Aitozi commented on code in PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242#discussion_r881142701


##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing 
the `--set webhook.cr
 The operator supports watching a specific list of namespaces for 
FlinkDeployment resources. You can enable it by setting the `--set 
watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically 
for these namespaces for the operator and the jobmanagers, otherwise it 
defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay 
attention to the definition of `namespaceSelector.matchExpressions` in 
`webhook.yaml`. Currently, the default implementation of webhook relies on the 
`kubernetes.io/metadata.name` label to filter the validation requests
+so that only validation requests from the specified namespace will be 
processed. The `kubernetes.io/metadata.name` label is automatically attached 
since k8s 
[1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211).
+
+As a result, for users who run the flink kubernetes operator with older k8s 
version, they may label the specified namespace by themselves before installing 
the operator with helm:
+
+```
+kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target 
namespace>
+```
+
+Besides, users can define their own namespaceSelector to filter the requests 
due to customized requirements. 
+A simple example that only accept requests from namespaces with both 
`kubernetes.io/metadata.name` amd `username` labels could be:
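
Review bot: The paragraph on older k8s versions (the `kubectl label namespace` step) does not say what happens when the label is missing. Since the webhook's `namespaceSelector.matchExpressions` filters on `kubernetes.io/metadata.name`, a watched namespace without that label would not match the selector and its requests would not be processed by the webhook. Suggest stating that consequence next to the command, and replacing "older k8s version" with the explicit boundary ("older than 1.21.1") so users can tell whether the manual step applies to them.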

Review Comment:
   Besides, I think users just need to customize the selector key, not the
content, because the content should be aligned with the operator's watched
namespaces.



##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing 
the `--set webhook.cr
 The operator supports watching a specific list of namespaces for 
FlinkDeployment resources. You can enable it by setting the `--set 
watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically 
for these namespaces for the operator and the jobmanagers, otherwise it 
defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay 
attention to the definition of `namespaceSelector.matchExpressions` in 
`webhook.yaml`. Currently, the default implementation of webhook relies on the 
`kubernetes.io/metadata.name` label to filter the validation requests
+so that only validation requests from the specified namespace will be 
processed. The `kubernetes.io/metadata.name` label is automatically attached 
since k8s 
[1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211).
+
+As a result, for users who run the flink kubernetes operator with older k8s 
version, they may label the specified namespace by themselves before installing 
the operator with helm:
+
+```
+kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target 
namespace>
+```
+
+Besides, users can define their own namespaceSelector to filter the requests 
due to customized requirements. 
+A simple example that only accept requests from namespaces with both 
`kubernetes.io/metadata.name` amd `username` labels could be:
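
Review bot: The last added paragraph ("users can define their own namespaceSelector ... due to customized requirements") places no constraint on the custom selector. The preceding text explains that the default selector exists so that only requests from the specified namespace are processed, so the docs should say that a custom selector still has to match the namespaces passed in `watchNamespaces`. Separately, "A simple example that only accept" should read "accepts".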

Review Comment:
   typo: amd -> and


