diff --git a/webhook/configmaps/configmaps.go b/webhook/configmaps/configmaps.go
index 5a4c4d8888..5cd1a5a46a 100644
--- a/webhook/configmaps/configmaps.go
+++ b/webhook/configmaps/configmaps.go
@@ -58,7 +58,8 @@ type reconciler struct {
 vwhlister admissionlisters.ValidatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
- secretName string
+ secretName string
+ disableNamespaceOwnership bool
 }
 var _ controller.Reconciler = (*reconciler)(nil)
@@ -136,13 +137,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 webhook := configuredWebhook.DeepCopy()
- // Set the owner to namespace.
- ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
- if err != nil {
- return fmt.Errorf("failed to fetch namespace: %w", err)
+ if !ac.disableNamespaceOwnership {
+ // Set the owner to namespace.
+ ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("failed to fetch namespace: %w", err)
+ }
+ nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
- nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
- webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 for i, wh := range webhook.Webhooks {
 if wh.Name != webhook.Name {
diff --git a/webhook/configmaps/controller.go b/webhook/configmaps/controller.go
index c2d71eb039..e9512f2323 100644
--- a/webhook/configmaps/controller.go
+++ b/webhook/configmaps/controller.go
@@ -61,8 +61,9 @@ func NewAdmissionController(
 key: key,
 path: path,
- constructors: make(map[string]reflect.Value),
- secretName: options.SecretName,
+ constructors: make(map[string]reflect.Value),
+ secretName: options.SecretName,
+ disableNamespaceOwnership: options.DisableNamespaceOwnership,
 client: client,
 vwhlister: vwhInformer.Lister(),
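Review bot: When `disableNamespaceOwnership` is set, the new branch in reconcileValidatingWebhook skips the namespace fetch but never touches `webhook.OwnerReferences`, and because `webhook` is a DeepCopy of the object read from the lister, a controller reference written by an earlier reconcile (before the option was enabled) survives indefinitely — the configuration is still garbage-collected with the system namespace even though ownership was supposedly disabled. If the option is meant to hand the object to an external manager, the branch should either remove the stale reference to the system namespace (leaving any references the external manager set) or carry a comment stating that pre-existing owner references are deliberately left alone; note also that the namespace Get and its error path are now skipped entirely in that mode, which the lister-based flow never reported before. The same pattern, with the same gap, appears in reconcileMutatingWebhook in webhook/resourcesemantics/defaulting/defaulting.go and reconcileValidatingWebhook in webhook/resourcesemantics/validation/reconcile_config.go. reconcileValidatingWebhook starts before this hunk and continues after it.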
diff --git a/webhook/resourcesemantics/defaulting/controller.go b/webhook/resourcesemantics/defaulting/controller.go
index ba50005d79..58694f4371 100644
--- a/webhook/resourcesemantics/defaulting/controller.go
+++ b/webhook/resourcesemantics/defaulting/controller.go
@@ -101,9 +101,10 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 handlers: opts.types,
 callbacks: opts.callbacks,
- withContext: opts.wc,
- disallowUnknownFields: opts.disallowUnknownFields,
- secretName: wopts.SecretName,
+ withContext: opts.wc,
+ disallowUnknownFields: opts.disallowUnknownFields,
+ secretName: wopts.SecretName,
+ disableNamespaceOwnership: wopts.DisableNamespaceOwnership,
 client: client,
 mwhlister: mwhInformer.Lister(),
diff --git a/webhook/resourcesemantics/defaulting/defaulting.go b/webhook/resourcesemantics/defaulting/defaulting.go
index 90f9ec8c96..cfa7af29aa 100644
--- a/webhook/resourcesemantics/defaulting/defaulting.go
+++ b/webhook/resourcesemantics/defaulting/defaulting.go
@@ -69,8 +69,9 @@ type reconciler struct {
 mwhlister admissionlisters.MutatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
- disallowUnknownFields bool
- secretName string
+ disallowUnknownFields bool
+ secretName string
+ disableNamespaceOwnership bool
 }
 // CallbackFunc is the function to be invoked.
@@ -216,12 +217,14 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 current := configuredWebhook.DeepCopy()
- ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
- if err != nil {
- return fmt.Errorf("failed to fetch namespace: %w", err)
+ if !ac.disableNamespaceOwnership {
+ ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("failed to fetch namespace: %w", err)
+ }
+ nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ current.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
- nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
- current.OwnerReferences = []metav1.OwnerReference{nsRef}
 for i, wh := range current.Webhooks {
 if wh.Name != current.Name {
diff --git a/webhook/resourcesemantics/validation/controller.go b/webhook/resourcesemantics/validation/controller.go
index eee6105b45..a0ee1c003e 100644
--- a/webhook/resourcesemantics/validation/controller.go
+++ b/webhook/resourcesemantics/validation/controller.go
@@ -87,9 +87,10 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 handlers: opts.types,
 callbacks: opts.callbacks,
- withContext: opts.wc,
- disallowUnknownFields: opts.DisallowUnknownFields(),
- secretName: woptions.SecretName,
+ withContext: opts.wc,
+ disallowUnknownFields: opts.DisallowUnknownFields(),
+ secretName: woptions.SecretName,
+ disableNamespaceOwnership: woptions.DisableNamespaceOwnership,
 client: client,
 vwhlister: vwhInformer.Lister(),
diff --git a/webhook/resourcesemantics/validation/reconcile_config.go b/webhook/resourcesemantics/validation/reconcile_config.go
index dfc3619910..21b2e79ff2 100644
--- a/webhook/resourcesemantics/validation/reconcile_config.go
+++ b/webhook/resourcesemantics/validation/reconcile_config.go
@@ -60,8 +60,9 @@ type reconciler struct {
 vwhlister admissionlisters.ValidatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
- disallowUnknownFields bool
- secretName string
+ disallowUnknownFields bool
+ secretName string
+ disableNamespaceOwnership bool
 }
 var _ controller.Reconciler = (*reconciler)(nil)
@@ -191,13 +192,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 current := configuredWebhook.DeepCopy()
- // Set the owner to namespace.
- ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
- if err != nil {
- return fmt.Errorf("failed to fetch namespace: %w", err)
+ if !ac.disableNamespaceOwnership {
+ // Set the owner to namespace.
+ ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("failed to fetch namespace: %w", err)
+ }
+ nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+ current.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
- nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
- current.OwnerReferences = []metav1.OwnerReference{nsRef}
 for i, wh := range current.Webhooks {
 if wh.Name != current.Name {
diff --git a/webhook/webhook.go b/webhook/webhook.go
index eff693e80d..190c609452 100644
--- a/webhook/webhook.go
+++ b/webhook/webhook.go
@@ -78,6 +78,10 @@ type Options struct {
 // before shutting down.
 GracePeriod time.Duration
+ // DisableNamespaceOwnership configures whether the webhook adds an owner reference for the SYSTEM_NAMESPACE
+ // Disabling this is useful when you expect the webhook configuration to be managed by something other than knative
+ DisableNamespaceOwnership bool
+
 // ControllerOptions encapsulates options for creating a new controller,
 // including throttling and stats behavior.
 ControllerOptions *controller.ControllerOptions
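Review bot: The new doc comment on `DisableNamespaceOwnership` in webhook/webhook.go says when to use the option but not what it costs: without the controller reference the webhook configuration is no longer garbage-collected when the system namespace is deleted, so whoever manages it must also remove it, and a configuration left pointing at a service that no longer exists can keep rejecting API requests, depending on its failure policy. Suggest ending both sentences with periods, writing Knative with a capital, and adding a line such as `// The configuration is then not garbage-collected with the namespace; its external manager is responsible for removing it.` The Options struct starts before this hunk and continues after it.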