AKS' Admission Enforcer mutates ControlPlane
's ValidatingWebhookConfiguration
which causes a perpetual reconciliation loop
#239
Labels
Milestone
Current Behavior
When KGO is running against an AKS cluster, that cluster's Admission Enforcer patches all
ValidatingWebhookConfiguration
s so that it does not check AKS managed resources, which have thekubernetes.azure.com/managedby=aks
label set.This is in conflict with KGO's mechanism to patch the in cluster resource if it's different than the one that's generated.
Expected Behavior
Reconciliation succeeds.
Proposed solutions
ValidatingWebhookConfiguration
Suggest users to add 3rd party tooling to remove the aks related VWC config inMatchExpressions
added by AKS (something akin to Kyverno mutate rules https://kyverno.io/docs/writing-policies/mutate/)Steps To Reproduce
--set env.zap_log_level=2
)Gateway
(e.g. using https://github.com/Kong/gateway-operator/blob/36c58ab4dd9a449627e14381cf1fc63f362b9903/config/samples/gateway-with-gatewayconfiguration.yaml). 2Gateway
s make it more apparent, not sure 100% why that's the case.ControlPlane
not getting a Deployment and perpetual reconciliation ofValidatingWebhookConfiguration
Operator Version
1.2.3 and latest main
kubectl version
The text was updated successfully, but these errors were encountered: