1. Allow OLM to deploy webhooks that apply to * if they fail open
      2. What is the nature and description of the request?
        1. OLM currently disallows operators with webhooks that apply to "*". Based on a Slack discussion, a potential way forward would be to allow this if the webhook "fails open". That way, if the webhook is down, it doesn't prevent cluster functionality such as OLM operations.
      3. Why does the customer need this? (List the business requirements here)
        1. The Advanced Cluster Management for Kubernetes (ACM) product ships a Gatekeeper operator today that doesn't follow best practices. It is an operator that wraps the Gatekeeper operator for installation and configuration rather than letting OLM handle that. To be able to migrate to using best practices, we would need this addressed. Limiting the scope of the webhooks is not possible because we don't know at install time which resources the customer's Gatekeeper constraints (policies that validate Kubernetes API requests using Rego) will target.
        2. This would ideally be backported to OCP 4.11 to match the OCP versions supported by ACM 2.8.
      4. List any affected packages or components.
        1. OLM
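
The rule proposed in this request, sketched as an added example (not part of the original issue and not OLM's own code): a webhook definition whose rules target apiGroups "*" is accepted only when its failurePolicy is Ignore. Reading "applies to *" as a wildcard in apiGroups, treating an unset failurePolicy as the Kubernetes v1 default of Fail, and the sample webhook names are all assumptions.

```python
# Added illustration of the rule proposed in this request; not OLM source code.
WILDCARD = "*"

def wildcard_rules(webhook):
    """Rules of one webhook definition whose apiGroups include "*"."""
    return [r for r in webhook.get("rules", [])
            if WILDCARD in r.get("apiGroups", [])]

def fails_open(webhook):
    # Assumption: an unset failurePolicy means "Fail", the
    # admissionregistration.k8s.io/v1 default, so it does not fail open.
    return webhook.get("failurePolicy", "Fail") == "Ignore"

def check_webhooks(webhookdefinitions):
    """Return (name, reason) for each definition the proposed rule would reject."""
    rejected = []
    for wh in webhookdefinitions:
        if wildcard_rules(wh) and not fails_open(wh):
            policy = wh.get("failurePolicy", "unset (defaults to Fail)")
            rejected.append((wh.get("generateName", "<unnamed>"),
                             f'apiGroups "*" with failurePolicy {policy}'))
    return rejected

def _rule(groups):
    # Helper that builds one constructed admission rule for the sample below.
    return {"apiGroups": groups, "apiVersions": ["*"],
            "operations": ["CREATE", "UPDATE"], "resources": ["*"]}

# Constructed sample definitions (names are placeholders).
SAMPLE = [
    {"generateName": "open.example.test", "failurePolicy": "Ignore",
     "rules": [_rule(["*"])]},
    {"generateName": "strict.example.test", "failurePolicy": "Fail",
     "rules": [_rule(["*"])]},
    {"generateName": "unset.example.test", "rules": [_rule(["*"])]},
    {"generateName": "scoped.example.test", "failurePolicy": "Fail",
     "rules": [_rule(["apps"])]},
]

if __name__ == "__main__":
    for name, reason in check_webhooks(SAMPLE):
        print(f"REJECT {name}: {reason}")
```

A fail-open wildcard webhook does not block API requests while it is unavailable, which also means its policy checks are not enforced during that window.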

          People

            DanielMesser Daniel Messer
            mprahl Matthew Prahl