Targeted namespace annotations #826
Comments
No, there's no chance of achieving this. This is definitely very subtle domain logic we cannot abstract in Capsule, thus I suggest you rely on specific policy engines, like Kyverno, unless the community pushes to achieve this.
Alright, got it. Thanks for the information!
I'm reopening this just to allow people to comment on it and share their interest in this feature.
@prometherion @maxgio92 Revamping the interest for an external policy engine, natively with the Validating Admission Policy feature set (still beta).
Hi,
we recently came across a conceptual issue with namespace annotations. In our clusters we are using linkerd as a service mesh. To ensure that all tenants are properly meshed, we automatically annotate all namespaces by setting the linkerd.io/inject annotation in the additionalMetadata property of the tenants.
Which works perfectly, but recently we came across an issue where a tenant tried to deploy an nginx ingress controller. The issue basically is that linkerd interferes with the startup procedure because it prevents a short-lived container from properly terminating when starting nginx, so the recommendation is to not set the linkerd annotation on the nginx namespaces.
There are probably ways around this specific issue, but generally speaking - is there a way to target or exclude individual namespaces for the additionalMetadata property in capsule? From what I can tell after reading the docs it seems to be all or none.