[Feature] remove the admission enforcer, or allow to be disabled at cluster level #4002
Assignees
Labels
Comments
|
@gambtho @robbiezhang I could not reply to you in #1771 (comment), so I am raising this issue here. |
Closed
2 tasks
|
The ongoing cycle of webhook modifications are impacting the stability of the AKS Kubernetes API. So this AKS feature contradicts the intended purpose of "protecting system stability" and is having the opposite effect. |
Closed
2 tasks
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem?
Currently, AKS is the only major Kubernetes distribution that mutates
ValidatingWebhookConfigurationandMutatingWebhookConfigurationunexpectedly to add additional namespaceNotInlabel selectors forcontrol-plane=trueandkubernetes.azure.com/managedby=aks.This behavior is causing countless issues for downstream apps:
admissions.enforcer/disabledand you will find hundreds)Effectively, every major Kubernetes application has to work around this strange behavior so that customers of AKS can use the app, which is putting a large burden on the open-source community, and driving users away from Azure.
Describe the solution you'd like
My preference is that AKS removes the admission enforcer entirely, or at least disables it by default (with a strong warning that using it will likely break software designed for normal Kubernetes distributions).
If that is not possible, I would at the very least appreciate a new config to disable it at the cluster level, so I can recommend users of complex apps with many webhooks (like Kubeflow / deployKF), disable it to avoid all these problems.
Describe alternatives you've considered
Annotating every webhook with
admissions.enforcer/disabled: "true", possibly by using another webhook.The text was updated successfully, but these errors were encountered: