2.3. Managing admission webhooks in Operator Lifecycle Manager
Validating and mutating admission webhooks allow Operator authors to intercept, modify, and accept or reject resources before they are saved to the object store and handled by the Operator controller. Operator Lifecycle Manager (OLM) can manage the lifecycle of these webhooks when they are shipped alongside your Operator.
2.3.1. Defining webhooks in a CSV
The ClusterServiceVersion (CSV) resource includes a webhookdefinitions section to define validating and mutating admission webhooks that ship with an Operator. For example:
CSV containing a validating admission webhook
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
annotations:
description: |-
An example CSV that contains a webhook
name: example-webhook.v1.0.0
namespace: placeholder
spec:
webhookdefinitions:
- generateName: example.webhook.com
type: ValidatingAdmissionWebhook
deploymentName: "example-webhook-deployment"
containerPort: 443
sideEffects: "None"
failurePolicy: "Ignore"
admissionReviewVersions:
- "v1"
- "v1beta1"
rules:
- operations:
- "CREATE"
apiGroups:
- ""
apiVersions:
- "v1"
resources:
- "configmaps"
objectSelector:
foo: bar
webhookPath: "/validate"
...
Operator Lifecycle Manager (OLM) requires that you define the following:
-
The
typefield must be set to eitherValidatingAdmissionWebhookorMutatingAdmissionWebhook, or the CSV will be placed in a failed phase. -
The CSV must contain a Deployment whose name is equivalent to the value supplied in the
deploymentNamefield of thewebhookdefinition.
When the webhook is created, OLM ensures that the webhook only acts upon namespaces that match the Operator group that the Operator is deployed in.
2.3.2. Webhook considerations
When developing an admission webhook to be managed by Operator Lifecycle Manager (OLM), consider the following constraints:
Certificate authority constraints
OLM is configured to provide each deployment with a single certificate authority (CA). The logic that generates and mounts the CA into the deployment was originally used by the API service lifecycle logic. As a result:
-
The TLS certificate file is mounted to the deployment at
/apiserver.local.config/certificates/apiserver.crt. -
The TLS key file is mounted to the deployment at
/apiserver.local.config/certificates/apiserver.key.
Admission webhook rules constraints
To prevent an Operator from configuring the cluster into an unrecoverable state, OLM places the CSV in the failed phase if the rules defined in an admission webhook intercept any of the following requests:
- Requests that target all groups
-
Requests that target the
operators.coreos.comgroup -
Requests that target the
ValidatingWebhookConfigurationsorMutatingWebhookConfigurationsresources
