Aitozi commented on code in PR #242: URL: https://github.com/apache/flink-kubernetes-operator/pull/242#discussion_r881142701
########## docs/content/docs/operations/helm.md: ########## @@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter. When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope. +Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests +so that only validation requests from the specified namespace will be processed. The `kubernetes.io/metadata.name` label is automatically attached since k8s [1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211). + +As a result, for users who run the flink kubernetes operator with older k8s version, they may label the specified namespace by themselves before installing the operator with helm: + +``` +kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target namespace> +``` + +Besides, users can define their own namespaceSelector to filter the requests due to customized requirements. +A simple example that only accept requests from namespaces with both `kubernetes.io/metadata.name` amd `username` labels could be: Review Comment: Besides, I think users just need to customize the selector key, not the content, because the content should be aligned with the operator's watched namespaces. ########## docs/content/docs/operations/helm.md: ########## 
@@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter. When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope. +Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests +so that only validation requests from the specified namespace will be processed. The `kubernetes.io/metadata.name` label is automatically attached since k8s [1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211). + +As a result, for users who run the flink kubernetes operator with older k8s version, they may label the specified namespace by themselves before installing the operator with helm: + +``` +kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target namespace> +``` + +Besides, users can define their own namespaceSelector to filter the requests due to customized requirements. +A simple example that only accept requests from namespaces with both `kubernetes.io/metadata.name` amd `username` labels could be: Review Comment: typo: amd -> and
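
Review bot: In the added paragraph beginning "As a result, for users who run the flink kubernetes operator with older k8s version", the wording "they may label the specified namespace" reads as optional, while the sentence before it says the default webhook relies on the `kubernetes.io/metadata.name` label to filter validation requests. On a cluster that does not attach that label automatically, a watched namespace without it would have its requests filtered out rather than validated, so the docs should state the labelling step as a requirement ("must label ... before installing the operator with helm") and say what happens when the label is missing. A smaller point in the same hunk: the changelog link targets `blob/master`, which can move, so pinning it to a release tag would keep the `#v1211` anchor stable.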