diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index e8e8969489..87a2d4ba57 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -68,6 +68,7 @@ The following table lists the configurable parameters of the kyverno chart and t
 | `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
 | `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
 | `config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` |
+| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namesapceSelector` can be configured with Kyverno v1.4.0 | `nil` |
 | customLabels | object | `{}` | Additional labels |
 | `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
 | envVars | Extra environment variables to pass to kyverno | {} |
diff --git a/charts/kyverno/templates/configmap.yaml b/charts/kyverno/templates/configmap.yaml
index b71ee31ccd..a99c877491 100644
--- a/charts/kyverno/templates/configmap.yaml
+++ b/charts/kyverno/templates/configmap.yaml
@@ -17,4 +17,7 @@ data:
 {{- if .Values.config.excludeUsername }}
 excludeUsername: {{ join "" .Values.config.excludeUsername | quote }}
 {{- end -}}
+ {{- if .Values.config.webhooks }}
+ webhooks: {{ .Values.config.webhooks | toJson | quote }}
+ {{- end -}}
 {{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 8cae6ef37b..0c02cdd447 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -141,6 +141,12 @@ config:
 # - ""
 excludeUsername:
 # - ""
+ # Webhookconfigurations, this block defines the namespaceSelector in the webhookconfigurations.
+ # Note that it takes a list of namespaceSelector in the JSON format, and only the first element
+ # will be forwarded to the webhookconfigurations.
+ webhooks:
+ # webhooks: [{"namespaceSelector":{"matchExpressions":[{"key":"environment","operator":"In","values":["prod"]}]}}]
+ # existingConfig: init-config service:
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 7118c44694..593a2925ce 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -179,12 +179,14 @@ func (wrc *Register) UpdateWebhookConfigurations(configHandler config.Interface)
 if err := wrc.updateResourceMutatingWebhookConfiguration(nsSelector); err != nil {
 logger.Error(err, "unable to update mutatingWebhookConfigurations", "name", wrc.getResourceMutatingWebhookConfigName())
+ go func() { wrc.UpdateWebhookChan <- true }()
 } else {
 logger.Info("successfully updated mutatingWebhookConfigurations", "name", wrc.getResourceMutatingWebhookConfigName())
 }
 if err := wrc.updateResourceValidatingWebhookConfiguration(nsSelector); err != nil {
 logger.Error(err, "unable to update validatingWebhookConfigurations", "name", wrc.getResourceValidatingWebhookConfigName())
+ go func() { wrc.UpdateWebhookChan <- true }()
 } else {
 logger.Info("successfully updated validatingWebhookConfigurations", "name", wrc.getResourceValidatingWebhookConfigName())
 }
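Review bot: The new `webhooks: {{ .Values.config.webhooks | toJson | quote }}` line forwards the whole list verbatim, while the README row and the values.yaml comment added in this same commit say only the first element's namespaceSelector is honored; the template itself gives no hint of that, so an operator who adds a second element, or an objectSelector or rules key, gets a configmap that looks accepted but (if the README is accurate) is silently partially ignored. A template comment that does not render into the configmap would close that gap, e.g. `{{- /* only webhooks[0].namespaceSelector is applied to the Kyverno webhook configurations; see values.yaml */ -}}` placed before the `if`. The same caveat applies to the values.yaml hunk, whose comment could also state that the configmap is authoritative for the webhook scope and that a wrong selector narrows admission enforcement rather than failing loudly. The enclosing `data:` block starts outside the hunk.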
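Review bot: The `go func() { wrc.UpdateWebhookChan <- true }()` added in both error branches is an unbounded goroutine: if nothing is currently receiving on UpdateWebhookChan (or the channel is unbuffered and its consumer has exited), each goroutine blocks for the life of the process, and when both the mutating and validating updates fail two retry signals are queued for what is presumably one re-run. A non-blocking send avoids both problems, `select { case wrc.UpdateWebhookChan <- true: default: }`, or record a local `retry := true` in each branch and send once after the second update. Because these updates install the namespaceSelector on the admission webhooks, an update that keeps failing leaves the enforcement scope stale; the retry consumer should count or back off rather than re-signal indefinitely, though that consumer is not in the hunk so this is inferred. UpdateWebhookConfigurations begins and ends outside the hunk.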