kedacore · JorTurFer · Jan 9, 2023 · Dec 30, 2022 · Dec 31, 2022 · Jan 3, 2023
@@ -12,10 +12,11 @@ weight = 1
 
 ## How KEDA works
 
-KEDA performs two key roles within Kubernetes:
+KEDA performs three key roles within Kubernetes:
 
 1. **Agent** — KEDA activates and deactivates Kubernetes [Deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment) to scale to and from zero on no events. This is one of the primary roles of the `keda-operator` container that runs when you install KEDA.
-1. **Metrics** — KEDA acts as a [Kubernetes metrics server](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics) that exposes rich event data like queue length or stream lag to the Horizontal Pod Autoscaler to drive scale out.  It is up to the Deployment to consume the events directly from the source.  This preserves rich event integration and enables gestures like completing or abandoning queue messages to work out of the box.  The metric serving is the primary role of the `keda-operator-metrics-apiserver` container that runs when you install KEDA.
+2. **Metrics** — KEDA acts as a [Kubernetes metrics server](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics) that exposes rich event data like queue length or stream lag to the Horizontal Pod Autoscaler to drive scale out.  It is up to the Deployment to consume the events directly from the source.  This preserves rich event integration and enables gestures like completing or abandoning queue messages to work out of the box.  The metric serving is the primary role of the `keda-operator-metrics-apiserver` container that runs when you install KEDA.
+3. **Admission Webhooks** - Automatically validate resource changes to prevent misconfiguration and enforce best practices by using an [admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). As an example, it will prevent multiple ScaledObjects to target the same scale target.
 
 ## Architecture
 

@@ -0,0 +1,22 @@
++++
+title = "Admission Webhook"
+description = "Automatically validate resource changes to prevent misconfiguration and enforce best practices"
+weight = 100
++++
+
+## Admission Webhooks
+
+> 💡 The Admission Webhooks are an opt-in feature and will become an opt-out feature as of KEDA v2.12.
+
+Admission webhooks require a valid certificate to expose the server for the api-server. To achieve this KEDA generates its own certificates and stores them in a secret.
+
+While this is a good starting point, some end-users may want to use their own certificates which are generated from their own CA in order to improve security. This can be achieved by disabling the certificate rotation via setting the console argument `enable-cert-rotation=false` (or removing it) and mounting the `tls.crt` and `tls.key` files to `/certs`. The path is also configurable using the console argument `webhooks-cert-dir=PATH-FOR-CERTS`.
+
+By default, the admission webhooks are registered with `failurePolicy: Ignore`, this won't block the resources creation/update when the admission controller is not available. To ensure that the validation is always required and perform validation, setting `failurePolicy` to `Fail` is required.
+
+### Prevention Rules
+
+KEDA will block all incoming changes to `ScaledObject` that don't match these rules:
+
+- The scaled workload (`scaledobject.spec.scaleTargetRef`) is already autoscaled by another other sources (other ScaledObject or HPA).
+- CPU and/or Memory trigger are used and the scaled workload doesn't have the requests defined. **This rule doesn't apply to all the workload types, only to `Deployment` and `StatefulSet`.**
@@ -81,16 +81,22 @@ Locate installed KEDA Operator in `keda` namespace, then remove created `KedaCon
 
 If you want to try KEDA on [Minikube](https://minikube.sigs.k8s.io) or a different Kubernetes deployment without using Helm you can still deploy it with `kubectl`.
 
-- We provide sample YAML declaration which includes our CRDs and all other resources in a file which is available on the [GitHub releases](https://github.com/kedacore/keda/releases) page.
+- We provide sample YAML declaration which includes our CRDs and all other resources in a file which is available on the [GitHub releases](https://github.com/kedacore/keda/releases) page. There are 2 files available, with and without the admission webhooks (keda-2.xx.x.yaml and keda-2.xx.x-core.yaml respectively), you can chose the installation mode just using the correct file.
 Run the following command (if needed, replace the version, in this case `2.10.0`, with the one you are using):
 
 ```sh
+// Including admission webhooks
 kubectl apply -f https://github.com/kedacore/keda/releases/download/v2.10.0/keda-2.10.0.yaml
+// Without admission webhooks
+kubectl apply -f https://github.com/kedacore/keda/releases/download/v2.10.0/keda-2.10.0-core.yaml
 ```
 
 - Alternatively you can download the file and deploy it from the local path:
 ```sh
-kubectl apply -f keda-2..0.yaml
+// Including admission webhooks
+kubectl apply -f keda-2.10.0.yaml
+// Without admission webhooks
+kubectl apply -f keda-2.10.0-core.yaml
 ```
 
 - You can also find the same YAML declarations in our `/config` directory on our [GitHub repo](https://github.com/kedacore/keda) if you prefer to clone it.
@@ -106,13 +112,19 @@ VERSION=2.10.0 make deploy
 - In case of installing from released YAML file just run the following command (if needed, replace the version, in this case `2.10.0`, with the one you are using):
 
 ```sh
+// Including admission webhooks
 kubectl delete -f https://github.com/kedacore/keda/releases/download/v2.10.0/keda-2.10.0.yaml
+// Without admission webhooks
+kubectl delete -f https://github.com/kedacore/keda/releases/download/v2.10.0/keda-2.10.0-core.yaml
 ```
 
 - If you have downloaded the file locally, you can run:
 
 ```sh
+// Including admission webhooks
 kubectl delete -f keda-2.10.0.yaml
+// Without admission webhooks
+kubectl delete -f keda-2.10.0-core.yaml
 ```
 
 - You would need to run these commands from within the directory of the cloned [GitHub repo](https://github.com/kedacore/keda):

@@ -9,4 +9,4 @@ We provide guidance & requirements around various areas to operate KEDA:
 - Cluster ([link](./cluster))
 - Integrate with Prometheus ([link](./prometheus))
 - Kubernetes Events ([link](./events))
-- KEDA Metrics Server ([link](./metrics-server))
+- KEDA Metrics Server ([link](./metrics-server))
@@ -18,6 +18,13 @@ The KEDA Operator exposes Prometheus metrics which can be scraped on port `8080`
 - `keda_trigger_totals` - Total number of triggers per trigger type.
 - Metrics exposed by the `Operator SDK` framework as explained [here](https://sdk.operatorframework.io/docs/building-operators/golang/advanced-topics/#metrics).
 
+### Admission Webhooks
+
+The KEDA Webhooks expose Prometheus metrics which can be scraped on port `8080` at `/metrics`. The following metrics are being gathered:
+
+- `scaled_object_validation_total`- The current value for scaled object validations.
+- `scaled_object_validation_errors` - The number of validation errors.
+
 ### Metrics Server
 
 > 💡 **DEPRECATED:** Prometheus Metrics exposed from Metrics Server are deprecated, please consume metrics from KEDA Operator.