This is an automated email from the ASF dual-hosted git repository.
wangyang0918 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git
The following commit(s) were added to refs/heads/main by this push:
new e04a91d [FLINK-27615] Document how to define namespaceSelector for
k8s operator's webhook for different k8s versions
e04a91d is described below
commit e04a91d8cef121e4ad078674de935a80f21d4481
Author: Biao Geng <[email protected]>
AuthorDate: Tue May 24 20:52:08 2022 +0800
[FLINK-27615] Document how to define namespaceSelector for k8s operator's
webhook for different k8s versions
---
docs/content/docs/operations/helm.md | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/docs/content/docs/operations/helm.md
b/docs/content/docs/operations/helm.md
index ec630ef..df2fcd9 100644
--- a/docs/content/docs/operations/helm.md
+++ b/docs/content/docs/operations/helm.md
@@ -107,6 +107,28 @@ The webhook can be disabled during helm install by passing
the `--set webhook.cr
The operator supports watching a specific list of namespaces for
FlinkDeployment resources. You can enable it by setting the `--set
watchNamespaces={flink-test}` parameter.
When this is enabled role-based access control is only created specifically
for these namespaces for the operator and the jobmanagers, otherwise it
defaults to cluster scope.
+<span class="label label-info">Note</span> When working with webhook in a
specified namespace, users should pay attention to the definition of
`namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default
implementation of webhook relies on the `kubernetes.io/metadata.name` label to
filter the validation requests
+so that only validation requests from the specified namespace will be
processed. The `kubernetes.io/metadata.name` label is automatically attached
since k8s
[1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211).
+
+As a result, for users who run the flink kubernetes operator with older k8s
version, they may label the specified namespace by themselves before installing
the operator with helm:
+
+```
+kubectl label namespace <target namespace name>
kubernetes.io/metadata.name=<target namespace name>
+```
+
+Besides, users can define their own namespaceSelector to filter the requests
due to customized requirements.
+
+For example, if users label their namespace with key-value pair
{customized_namespace_key: <target namespace name> }
+the corresponding namespaceSelector that only accepts requests from this
namespace could be:
+```yaml
+namespaceSelector:
+ matchExpressions:
+ - key: customized_namespace_key
+ operator: In
+ values: [{{- range .Values.watchNamespaces }}{{ . | quote }},{{- end}}]
+```
+Check out this
[document](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
for more details.
+
## Working with Argo CD
If you are using [Argo CD](https://argoproj.github.io) to manage the operator,
you will encounter the issue which complains the CRDs too long. Same with [this
issue](https://github.com/prometheus-operator/prometheus-operator/issues/4439).
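Review bot: the new paragraph for older clusters says users "may label the specified namespace by themselves", but the sentence just before it makes that label the only thing the default `namespaceSelector.matchExpressions` filters on, so on clusters before 1.21.1 the `kubectl label namespace <target namespace name> kubernetes.io/metadata.name=<target namespace name>` step is required, not optional, and the text should say "need to label". The same paragraph should also spell out the consequence for cluster owners: before 1.21.1 `kubernetes.io/metadata.name` is an ordinary label that the cluster neither sets nor protects, so whether a namespace's FlinkDeployment validation requests reach the webhook at all depends on who is allowed to label namespaces; recommend restricting namespace-label permissions to administrators and verifying the label after install (for example `kubectl get namespace <target namespace name> --show-labels`). The same caveat applies to the `customized_namespace_key` example, since any user-chosen label key is equally unmanaged. Minor: "older k8s version" should read "older k8s versions", and "flink kubernetes operator" should match the capitalization used elsewhere in the docs.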