projectcapsule/capsule

Targeted namespace annotations

micke-post opened this issue · 4 comments

Hi,
we recently came across a conceptual issue with namespace annotations. In our clusters we are using linkerd as service mesh. To ensure that all tenants are properly meshed, we automatically annotate all namespaces by setting the linkerd.io/inject annotation in the additionalMetadata property of the tenants.

This works perfectly, but recently we came across an issue where a tenant tried to deploy an nginx ingress controller. The issue basically is that linkerd interferes with the startup procedure because it prevents a short-lived container from properly terminating when starting nginx, so the recommendation is to not set the linkerd annotation on the nginx namespaces.

There are probably ways around this specific issue, but generally speaking - is there a way to target or exclude individual namespaces for the additionalMetadata property in capsule? From what I can tell after reading the docs it seems to be all or none.
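For readers unfamiliar with the field being discussed, this is an added example of what the all-or-nothing setting looks like in a Tenant resource (it is not a manifest from the issue or from the Capsule project; the tenant name, the owner and the capsule.clastix.io/v1beta2 API version are assumptions). Every namespace created under this tenant receives the annotation, with no per-namespace opt-out:

```yaml
# Added example, assumed Capsule v1beta2 API.
# Tenant name and owner are placeholders.
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
    - name: alice
      kind: User
  namespaceOptions:
    additionalMetadata:
      # Applied to every namespace owned by this tenant,
      # including a namespace the tenant creates for ingress-nginx.
      annotations:
        linkerd.io/inject: enabled
```

Because the annotation is reconciled by Capsule for all of the tenant's namespaces, there is no field at this level that would let a single namespace (such as one hosting an ingress controller) be skipped.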

is there a way to target or exclude individual namespaces for the additionalMetadata property in capsule?

No, there's no chance of achieving this. This is definitely a very subtle domain logic we cannot abstract in Capsule, thus I suggest you rely on specific policy engines, like Kyverno, unless the community pushes to achieve this.
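As an added illustration of the policy-engine route suggested above (this is not a policy from the issue or from either project; the tenant name oil and the excluded namespace name ingress-nginx are assumptions), a Kyverno ClusterPolicy can add the mesh annotation to a tenant's namespaces while leaving a named namespace out. It matches on the capsule.clastix.io/tenant label that Capsule sets on tenant namespaces:

```yaml
# Added example, not part of Capsule or Kyverno.
# Assumes Capsule labels tenant namespaces with capsule.clastix.io/tenant=<tenant>.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: linkerd-inject-tenant-namespaces
spec:
  rules:
    - name: add-linkerd-inject
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  capsule.clastix.io/tenant: oil   # assumed tenant name
      exclude:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - ingress-nginx                   # assumed namespace to leave unmeshed
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # The +() anchor adds the annotation only when it is absent,
              # so a namespace already carrying linkerd.io/inject: disabled keeps it.
              +(linkerd.io/inject): enabled
```

Two practical points when using this instead of additionalMetadata: keep the annotation in one place only, since a Capsule-managed annotation and a Kyverno mutation on the same key will work against each other; and remember that the exclusion is keyed on a name the tenant itself chooses, so a tenant can opt a namespace out of the mesh simply by naming it ingress-nginx. If that opt-out must not be in the tenant's hands, exclude on something the tenant cannot set, such as a label applied by the cluster administrator.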

Alright, got it. Thanks for the information!

I'm reopening this just to allow people to comment on it and share their interest in this feature.

bsctl commented

@prometherion @maxgio92 Revamping the interest in an external policy engine, natively with the Validating Admission Policy feature set (still beta).