From 66a068632547838928ad7706fd4f5ebd575c69de Mon Sep 17 00:00:00 2001 From: lianghao208 Date: Sun, 5 Nov 2023 02:59:33 +0800 Subject: [PATCH] Switch from objectSelector to AdmissionWebhookMatchConditions --- .../v1beta1/components/controller/controller.yaml | 1 - manifests/v1beta1/components/webhook/webhooks.yaml | 13 +++---------- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/manifests/v1beta1/components/controller/controller.yaml b/manifests/v1beta1/components/controller/controller.yaml index 06579ff08ce..c6f97b5f189 100644 --- a/manifests/v1beta1/components/controller/controller.yaml +++ b/manifests/v1beta1/components/controller/controller.yaml @@ -15,7 +15,6 @@ spec: metadata: labels: katib.kubeflow.org/component: controller - katib.kubeflow.org/metrics-collector-injection: disabled annotations: prometheus.io/scrape: "true" prometheus.io/port: "8080" diff --git a/manifests/v1beta1/components/webhook/webhooks.yaml b/manifests/v1beta1/components/webhook/webhooks.yaml index da9a2d18666..fb8d93b06be 100644 --- a/manifests/v1beta1/components/webhook/webhooks.yaml +++ b/manifests/v1beta1/components/webhook/webhooks.yaml @@ -60,16 +60,9 @@ webhooks: namespaceSelector: matchLabels: katib.kubeflow.org/metrics-collector-injection: enabled - # Once the AdmissionWebhookMatchConditions feature gate is enabled by default, we should switch to control based on userInfo. - # REF: - # - AdmissionWebhookMatchConditions: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions - # - Tracking issue: https://github.com/kubeflow/katib/issues/2206 - objectSelector: - matchExpressions: - - key: katib.kubeflow.org/metrics-collector-injection - operator: NotIn - values: - - disabled + matchConditions: + - name: 'exclude-katib-controller' + expression: 'request.userInfo.username != "system:serviceaccount:kubeflow:katib-controller"' rules: - apiGroups: - ""