Skip webhook on kube-system by default for tap-injector/jaeger-inject…

…or (#11649) Linkerd's control plane will skip webhook requests for resources in kube-system. The same configuration should be applied for other webhooks, i.e. tap and jaeger injectors. This change allows users to skip webhook on kube-system by default for tap and jaeger injector. Closes #11647 Signed-off-by: Takumi Sue <u630868b@alumni.osaka-u.ac.jp>
linkerd · Nov 30, 2023 · 1da8fcc · 1da8fcc
1 parent 2200a31
commit 1da8fcc
Show file tree

Hide file tree

Showing 12 changed files with 82 additions and 18 deletions.
diff --git a/jaeger/charts/linkerd-jaeger/README.md b/jaeger/charts/linkerd-jaeger/README.md
@@ -134,7 +134,7 @@ Kubernetes: `>=1.21.0-0`
 | webhook.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
 | webhook.keyPEM | string | `""` | Certificate key for the webhook. If not provided and not using an external secret then Helm will generate one. |
 | webhook.logLevel | string | `"info"` |  |
-| webhook.namespaceSelector | string | `nil` |  |
+| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}` | Namespace selector used by admission webhook. |
 | webhook.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
 | webhook.objectSelector | string | `nil` |  |
 | webhook.replicas | int | `1` | Number of replicas of the jaeger-injector component |

diff --git a/jaeger/charts/linkerd-jaeger/values.yaml b/jaeger/charts/linkerd-jaeger/values.yaml
@@ -284,11 +284,13 @@ webhook:
     pullPolicy: ""
   logLevel: info
 
+  # -- Namespace selector used by admission webhook.
   namespaceSelector:
-    #matchExpressions:
-    #- key: runlevel
-    #  operator: NotIn
-    #  values: ["0","1"]
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kube-system
   objectSelector:
     #matchLabels:
     #  foo: bar

diff --git a/jaeger/cmd/testdata/install_collector_disabled.golden b/jaeger/cmd/testdata/install_collector_disabled.golden
diff --git a/jaeger/cmd/testdata/install_default.golden b/jaeger/cmd/testdata/install_default.golden
diff --git a/jaeger/cmd/testdata/install_jaeger_disabled.golden b/jaeger/cmd/testdata/install_jaeger_disabled.golden
diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md
@@ -198,7 +198,7 @@ Kubernetes: `>=1.21.0-0`
 | tapInjector.keyPEM | string | `""` | Certificate key for the tapInjector. If not provided and not using an external secret then Helm will generate one. |
 | tapInjector.logFormat | string | defaultLogFormat | log format of the tapInjector component |
 | tapInjector.logLevel | string | defaultLogLevel | log level of the tapInjector |
-| tapInjector.namespaceSelector | string | `nil` |  |
+| tapInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}` | Namespace selector used by admission webhook. |
 | tapInjector.objectSelector | string | `nil` |  |
 | tapInjector.proxy | string | `nil` |  |
 | tapInjector.replicas | int | `1` | Number of replicas of tapInjector |

diff --git a/viz/charts/linkerd-viz/values.yaml b/viz/charts/linkerd-viz/values.yaml
@@ -246,11 +246,13 @@ tapInjector:
     # @default -- defaultImagePullPolicy
     pullPolicy: ""
 
+  # -- Namespace selector used by admission webhook.
   namespaceSelector:
-    # matchExpressions:
-    # - key: runlevel
-    #   operator: NotIn
-    #   values: ["0","1"]
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kube-system
   objectSelector:
     # matchLabels:
     #   foo: bar

diff --git a/viz/cmd/testdata/install_default.golden b/viz/cmd/testdata/install_default.golden
diff --git a/viz/cmd/testdata/install_default_overrides.golden b/viz/cmd/testdata/install_default_overrides.golden
diff --git a/viz/cmd/testdata/install_prometheus_disabled.golden b/viz/cmd/testdata/install_prometheus_disabled.golden
diff --git a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden
diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden