6 changes: 6 additions & 0 deletions helm/aws-load-balancer-controller/README.md
Expand Up @@ -281,6 +281,12 @@ The default values set by the application itself can be confirmed [here](https:/
| `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` |
| `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` |
| `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` |
| `podMutatorWebhookConfig.failurePolicy` | Failure policy for the Pod Mutator webhook | `Ignore` |
| `podServerIdMutatorWebhookConfig.failurePolicy` | Failure policy for the Pod Server Id Mutator webhook | `Fail` |
| `tgbMutatorWebhookConfig.failurePolicy` | Failure policy for the TargetGroupBinding Mutator webhook | `Fail` |
| `ingressClassParamsValidatorWebhookConfig.failurePolicy` | Failure policy for the Ingress Class Params Validator webhook | `Fail` |
| `tgbValidatorWebhookConfig.failurePolicy` | Failure policy for the TargetGroupBinding Validator webhook | `Fail` |
| `ingressValidatorWebhookConfig.failurePolicy` | Failure policy for the Ingress Validator webhook | `Fail` |
| `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` |
| `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None |
| `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` |
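Review bot: The six new `*.failurePolicy` rows do not say which values are accepted or why `podMutatorWebhookConfig.failurePolicy` defaults to `Ignore` while the other five default to `Fail`. Suggest stating in each description that the value is `Fail` or `Ignore`, and adding a sentence that `Ignore` lets the API server admit the object when the webhook call fails, so an operator changing a validator row knows the object is then admitted without validation.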
10 changes: 5 additions & 5 deletions helm/aws-load-balancer-controller/templates/webhook.yaml
Expand Up @@ -64,7 +64,7 @@ webhooks:
name: {{ template "aws-load-balancer-controller.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /mutate-v1-pod-server-id
failurePolicy: Fail
failurePolicy: {{ .Values.podServerIdMutatorWebhookConfig.failurePolicy }}
name: quicid.elbv2.k8s.aws
admissionReviewVersions:
- v1beta1
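Review bot: The templated `failurePolicy` on the `/mutate-v1-pod-server-id` webhook is emitted unquoted and unchecked, so any string set in `podServerIdMutatorWebhookConfig.failurePolicy` reaches the rendered manifest and a typo is only caught when the API server rejects the webhook configuration. Consider failing the render unless the value is `Fail` or `Ignore`, ideally in one shared helper used by all five webhooks changed in this file.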
Expand Down Expand Up @@ -147,7 +147,7 @@ webhooks:
name: {{ template "aws-load-balancer-controller.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding
failurePolicy: Fail
failurePolicy: {{ .Values.tgbMutatorWebhookConfig.failurePolicy }}
name: mtargetgroupbinding.elbv2.k8s.aws
admissionReviewVersions:
- v1beta1
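Review bot: `{{ .Values.tgbMutatorWebhookConfig.failurePolicy }}` has no fallback, so this line depends on the `tgbMutatorWebhookConfig` block being present in whatever values the release is rendered with. An upgrade that carries forward an older values set without the new block (for example `helm upgrade --reuse-values`) would no longer get the previously hard-coded `Fail`. Suggest falling back to `Fail` in the template when the key is unset so the webhook stays fail-closed.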
Expand Down Expand Up @@ -182,7 +182,7 @@ webhooks:
name: {{ template "aws-load-balancer-controller.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams
failurePolicy: Fail
failurePolicy: {{ .Values.ingressClassParamsValidatorWebhookConfig.failurePolicy }}
name: vingressclassparams.elbv2.k8s.aws
admissionReviewVersions:
- v1beta1
Expand Down Expand Up @@ -211,7 +211,7 @@ webhooks:
name: {{ template "aws-load-balancer-controller.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding
failurePolicy: Fail
failurePolicy: {{ .Values.tgbValidatorWebhookConfig.failurePolicy }}
name: vtargetgroupbinding.elbv2.k8s.aws
admissionReviewVersions:
- v1beta1
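Review bot: Style point on the new key `tgbValidatorWebhookConfig` (and `tgbMutatorWebhookConfig` in the earlier hunk): the other keys spell the resource out (`ingressClassParamsValidatorWebhookConfig`, `ingressValidatorWebhookConfig`), and the README describes this one as the "TargetGroupBinding Validator webhook". Value keys are hard to rename once released, so consider `targetGroupBindingValidatorWebhookConfig` before this ships.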
Expand All @@ -235,7 +235,7 @@ webhooks:
name: {{ template "aws-load-balancer-controller.webhookService" . }}
namespace: {{ $.Release.Namespace }}
path: /validate-networking-v1-ingress
failurePolicy: Fail
failurePolicy: {{ .Values.ingressValidatorWebhookConfig.failurePolicy }}
matchPolicy: Equivalent
name: vingress.elbv2.k8s.aws
admissionReviewVersions:
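Review bot: Making `failurePolicy` configurable on `vingress.elbv2.k8s.aws` means a values override of `Ignore` turns this validator fail-open: when the webhook service is unreachable or times out, Ingress objects are admitted without the controller's validation. The same applies to the two other validators changed above. The default stays `Fail`, which is good, but the template or the values comment should call out that `Ignore` on a validating webhook skips validation rather than only avoiding an outage.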
27 changes: 26 additions & 1 deletion helm/aws-load-balancer-controller/test.yaml
Expand Up @@ -356,4 +356,29 @@ serviceMutatorWebhookConfig:

podMutatorWebhookConfig:
# whether or not to fail the pod creation if the webhook fails
failurePolicy: Ignore
failurePolicy: Ignore

# podServerIdMutatorWebhookConfig contains configurations specific to the pod service id mutator webhook
podServerIdMutatorWebhookConfig:
# whether or not to fail the pod creation if the webhook fails
failurePolicy: Fail

# tgbMutatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
tgbMutatorWebhookConfig:
# whether or not to fail the tgb creation if the webhook fails
failurePolicy: Fail

# ingressClassParamsValidatorWebhookConfig contains configurations specific to the ingress class params validator webhook
ingressClassParamsValidatorWebhookConfig:
# whether or not to fail the ingress creation if the webhook fails
failurePolicy: Fail

# tgbValidatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
tgbValidatorWebhookConfig:
# whether or not to fail the tgb creation if the webhook fails
failurePolicy: Fail

# ingressValidatorWebhookConfig contains configurations specific to the ingress validator webhook
ingressValidatorWebhookConfig:
# whether or not to fail the ingress creation if the webhook fails
failurePolicy: Fail
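Review bot: Every block added to `test.yaml` sets `failurePolicy: Fail`, which is identical to the defaults added in `values.yaml`, so rendering the chart with this file does not show that an override actually reaches `webhook.yaml`. Suggest setting at least one of the new keys to `Ignore` here (for example `tgbMutatorWebhookConfig.failurePolicy`) so a template that ignored the value would be noticed. The remove and re-add of `failurePolicy: Ignore` at the top of the hunk also looks like a whitespace or end-of-file newline change; worth confirming the file now ends with a newline.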
27 changes: 26 additions & 1 deletion helm/aws-load-balancer-controller/values.yaml
Expand Up @@ -452,11 +452,36 @@ serviceMutatorWebhookConfig:
- CREATE
# - UPDATE

# podMutatorWebhookConfig contains configurations specific to the service mutator webhook
# podMutatorWebhookConfig contains configurations specific to the pod mutator webhook
podMutatorWebhookConfig:
# whether or not to fail the pod creation if the webhook fails
failurePolicy: Ignore

# podServerIdMutatorWebhookConfig contains configurations specific to the pod service id mutator webhook
podServerIdMutatorWebhookConfig:
# whether or not to fail the pod creation if the webhook fails
failurePolicy: Fail

# tgbMutatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
tgbMutatorWebhookConfig:
# whether or not to fail the tgb creation if the webhook fails
failurePolicy: Fail

# ingressClassParamsValidatorWebhookConfig contains configurations specific to the ingress class params validator webhook
ingressClassParamsValidatorWebhookConfig:
# whether or not to fail the ingress creation if the webhook fails
failurePolicy: Fail

# tgbValidatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
tgbValidatorWebhookConfig:
# whether or not to fail the tgb creation if the webhook fails
failurePolicy: Fail

# ingressValidatorWebhookConfig contains configurations specific to the ingress validator webhook
ingressValidatorWebhookConfig:
# whether or not to fail the ingress creation if the webhook fails
failurePolicy: Fail

# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
serviceTargetENISGTags:
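Review bot: The comments on the new blocks are inconsistent with the keys they describe. `podServerIdMutatorWebhookConfig` is commented as the "pod service id mutator webhook" while the key and the README say "Server Id", and `tgbMutatorWebhookConfig` and `tgbValidatorWebhookConfig` carry the identical comment "configurations specific to the targetgroupbinding webhook", which does not tell the mutator from the validator. Suggest "pod server id mutator webhook", "targetgroupbinding mutator webhook" and "targetgroupbinding validator webhook", and noting next to each `failurePolicy` that the accepted values are `Fail` and `Ignore`.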
