diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
index 6da919857..7c9edd383 100644
--- a/helm/aws-load-balancer-controller/README.md
+++ b/helm/aws-load-balancer-controller/README.md
@@ -281,6 +281,12 @@ The default values set by the application itself can be confirmed [here](https:/
 | `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` |
 | `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` |
 | `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` |
+| `podMutatorWebhookConfig.failurePolicy` | Failure policy for the Pod Mutator webhook | `Ignore` |
+| `podServerIdMutatorWebhookConfig.failurePolicy` | Failure policy for the Pod Server Id Mutator webhook | `Fail` |
+| `tgbMutatorWebhookConfig.failurePolicy` | Failure policy for the TargetGroupBinding Mutator webhook | `Fail` |
+| `ingressClassParamsValidatorWebhookConfig.failurePolicy` | Failure policy for the Ingress Class Params Validator webhook | `Fail` |
+| `tgbValidatorWebhookConfig.failurePolicy` | Failure policy for the TargetGroupBinding Validator webhook | `Fail` |
+| `ingressValidatorWebhookConfig.failurePolicy` | Failure policy for the Ingress Validator webhook | `Fail` |
 | `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` |
 | `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None |
 | `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` |
diff --git a/helm/aws-load-balancer-controller/templates/webhook.yaml b/helm/aws-load-balancer-controller/templates/webhook.yaml
index 06f1cc2ee..3e54726c3 100644
--- a/helm/aws-load-balancer-controller/templates/webhook.yaml
+++ b/helm/aws-load-balancer-controller/templates/webhook.yaml
@@ -64,7 +64,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /mutate-v1-pod-server-id
- failurePolicy: Fail
+ failurePolicy: {{ .Values.podServerIdMutatorWebhookConfig.failurePolicy }}
 name: quicid.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
@@ -147,7 +147,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding
- failurePolicy: Fail
+ failurePolicy: {{ .Values.tgbMutatorWebhookConfig.failurePolicy }}
 name: mtargetgroupbinding.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
@@ -182,7 +182,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams
- failurePolicy: Fail
+ failurePolicy: {{ .Values.ingressClassParamsValidatorWebhookConfig.failurePolicy }}
 name: vingressclassparams.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
@@ -211,7 +211,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding
- failurePolicy: Fail
+ failurePolicy: {{ .Values.tgbValidatorWebhookConfig.failurePolicy }}
 name: vtargetgroupbinding.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
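Review bot: The new `failurePolicy: {{ .Values.podServerIdMutatorWebhookConfig.failurePolicy }}` renders whatever the value holds with no fallback, so an override that sets the key to `null` (which Helm removes from the merged values) produces a bare `failurePolicy:` and the webhook's behaviour then depends on API-server defaulting rather than on the chart. Falling back to the policy this line hard-coded before keeps the fail-closed default explicit: `failurePolicy: {{ .Values.podServerIdMutatorWebhookConfig.failurePolicy | default "Fail" }}`. The same applies to the other four policies templated in this file; the enclosing webhook entry starts and ends outside the hunk.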
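Review bot: Templating the TargetGroupBinding validator's failure policy lets an operator choose `Ignore`, which turns this validating webhook fail-open: while the webhook service is unreachable, every operation the webhook is registered for is admitted without the controller's TargetGroupBinding checks, and nothing in the hunk or the accompanying values comment says so. The template change itself is fine given the `Fail` default, but the trade-off belongs next to the knob; a comment such as `# Ignore admits TargetGroupBindings unvalidated whenever the webhook is unavailable; keep Fail unless availability must win over enforcement` on the values key would make the choice deliberate. The same caveat applies to the ingressclassparams validator hunk above and the ingress validator hunk that follows; the enclosing webhook entry starts and ends outside the hunk.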
@@ -235,7 +235,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /validate-networking-v1-ingress
- failurePolicy: Fail
+ failurePolicy: {{ .Values.ingressValidatorWebhookConfig.failurePolicy }}
 matchPolicy: Equivalent
 name: vingress.elbv2.k8s.aws
 admissionReviewVersions:
diff --git a/helm/aws-load-balancer-controller/test.yaml b/helm/aws-load-balancer-controller/test.yaml
index d995d7060..754ef9631 100644
--- a/helm/aws-load-balancer-controller/test.yaml
+++ b/helm/aws-load-balancer-controller/test.yaml
@@ -356,4 +356,29 @@ serviceMutatorWebhookConfig:
 podMutatorWebhookConfig:
 # whether or not to fail the pod creation if the webhook fails
- failurePolicy: Ignore
\ No newline at end of file
+ failurePolicy: Ignore
+
+# podServerIdMutatorWebhookConfig contains configurations specific to the pod service id mutator webhook
+podServerIdMutatorWebhookConfig:
+ # whether or not to fail the pod creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbMutatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbMutatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressClassParamsValidatorWebhookConfig contains configurations specific to the ingress class params validator webhook
+ingressClassParamsValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbValidatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbValidatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressValidatorWebhookConfig contains configurations specific to the ingress validator webhook
+ingressValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
\ No newline at end of file
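Review bot: This is the validator facing the least-trusted submitters — Ingress objects are commonly created by application teams rather than cluster operators — so allowing `Ignore` here means an Ingress the controller would have rejected is admitted whenever the webhook is down, and the failure presumably only surfaces later in the controller's reconcile path where the submitter does not see it. The change is consistent with the other hunks and the default stays `Fail`, but the README row and the values comment describe the knob only as a "failure policy"; I would state the consequence next to the key, e.g. `# Ignore makes Ingress validation fail-open while the webhook is unreachable; keep Fail unless availability must win over enforcement`. The rules and operations this webhook is registered for lie outside the hunk.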
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index 4b7a684f9..8c1ef4dc4 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -452,11 +452,36 @@ serviceMutatorWebhookConfig:
 - CREATE
 # - UPDATE
-# podMutatorWebhookConfig contains configurations specific to the service mutator webhook
+# podMutatorWebhookConfig contains configurations specific to the pod mutator webhook
 podMutatorWebhookConfig:
 # whether or not to fail the pod creation if the webhook fails
 failurePolicy: Ignore
+# podServerIdMutatorWebhookConfig contains configurations specific to the pod service id mutator webhook
+podServerIdMutatorWebhookConfig:
+ # whether or not to fail the pod creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbMutatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbMutatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressClassParamsValidatorWebhookConfig contains configurations specific to the ingress class params validator webhook
+ingressClassParamsValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbValidatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbValidatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressValidatorWebhookConfig contains configurations specific to the ingress validator webhook
+ingressValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
+
 # serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
 serviceTargetENISGTags:
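Review bot: Three of the new comments do not match the key they document: `podServerIdMutatorWebhookConfig` is described as the "pod service id mutator", `tgbValidatorWebhookConfig` is described as "the targetgroupbinding webhook" (indistinguishable from the `tgbMutatorWebhookConfig` comment above it), and `ingressClassParamsValidatorWebhookConfig` says it controls "the ingress creation" although the webhook path it drives validates IngressClassParams. Suggested comments: `# podServerIdMutatorWebhookConfig contains configurations specific to the pod server id mutator webhook`, `# tgbValidatorWebhookConfig contains configurations specific to the targetgroupbinding validator webhook`, and `# whether or not to fail the IngressClassParams creation if the webhook fails`. For the three validator entries it is also worth stating that `Ignore` makes the validation fail-open whenever the webhook is unavailable, since that is the security trade-off an operator is choosing by flipping this value. test.yaml carries the same comments and should be corrected alongside.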