Description
In the hub cluster, there is a validating webhook that gets deployed. This webhook appears to stop any workloads (deployment, daemonset, etc.) from getting deployed into the hub cluster and the definition for that webhook configuration is in code, not in the installation Helm chart.
For a managed system like Azure Kubernetes Fleet Manager, this is probably sufficient.
For a self-hosted hub cluster, we really want the ability to deploy things like...
- Prometheus
- OpenTelemetry Collector
- Security scanning software (e.g., Wiz, CrowdStrike)
...and so on. The validating webhook configuration makes this impossible to do.
We have resorted to applying a JSON PATCH to the configuration immediately after the hub agent is deployed to explicitly ignore certain namespaces and allow us to get our required additional Kubernetes components deployed.
Having a way to exclude a namespace from the webhook - either by deploying the configuration via Helm or by allowing for a label/annotation on a namespace - would be a huge help in allowing us to set up a cluster with required components. (Open to other solutions as well, the suggestions here are just brainstorming/suggestions.)
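The workaround described in this issue, as an added example that is not part of the original report or of the project's code: build the RFC 6902 JSON patch that adds a `namespaceSelector` to the workload webhook, apply it to a copy of the configuration offline, and check that the excluded namespaces really bypass that webhook while every other webhook is untouched. The webhook configuration, webhook names and namespaces below are constructed placeholders, not the project's real identifiers. The selector keys on `kubernetes.io/metadata.name`, the label the API server sets on every namespace, so no extra labelling is needed.

```python
"""Build and sanity-check a JSON Patch (RFC 6902) that makes one webhook of a
ValidatingWebhookConfiguration skip selected namespaces.
Names below are hypothetical placeholders, not the project's real identifiers."""
import copy
import json

# Constructed stand-in for `kubectl get validatingwebhookconfiguration <name> -o json`.
SAMPLE_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-hub-validating-webhook"},
    "webhooks": [
        {"name": "placements.example.hub", "failurePolicy": "Fail",
         "rules": [{"apiGroups": ["placement.example.hub"], "apiVersions": ["v1beta1"],
                    "operations": ["CREATE", "UPDATE"], "resources": ["clusterresourceplacements"]}]},
        {"name": "workloads.example.hub", "failurePolicy": "Fail",
         "rules": [{"apiGroups": ["apps"], "apiVersions": ["v1"],
                    "operations": ["CREATE", "UPDATE"],
                    "resources": ["deployments", "daemonsets", "statefulsets"]}]},
    ],
}
NAMESPACE_NAME_LABEL = "kubernetes.io/metadata.name"  # set on every namespace by the API server


def build_namespace_exclusion_patch(config, webhook_name, excluded_namespaces):
    """Return RFC 6902 ops that make `webhook_name` ignore the given namespaces.
    The webhook index is looked up by name, never hard-coded, and a missing
    webhook raises instead of silently patching nothing."""
    try:
        idx = next(i for i, w in enumerate(config["webhooks"]) if w["name"] == webhook_name)
    except StopIteration:
        raise KeyError(f"webhook {webhook_name!r} not found in {config['metadata']['name']}")
    selector = {"matchExpressions": [{"key": NAMESPACE_NAME_LABEL, "operator": "NotIn",
                                      "values": sorted(set(excluded_namespaces))}]}
    # `replace` when a selector already exists makes the intent explicit; `add` otherwise.
    op = "replace" if "namespaceSelector" in config["webhooks"][idx] else "add"
    return [{"op": op, "path": f"/webhooks/{idx}/namespaceSelector", "value": selector}]


def apply_json_patch(doc, patch):
    """Apply the add/replace subset of RFC 6902 to a copy of `doc`, so the patch
    can be reviewed offline before it is handed to `kubectl patch --type=json`."""
    doc = copy.deepcopy(doc)
    for op in patch:
        if op["op"] not in ("add", "replace"):
            raise ValueError(f"unsupported op {op['op']!r}")
        *parents, last = [p.replace("~1", "/").replace("~0", "~") for p in op["path"].split("/")[1:]]
        target = doc
        for part in parents:
            target = target[int(part)] if isinstance(target, list) else target[part]
        if isinstance(target, list):
            i = len(target) if last == "-" else int(last)
            if op["op"] == "add":
                target.insert(i, op["value"])
            else:
                target[i] = op["value"]
        else:
            if op["op"] == "replace" and last not in target:
                raise KeyError(f"replace target {op['path']} does not exist")
            target[last] = op["value"]
    return doc


def webhook_applies_to_namespace(webhook, namespace_labels):
    """Evaluate a webhook's namespaceSelector (matchLabels plus the In/NotIn/
    Exists/DoesNotExist operators) against a namespace's labels. An absent or
    empty selector matches every namespace, as in the API server."""
    selector = webhook.get("namespaceSelector") or {}
    if any(namespace_labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in namespace_labels
        if op == "In" and not (present and namespace_labels[key] in values):
            return False
        if op == "NotIn" and present and namespace_labels[key] in values:
            return False
        if (op == "Exists" and not present) or (op == "DoesNotExist" and present):
            return False
    return True


def exclude_namespaces(config, webhook_name, excluded):
    """Return (patch, patched_config); the original config is left unmodified."""
    patch = build_namespace_exclusion_patch(config, webhook_name, excluded)
    return patch, apply_json_patch(config, patch)


if __name__ == "__main__":
    patch, _ = exclude_namespaces(SAMPLE_CONFIG, "workloads.example.hub",
                                  ["monitoring", "otel", "security"])
    # Feed this to: kubectl patch validatingwebhookconfiguration <name> --type=json -p "$(python3 thisfile.py)"
    print(json.dumps(patch))
```

Two caveats worth keeping in mind with this approach: because the configuration is owned by the agent's code rather than by a chart, any re-creation of the object by the agent drops the selector and the patch has to be reapplied; and with `failurePolicy: Fail`, the excluded namespaces are also the only ones where a deploy still succeeds while the hub webhook endpoint is unavailable, so verify the patched object with `kubectl get validatingwebhookconfiguration <name> -o json` rather than trusting the patch command's exit status alone.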