- set failurepolicy of webhookconfiguraitons to ignore; - disable auto-gen on policy disabllow_default_namespace

pkg/webhookconfig/common.go

@@ -63,6 +63,7 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
 
 func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+	failurePolicy := admregapi.Ignore
 	return admregapi.Webhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
@@ -88,11 +89,13 @@ func generateDebugWebhook(name, url string, caData []byte, validate bool, timeou
 		},
 		AdmissionReviewVersions: []string{"v1beta1"},
 		TimeoutSeconds:          &timeoutSeconds,
+		FailurePolicy:           &failurePolicy,
 	}
 }
 
 func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+	failurePolicy := admregapi.Ignore
 	return admregapi.Webhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
@@ -122,5 +125,6 @@ func generateWebhook(name, servicePath string, caData []byte, validation bool, t
 		},
 		AdmissionReviewVersions: []string{"v1beta1"},
 		TimeoutSeconds:          &timeoutSeconds,
+		FailurePolicy:           &failurePolicy,
 	}
 }

samples/best_practices/disallow_default_namespace.yaml

@@ -3,6 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-default-namespace
   annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
     policies.kyverno.io/category: Workload Isolation
     policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
       that provide a way to segment and isolate cluster resources across multiple