Enhancement request: admission webhook expression filter

[Zombro]

issue

gmsa admission webhook intercepts everything, including pods that have nothing to do with gmsa.

the gmsa mutating webhook has no object selector / match expressions. it may be preferable to incorporate a few filters as this chart moves forward with k8s.

the easy move forward might be something like an objectSelector that matches a label like gmsa-mutate: true

a more hands-free future solution could leverage match conditions testing existence of spec securityContext.windowsOptions.gmsaCredentialSpecName

references

took a look at - https://github.com/kubernetes-sigs/windows-gmsa/pull/145/files. good. this mostly circumvents the issue.

last year k8s added enhancement to support expression filters in webhooks kubernetes/enhancements#3716, marked stable in v1.30+

k8s docs
object filter - start here: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector,
fancy new CEL expressions (1.30+): https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[jsturtevant]

/remove-lifecycle stale

This is something we should probably look into at some point
/help

[k8s-ci-robot]

@jsturtevant:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/remove-lifecycle stale

This is something we should probably look into at some point
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.