OpenShift Request For Enhancement: RFE-5814

RHACS: Allow users to exclude namespaces from admission controller webhook without manually modifying the ValidatingWebhookConfiguration


      Currently the admission controller applies to all namespaces, except for a handful that have been hardcoded as part of the ValidatingWebhookConfiguration.

      We have unofficially recommended users edit it in place and add a new namespace if they want it excluded. This is because we actually don't recommend running it on system namespaces like istio or kube-system.

      However, for customers using the operator, this VWC config gets reconciled by the operator if the customer modifies it, so the changes are never persisted.

      The recommendation is to allow customers to exclude namespaces without editing it.

      One suggestion is to use a unique label on the namespace instead, and the webhook can use the label to skip it. Something like `policyeval.stackrox.io/no-admission-control: false`.
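The following is an added example, not RHACS code and not part of the original request. It evaluates Kubernetes label-selector semantics against the proposed label to show which namespaces would still reach the admission controller. The two selector shapes and the namespaces `payments` and `legacy-batch` are assumptions constructed for illustration; only the label key comes from the request.

```python
# Added illustration: Kubernetes label-selector semantics applied to the
# opt-out label proposed in this RFE. Not RHACS code.

OPT_OUT_KEY = "policyeval.stackrox.io/no-admission-control"  # key from the RFE

def expr_matches(labels, expr):
    """Evaluate one matchExpressions entry with Kubernetes selector semantics."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator: {op}")

def webhook_applies(labels, selector):
    """True when the namespace matches namespaceSelector, i.e. is still reviewed."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(expr_matches(labels, e) for e in selector.get("matchExpressions", []))

# Two hypothetical ways to wire the label into a webhook namespaceSelector.
BY_PRESENCE = {"matchExpressions": [{"key": OPT_OUT_KEY, "operator": "DoesNotExist"}]}
BY_VALUE = {"matchExpressions": [
    {"key": OPT_OUT_KEY, "operator": "NotIn", "values": ["true"]}]}

# Constructed namespaces (name -> labels).
NAMESPACES = {
    "payments": {},                              # unlabelled workload namespace
    "kube-system": {OPT_OUT_KEY: "true"},        # explicitly opted out
    "legacy-batch": {OPT_OUT_KEY: "false"},      # label present, value "false"
}

def reviewed(selector):
    """Names of namespaces whose workloads still reach the admission controller."""
    return sorted(n for n, lbls in NAMESPACES.items() if webhook_applies(lbls, selector))

if __name__ == "__main__":
    print("presence-based:", reviewed(BY_PRESENCE))
    print("value-based:   ", reviewed(BY_VALUE))
```

With a presence-based selector, a namespace carrying the label with the value `false` is skipped just like one labelled `true`, so the value semantics need to be fixed before the label is adopted. Under either shape, permission to label a namespace becomes permission to remove it from admission control and should be restricted and audited accordingly.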

            bmichael@redhat.com Boaz Michaely
            rh_nchander Nakul C (Inactive)
            Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve