Excluding custom resources via rules in Validating & Mutating webhook configuration is getting overridden with default config
We have tried adding rules to apply the validating & mutating webhook of policy.sigstore.dev with the namespaceSelector policy.sigstore.dev/include label, and the rules were empty by default.
We tried to add the rules to go via the admission controller only for well-known k8s objects such as deployments, statefulsets, daemonsets, cronjobs, jobs and pods, but not for custom resources. But when we add these objects explicitly in the rules, they are getting overridden with the default ones. Is there a way to exclude a few resources, since the objectSelector is not sufficient for our use cases?
```yaml
  - key: policy.sigstore.dev/include
    operator: In
    values:
    - "true"
objectSelector: {}
rules:
- apiGroups:
  - ""
  apiVersions:
  - v1
  operations:
  - CREATE
  - UPDATE
  - DELETE
  resources:
  - pods
  - pods/status
  scope: ''
- apiGroups:
  - apps
  apiVersions:
  - v1
  operations:
  - CREATE
  - UPDATE
  - DELETE
  resources:
  - deployments
  - deployments/status
  scope: ''
.....
```
The main use case is that we want to start with image sign verification only for the well-known objects mentioned above, not for the custom resources. The problem with the object selector is that when we use a matchExpressions NOT IN condition, then also it is taken into effect for custom resources, but it is considered for the deployments or pods.
Could you please let us know if there is a way to exclude all the custom resources in some way? Let us know if you need any further info.
We could see in ./policy-controller/pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go:48 that it is mentioned how to exclude them.
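To check offline which admission requests a `rules` list like the one in this issue would route to the webhook, the following added example (not code from the issue or from policy-controller) evaluates requests against the two rules shown. It assumes the standard Kubernetes rule-matching behaviour for `apiGroups`, `apiVersions`, `operations` and `resources`, ignores `scope`, and uses a constructed `widgets` resource in `example.com` to stand in for any custom resource.

```python
# Added example: which admission requests would a webhook `rules` list select?
# Rules mirror the two entries shown in the issue; `scope` is not evaluated.
RULES = [
    {"apiGroups": [""], "apiVersions": ["v1"],
     "operations": ["CREATE", "UPDATE", "DELETE"],
     "resources": ["pods", "pods/status"]},
    {"apiGroups": ["apps"], "apiVersions": ["v1"],
     "operations": ["CREATE", "UPDATE", "DELETE"],
     "resources": ["deployments", "deployments/status"]},
]


def _in(patterns, value):
    """A list field matches on an exact entry or on the "*" wildcard."""
    return "*" in patterns or value in patterns


def _resource_matches(patterns, resource, subresource=""):
    """Match "res", "res/sub", "*/sub", "res/*" and "*/*" entries."""
    for pattern in patterns:
        res, _, sub = pattern.partition("/")
        if res in ("*", resource) and sub in ("*", subresource):
            return True
    return False


def selected(rules, group, version, resource, operation, subresource=""):
    """Return True if any rule would route this request to the webhook."""
    return any(
        _in(r["apiGroups"], group)
        and _in(r["apiVersions"], version)
        and _in(r["operations"], operation)
        and _resource_matches(r["resources"], resource, subresource)
        for r in rules
    )


def audit(rules, requests):
    """Map each (group, version, resource, operation) tuple to its verdict."""
    return {req: selected(rules, *req) for req in requests}


# Constructed requests; widgets in example.com stands in for a custom resource.
SAMPLE = [
    ("", "v1", "pods", "CREATE"),
    ("apps", "v1", "deployments", "UPDATE"),
    ("apps", "v1", "statefulsets", "CREATE"),
    ("example.com", "v1", "widgets", "CREATE"),
]
```

Running `audit` against the rules read back from the live webhook configuration, instead of `RULES`, shows whether the explicit rules are still in place or have been replaced by broader ones.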