diff --git a/pkg/clusteragent/admission/common/label_selectors.go b/pkg/clusteragent/admission/common/label_selectors.go
index 710e0ff8c11d7..2c49b36011bc2 100644
--- a/pkg/clusteragent/admission/common/label_selectors.go
+++ b/pkg/clusteragent/admission/common/label_selectors.go
@@ -19,11 +19,7 @@ func DefaultLabelSelectors(useNamespaceSelector bool) (namespaceSelector, object
 if pkgconfigsetup.Datadog().GetBool("admission_controller.mutate_unlabelled") ||
 pkgconfigsetup.Datadog().GetBool("apm_config.instrumentation.enabled") ||
- pkgconfigsetup.Datadog().GetBool("admission_controller.inject_config.enabled") ||
- pkgconfigsetup.Datadog().GetBool("admission_controller.inject_tags.enabled") ||
- len(pkgconfigsetup.Datadog().GetStringSlice("apm_config.instrumentation.enabled_namespaces")) > 0 ||
- len(pkgconfigsetup.Datadog().GetStringSlice("admission_controller.inject_config.enabled_namespaces")) > 0 ||
- len(pkgconfigsetup.Datadog().GetStringSlice("admission_controller.inject_tags.enabled_namespaces")) > 0 {
+ len(pkgconfigsetup.Datadog().GetStringSlice("apm_config.instrumentation.enabled_namespaces")) > 0 {
 // Accept all, ignore pods if they're explicitly filtered-out
 labelSelector = metav1.LabelSelector{
 MatchExpressions: []metav1.LabelSelectorRequirement{
diff --git a/pkg/clusteragent/admission/controllers/webhook/controller_v1_test.go b/pkg/clusteragent/admission/controllers/webhook/controller_v1_test.go
index 12a6b04342c15..3c0bbb81bd5f3 100644
--- a/pkg/clusteragent/admission/controllers/webhook/controller_v1_test.go
+++ b/pkg/clusteragent/admission/controllers/webhook/controller_v1_test.go
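Review bot: The condition in label_selectors.go that switches this shared selector from opt-in to opt-out has no comment saying which webhooks it widens. After this change it is driven by `admission_controller.mutate_unlabelled` and two `apm_config.instrumentation.*` keys only, but the function sits in `common`, and the test expectations updated in the same commit suggest the config and tags webhooks take their selector from it too, so enabling APM instrumentation presumably still makes those webhooks match every pod that is not explicitly filtered out. If that coupling is intended, state it above the `if`, for example `// NOTE: any of these settings puts every webhook using the default selectors into opt-out mode, not only auto-instrumentation.`; if it is not, the APM keys belong in a selector specific to the auto-instrumentation webhook. The body of DefaultLabelSelectors continues past the end of the hunk.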
@@ -282,12 +282,8 @@ func TestGenerateTemplatesV1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, false, false, mockConfig) },
 want: func() []admiv1.MutatingWebhook {
 webhook := webhook("datadog.webhook.agent.config", "/injectconfig", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1.MatchCondition{}, []admiv1.OperationType{admiv1.Create}, []string{"pods"})
 return []admiv1.MutatingWebhook{webhook}
@@ -328,12 +324,8 @@ func TestGenerateTemplatesV1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, false, false, mockConfig) },
 want: func() []admiv1.MutatingWebhook {
 webhook := webhook("datadog.webhook.standard.tags", "/injecttags", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1.MatchCondition{}, []admiv1.OperationType{admiv1.Create}, []string{"pods"})
 return []admiv1.MutatingWebhook{webhook}
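Review bot: The expected selector is now the same three-line `MatchLabels` literal in every case this commit touches (both hunks here, the hunks at -392 and -457, and the four matching hunks in controller_v1beta1_test.go), so the next change to the default selector means editing twelve copies again. A small test helper such as `func optInSelector() *metav1.LabelSelector { return &metav1.LabelSelector{MatchLabels: map[string]string{"admission.datadoghq.com/enabled": "true"}} }` would keep the expectation in one place. These cases now pin only the opt-in form for the config and tags webhooks; if no case elsewhere in the file does so, one with `apm_config.instrumentation.enabled_namespaces` set would document whether those two webhooks are meant to follow the opt-out branch. TestGenerateTemplatesV1 starts and ends outside the hunks.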
@@ -392,21 +384,13 @@ func TestGenerateTemplatesV1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, false, false, mockConfig) },
 want: func() []admiv1.MutatingWebhook {
 webhookConfig := webhook("datadog.webhook.agent.config", "/injectconfig", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1.MatchCondition{}, []admiv1.OperationType{admiv1.Create}, []string{"pods"})
 webhookTags := webhook("datadog.webhook.standard.tags", "/injecttags", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1.MatchCondition{}, []admiv1.OperationType{admiv1.Create}, []string{"pods"})
 return []admiv1.MutatingWebhook{webhookConfig, webhookTags}
@@ -457,21 +441,13 @@ func TestGenerateTemplatesV1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, true, false, mockConfig) },
 want: func() []admiv1.MutatingWebhook {
 webhookConfig := webhook("datadog.webhook.agent.config", "/injectconfig", nil, &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, []admiv1.MatchCondition{}, []admiv1.OperationType{admiv1.Create}, []string{"pods"})
 webhookTags := webhook("datadog.webhook.standard.tags", "/injecttags", nil, &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, []admiv1.MatchCondition{}, []admiv1.OperationType{admiv1.Create}, []string{"pods"})
 return []admiv1.MutatingWebhook{webhookConfig, webhookTags}
diff --git a/pkg/clusteragent/admission/controllers/webhook/controller_v1beta1_test.go b/pkg/clusteragent/admission/controllers/webhook/controller_v1beta1_test.go
index 4bb1b0336424e..ef20ff4343a97 100644
--- a/pkg/clusteragent/admission/controllers/webhook/controller_v1beta1_test.go
+++ b/pkg/clusteragent/admission/controllers/webhook/controller_v1beta1_test.go
@@ -278,12 +278,8 @@ func TestGenerateTemplatesV1beta1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, false, false, mockConfig) },
 want: func() []admiv1beta1.MutatingWebhook {
 webhook := webhook("datadog.webhook.agent.config", "/injectconfig", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1beta1.MatchCondition{}, []admiv1beta1.OperationType{admiv1beta1.Create}, []string{"pods"})
 return []admiv1beta1.MutatingWebhook{webhook}
@@ -324,12 +320,8 @@ func TestGenerateTemplatesV1beta1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, false, false, mockConfig) },
 want: func() []admiv1beta1.MutatingWebhook {
 webhook := webhook("datadog.webhook.standard.tags", "/injecttags", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1beta1.MatchCondition{}, []admiv1beta1.OperationType{admiv1beta1.Create}, []string{"pods"})
 return []admiv1beta1.MutatingWebhook{webhook}
@@ -388,21 +380,13 @@ func TestGenerateTemplatesV1beta1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, false, false, mockConfig) },
 want: func() []admiv1beta1.MutatingWebhook {
 webhookConfig := webhook("datadog.webhook.agent.config", "/injectconfig", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1beta1.MatchCondition{}, []admiv1beta1.OperationType{admiv1beta1.Create}, []string{"pods"})
 webhookTags := webhook("datadog.webhook.standard.tags", "/injecttags", &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, nil, []admiv1beta1.MatchCondition{}, []admiv1beta1.OperationType{admiv1beta1.Create}, []string{"pods"})
 return []admiv1beta1.MutatingWebhook{webhookConfig, webhookTags}
@@ -453,21 +437,13 @@ func TestGenerateTemplatesV1beta1(t *testing.T) {
 configFunc: func(mockConfig model.Config) Config { return NewConfig(false, true, false, mockConfig) },
 want: func() []admiv1beta1.MutatingWebhook {
 webhookConfig := webhook("datadog.webhook.agent.config", "/injectconfig", nil, &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, []admiv1beta1.MatchCondition{}, []admiv1beta1.OperationType{admiv1beta1.Create}, []string{"pods"})
 webhookTags := webhook("datadog.webhook.standard.tags", "/injecttags", nil, &metav1.LabelSelector{
- MatchExpressions: []metav1.LabelSelectorRequirement{
- {
- Key: "admission.datadoghq.com/enabled",
- Operator: metav1.LabelSelectorOpNotIn,
- Values: []string{"false"},
- },
+ MatchLabels: map[string]string{
+ "admission.datadoghq.com/enabled": "true",
 },
 }, []admiv1beta1.MatchCondition{}, []admiv1beta1.OperationType{admiv1beta1.Create}, []string{"pods"})
 return []admiv1beta1.MutatingWebhook{webhookConfig, webhookTags}
diff --git a/pkg/clusteragent/admission/mutate/config/filter.go b/pkg/clusteragent/admission/mutate/config/filter.go
index e891145ec8da3..913df5e8dffae 100644
--- a/pkg/clusteragent/admission/mutate/config/filter.go
+++ b/pkg/clusteragent/admission/mutate/config/filter.go
@@ -15,7 +15,5 @@ import (
 // NewFilter creates a new MutationFilter from the provided FilterConfig.
 func NewFilter(datadogConfig config.Component) (mutatecommon.MutationFilter, error) {
 enabled := datadogConfig.GetBool("admission_controller.inject_config.enabled")
- enabledNamespaces := datadogConfig.GetStringSlice("admission_controller.inject_config.enabled_namespaces")
- disabledNamespaces := datadogConfig.GetStringSlice("admission_controller.inject_config.disabled_namespaces")
- return mutatecommon.NewDefaultFilter(enabled, enabledNamespaces, disabledNamespaces)
+ return mutatecommon.NewDefaultFilter(enabled, nil, nil)
 }
diff --git a/pkg/clusteragent/admission/mutate/tagsfromlabels/filter.go b/pkg/clusteragent/admission/mutate/tagsfromlabels/filter.go
index 970460ba25d12..6119998cca856 100644
--- a/pkg/clusteragent/admission/mutate/tagsfromlabels/filter.go
+++ b/pkg/clusteragent/admission/mutate/tagsfromlabels/filter.go
@@ -15,7 +15,5 @@ import (
 // NewFilter creates a new MutationFilter from the provided FilterConfig.
 func NewFilter(datadogConfig config.Component) (mutatecommon.MutationFilter, error) {
 enabled := datadogConfig.GetBool("admission_controller.inject_tags.enabled")
- enabledNamespaces := datadogConfig.GetStringSlice("admission_controller.inject_tags.enabled_namespaces")
- disabledNamespaces := datadogConfig.GetStringSlice("admission_controller.inject_tags.disabled_namespaces")
- return mutatecommon.NewDefaultFilter(enabled, enabledNamespaces, disabledNamespaces)
+ return mutatecommon.NewDefaultFilter(enabled, nil, nil)
 }
diff --git a/pkg/config/setup/config.go b/pkg/config/setup/config.go
index 2ff12362e7f6e..2dbcd7472bd84 100644
--- a/pkg/config/setup/config.go
+++ b/pkg/config/setup/config.go
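Review bot: Both NewFilter functions (mutate/config/filter.go and the identical one in tagsfromlabels/filter.go) now pass `nil, nil` for the namespace lists with nothing saying why, and a deployment that still sets `admission_controller.inject_config.disabled_namespaces` or the `inject_tags` equivalent would have that exclusion dropped silently. What nil means to `NewDefaultFilter` is not visible here, so a comment such as `// Namespace allow/deny lists are not configurable for this webhook; nil leaves the filter on its defaults.` would help, once that behaviour is confirmed. If those keys ever reached a release, a startup warning when they are still present in the configuration would tell operators that a namespace they meant to keep out of mutation is back in scope. The doc comment also still says "from the provided FilterConfig" although the parameter is a `config.Component`.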
@@ -748,8 +748,6 @@ func InitConfig(config pkgconfigmodel.Setup) {
 config.BindEnvAndSetDefault("admission_controller.certificate.secret_name", "webhook-certificate") // name of the Secret object containing the webhook certificate
 config.BindEnvAndSetDefault("admission_controller.webhook_name", "datadog-webhook")
 config.BindEnvAndSetDefault("admission_controller.inject_config.enabled", true)
- config.BindEnvAndSetDefault("admission_controller.inject_config.enabled_namespaces", []string{})
- config.BindEnvAndSetDefault("admission_controller.inject_config.disabled_namespaces", []string{})
 config.BindEnvAndSetDefault("admission_controller.inject_config.endpoint", "/injectconfig")
 config.BindEnvAndSetDefault("admission_controller.inject_config.mode", "hostip") // possible values: hostip / service / socket
 config.BindEnvAndSetDefault("admission_controller.inject_config.local_service_name", "datadog")
@@ -758,8 +756,6 @@ func InitConfig(config pkgconfigmodel.Setup) {
 config.BindEnvAndSetDefault("admission_controller.inject_config.dogstatsd_socket", "unix:///var/run/datadog/dsd.socket")
 config.BindEnvAndSetDefault("admission_controller.inject_config.type_socket_volumes", false)
 config.BindEnvAndSetDefault("admission_controller.inject_tags.enabled", true)
- config.BindEnvAndSetDefault("admission_controller.inject_tags.enabled_namespaces", []string{})
- config.BindEnvAndSetDefault("admission_controller.inject_tags.disabled_namespaces", []string{})
 config.BindEnvAndSetDefault("admission_controller.inject_tags.endpoint", "/injecttags")
 config.BindEnvAndSetDefault("admission_controller.inject_tags.pod_owners_cache_validity", 10) // in minutes
 config.BindEnv("admission_controller.pod_owners_cache_validity") // Alias for admission_controller.inject_tags.pod_owners_cache_validity. Was added without the "inject_tags" prefix by mistake but needs to be kept for backwards compatibility
diff --git a/releasenotes/notes/decouple-admission-controller-webhooks-e75f98372d5edc01.yaml b/releasenotes/notes/decouple-admission-controller-webhooks-e75f98372d5edc01.yaml
deleted file mode 100644
index 395135f68beb0..0000000000000
--- a/releasenotes/notes/decouple-admission-controller-webhooks-e75f98372d5edc01.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Each section from every release note are combined when the
-# CHANGELOG.rst is rendered. So the text needs to be worded so that
-# it does not depend on any information only available in another
-# section. This may mean repeating some details, but each section
-# must be readable independently of the other.
-#
-# Each section note must be formatted as reStructuredText.
----
-upgrade:
- - |
- The auto instrumentation, config, and tags from labels webhooks have been decoupled to function independently. The following settings will now apply exclusively to the auto instrumentation webhook:
- - `apm_config.instrumentation.enabled`
- - `apm_config.instrumentation.enabled_namespaces`
- - `apm_config.instrumentation.disabled_namespaces`
-
- These settings will no longer apply to the config or tags from labels webhooks. To maintain the existing behavior, configure these settings separately for each webhook.
-
- For the config webhook, use the following settings:
- - `admission_controller.inject_config.enabled`
- - `admission_controller.inject_config.enabled_namespaces`
- - `admission_controller.inject_config.disabled_namespaces`
-
- For the tags from labels webhook, use the following settings:
- - `admission_controller.inject_tags.enabled`
- - `admission_controller.inject_tags.enabled_namespaces`
- - `admission_controller.inject_tags.disabled_namespaces`