Create webhook without rules by patch

Author: erikgb

config/webhook/kustomization.yaml

@@ -4,3 +4,6 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
+
+patchesStrategicMerge:
+- webhook_patch.yaml

config/webhook/manifests.yaml

@@ -71,28 +71,6 @@ webhooks:
     resources:
     - hierarchyconfigurations
   sideEffects: None
-- admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: webhook-service
-      namespace: system
-      path: /validate-objects
-  failurePolicy: Fail
-  name: objects.hnc.x-k8s.io
-  rules:
-  - apiGroups:
-    - rbac.authorization.k8s.io
-    apiVersions:
-    - '*'
-    operations:
-    - CREATE
-    - UPDATE
-    - DELETE
-    resources:
-    - roles
-    - rolebindings
-  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

config/webhook/webhook_patch.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+    - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-objects
+  failurePolicy: Fail
+  name: objects.hnc.x-k8s.io
+  # Intentionally no rules, as these are maintained by the HNCConfiguration reconciler
+  sideEffects: None
+  timeoutSeconds: 2
+  # We only apply this object validator on non-excluded namespaces, which have
+  # the "included-namespace" label set by the HC reconciler, so that when HNC
+  # (webhook service specifically) is down, operations in the excluded
+  # namespaces won't be affected. Validators on HNC CRs are not filtered because
+  # they are supposed to prevent abuse of HNC CRs in excluded namespaces.
+  # Namespace validator is not filtered to prevent abuse of the included-namespace
+  # label on excluded namespaces. Unfortunately, this means that when HNC is
+  # down, we will block updates on all namespaces, even "excluded" ones, but
+  # anyone who can update namespaces like `kube-system` should likely be able to
+  # delete the VWHConfiguration to make the updates.
+  namespaceSelector:
+    matchLabels:
+      hnc.x-k8s.io/included-namespace: "true"

internal/objects/validator.go

@@ -32,12 +32,6 @@ const (
 	ServingPath = "/validate-objects"
 )
 
-// Note: the validating webhook FAILS CLOSE. This means that if the webhook goes
-// down, all further changes are forbidden. The initial webhook configuration contains
-// just enforced types, and will be dynamically updated when reconciling the HNC configuration.
-//
-// +kubebuilder:webhook:admissionReviewVersions=v1,path=/validate-objects,mutating=false,failurePolicy=fail,groups="rbac.authorization.k8s.io",resources=roles;rolebindings,sideEffects=None,verbs=create;update;delete,versions="*",name=objects.hnc.x-k8s.io
-
 type Validator struct {
 	Log     logr.Logger
 	Forest  *forest.Forest