Support AllowList/BlockList Mode for Pod Webhook Injection #463
Description
Summary
Currently, the Pod Webhook uses whitelist mode: only Pods with tensor-fusion.ai/enabled=true label are injected with TensorFusion.
In some scenarios, users want to enable TensorFusion globally and only exclude specific Namespaces or Pods. The current whitelist approach requires manually adding labels to every Pod, which increases management overhead.
Proposal
Add blacklist mode support with LabelSelector-based exclusion rules for Namespaces and Pods.
Basic example
apiVersion: tensor-fusion.ai/v1
kind: TensorFusionCluster
metadata:
name: default
spec:
webhookConfig:
# Whitelist: current default behavior, only inject pods with tensor-fusion.ai/enabled=true
# Blacklist: inject all pods except those matching exclusion rules
injectionMode: Blacklist
exclusionRules:
# Exact namespace names to exclude
namespaceNames:
- kube-system
- kube-public
- istio-system
# Namespace LabelSelector
namespaceSelector:
matchLabels:
tensor-fusion.ai/injection: disabled
matchExpressions:
- key: environment
operator: In
values: [testing, ci]
# Pod LabelSelector
podSelector:
matchLabels:
tensor-fusion.ai/injection: disabledUser Usage
Exclude a Namespace:
apiVersion: v1
kind: Namespace
metadata:
name: my-namespace
labels:
tensor-fusion.ai/injection: disabledExclude a Pod:
apiVersion: v1
kind: Pod
metadata:
labels:
tensor-fusion.ai/injection: disabled