Chapter 12. Managing admission webhooks in Operator Lifecycle Manager
Validating and mutating admission webhooks allow Operator authors to intercept, modify, and accept or reject resources before they are saved to the object store and handled by the Operator controller. Operator Lifecycle Manager (OLM) can manage the lifecycle of these webhooks when they are shipped alongside your Operator.
12.1. Defining webhooks in a CSV
The ClusterServiceVersion (CSV) resource includes a webhookdefinitions section to define validating and mutating admission webhooks that ship with an Operator. For example:
CSV containing a validating admission webhook
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
    description: |-
      An example CSV that contains a webhook
  name: example-webhook.v1.0.0
  namespace: placeholder
spec:
  webhookdefinitions:
  - generateName: example.webhook.com
    type: ValidatingAdmissionWebhook
    deploymentName: "example-webhook-deployment"
    containerPort: 443
    sideEffects: "None"
    failurePolicy: "Ignore"
    admissionReviewVersions:
    - "v1"
    - "v1beta1"
    rules:
    - operations:
      - "CREATE"
      apiGroups:
      - ""
      apiVersions:
      - "v1"
      resources:
      - "configmaps"
    objectSelector:
      foo: bar
    webhookPath: "/validate"
...
OLM requires that you define the following:
- The type field must be set to either ValidatingAdmissionWebhook or MutatingAdmissionWebhook, or the CSV will be placed in a failed phase.
- The CSV must contain a Deployment whose name is equivalent to the value supplied in the deploymentName field of the webhook definition.
When the webhook is created, OLM ensures that the webhook only acts upon namespaces that match the OperatorGroup that the Operator is deployed in.
12.2. Webhook considerations
When developing an admission webhook to be managed by OLM, consider the following constraints:
Certificate authority constraints
OLM is configured to provide each Deployment with a single certificate authority (CA). The logic that generates and mounts the CA into the Deployment was originally used by the APIService lifecycle logic. As a result:
- The TLS certificate file is mounted to the Deployment at
- The TLS key file is mounted to the Deployment at
Admission webhook rules constraints
To prevent an Operator from configuring the cluster into an unrecoverable state, OLM places the CSV in the failed phase if the rules defined in an admission webhook intercept any of the following requests:
- Requests that target all groups
- Requests that target the
- Requests that target the
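The following is an added pre-flight lint (example code, not part of OLM or this documentation) that applies the checks from sections 12.1 and 12.2 to a CSV before it is packaged: the webhook type, the deploymentName match, and the rule that intercepts all API groups. It assumes the CSV's Deployments live under spec.install.spec.deployments, treats an apiGroups entry of "*" as targeting all groups, and embeds the CSV as a constructed Python dict built from the example above so it runs without a YAML library.

```python
ALLOWED_TYPES = {"ValidatingAdmissionWebhook", "MutatingAdmissionWebhook"}


def lint_webhook_definitions(csv):
    """Return the problems that would land this CSV in the failed phase."""
    problems = []
    spec = csv.get("spec", {})
    # Assumption: Deployments shipped with the CSV sit under spec.install.spec.deployments.
    install = spec.get("install", {}).get("spec", {})
    deployments = {d.get("name") for d in install.get("deployments", [])}
    for wh in spec.get("webhookdefinitions", []):
        name = wh.get("generateName", "<unnamed>")
        if wh.get("type") not in ALLOWED_TYPES:
            problems.append(f"{name}: unsupported type {wh.get('type')!r}")
        if wh.get("deploymentName") not in deployments:
            problems.append(f"{name}: deploymentName {wh.get('deploymentName')!r} "
                            "matches no Deployment in the CSV")
        for rule in wh.get("rules", []):
            # Assumption: "*" in apiGroups is what "targets all groups" means.
            if "*" in rule.get("apiGroups", []):
                problems.append(f"{name}: rule intercepts requests to all API groups")
    return problems


def make_csv(wh_type, deployment_name, api_groups):
    """Build a minimal CSV shaped like the example above (constructed data)."""
    return {
        "apiVersion": "operators.coreos.com/v1alpha1",
        "kind": "ClusterServiceVersion",
        "spec": {
            "install": {"spec": {"deployments": [{"name": "example-webhook-deployment"}]}},
            "webhookdefinitions": [{
                "generateName": "example.webhook.com",
                "type": wh_type,
                "deploymentName": deployment_name,
                "containerPort": 443,
                "admissionReviewVersions": ["v1", "v1beta1"],
                "rules": [{"operations": ["CREATE"], "apiGroups": api_groups,
                           "apiVersions": ["v1"], "resources": ["configmaps"]}],
                "webhookPath": "/validate",
            }],
        },
    }


# The page's example passes; a CSV with a misspelled type, a Deployment name
# that does not exist, and a rule over every API group fails all three checks.
GOOD_CSV = make_csv("ValidatingAdmissionWebhook", "example-webhook-deployment", [""])
BAD_CSV = make_csv("ValidatingWebhook", "example-webhook", ["*"])
```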