From 58710dcc5ae7672dcdb3c7605f0178b6d3e162b3 Mon Sep 17 00:00:00 2001
From: lianghao208
Date: Sun, 5 Nov 2023 02:59:33 +0800
Subject: [PATCH] Switch from objectSelector to AdmissionWebhookMatchConditions
---
 .../v1beta1/components/controller/controller.yaml | 1 -
 manifests/v1beta1/components/webhook/webhooks.yaml | 13 +++----------
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/manifests/v1beta1/components/controller/controller.yaml b/manifests/v1beta1/components/controller/controller.yaml
index 06579ff08ce..c6f97b5f189 100644
--- a/manifests/v1beta1/components/controller/controller.yaml
+++ b/manifests/v1beta1/components/controller/controller.yaml
@@ -15,7 +15,6 @@ spec:
 metadata:
 labels:
 katib.kubeflow.org/component: controller
- katib.kubeflow.org/metrics-collector-injection: disabled
 annotations:
 prometheus.io/scrape: "true"
 prometheus.io/port: "8080"
diff --git a/manifests/v1beta1/components/webhook/webhooks.yaml b/manifests/v1beta1/components/webhook/webhooks.yaml
index bb3f291daf2..111941fb829 100644
--- a/manifests/v1beta1/components/webhook/webhooks.yaml
+++ b/manifests/v1beta1/components/webhook/webhooks.yaml
@@ -63,16 +63,9 @@ webhooks:
 namespaceSelector:
 matchLabels:
 katib.kubeflow.org/metrics-collector-injection: enabled
- # Once the AdmissionWebhookMatchConditions feature gate is enabled by default, we should switch to control based on userInfo.
- # REF:
- # - AdmissionWebhookMatchConditions: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions
- # - Tracking issue: https://github.com/kubeflow/katib/issues/2206
- objectSelector:
- matchExpressions:
- - key: katib.kubeflow.org/metrics-collector-injection
- operator: NotIn
- values:
- - disabled
+ matchConditions:
+ - name: 'exclude-katib-controller'
+ expression: 'request.userInfo.username != "system:serviceaccount:kubeflow:katib-controller"'
 rules:
 - apiGroups:
 - ""
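Review bot: The new `matchConditions` entry in webhooks.yaml hard-codes both the namespace and the service-account name in `"system:serviceaccount:kubeflow:katib-controller"`, so an install in another namespace or with a renamed service account silently loses the exclusion, and every request selected by `rules` in a labelled namespace, the controller's own included, is sent to the webhook. The removed `objectSelector` was the only per-pod opt-out, and the first hunk also drops the `disabled` label from the controller pod template; if that pod is created by the ReplicaSet controller rather than by the katib-controller service account (likely, but not visible here), it is no longer excluded from the webhook it serves whenever its namespace carries the `enabled` label. I would keep the `objectSelector` next to the new condition and add a comment above `matchConditions`, for example `# Requires the AdmissionWebhookMatchConditions feature gate; the username must match the namespace and service account Katib is deployed with.` The webhook entry starts and ends outside this hunk, so its `failurePolicy` and the full `rules` list cannot be checked from here.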