mutatingWebhook is being flagged as unsafe

[serdarkkts]

The cloud-sql-proxy-operator mutating webhook can intercept pods in system-managed namespaces. Because of that GKE is flagging the webhook as unsafe.

From the GKE documentation:

If a webhook is intercepting any resources in system-managed namespaces, or certain types of resources, GKE considers this unsafe and recommends that you update the webhooks to avoid intercepting these resources.

The recommended action is to change the scope of the resources to namespaced from * and exclude the system-managed namespaces with the help of the namespaceSelector on the MutatingWebhookConfiguration resource (Since Kubernetes v1.21). However, I am not sure if this would affect any potential use cases of the cloud-sql-proxy-operator.

What are your opinions on this?

[hessjcg]

Thank you for reporting this. I agree that the operator has no reason to intercept pods in system namespaces, and I'd like to change the operator setup so that it works correctly. I have a suggestions on how to accomplish this:

• Make the default installation YAML for the MutatingWebhookConfiguration use Kubernetes 1.21 namespaceSelector
• Provide an alternative installation yaml for Kubernetes < 1.21, providing an explicit list of namespaces, and instructions to the user on how to edit that list.
• When we build the helm chart, allow the users to explicitly list monitored namespaces in the chart's values. (Feature Request: Helm Chart #343)

[enocom]

I think this is a bug -- we shouldn't be causing GKE to flag the Operator. Adjusting the priority down, though, as it's not going to interfere with operations.

[enocom]

Here's a screenshot of the warning for reference:

[enocom]

Based on GKE's version support, I think v1.21 (April 8, 2021) is already unsupported. So we're good to use a > v1.21 solution here (i.e. namespaceSelector).

Reference: https://cloud.google.com/kubernetes-engine/versioning#version-support