Targeted namespace annotations #826

Open
micke-post opened this issue Oct 16, 2023 · 4 comments
Labels
needs-discussion No outline on the feature, discussion is welcome

Comments

@micke-post

Hi,
we recently came across a conceptual issue with namespace annotations. In our clusters we are using linkerd as a service mesh. To ensure that all tenants are properly meshed, we automatically annotate all namespaces by setting the linkerd.io/inject annotation in the additionalMetadata property of the tenants.

This works perfectly, but recently we came across an issue where a tenant tried to deploy an nginx ingress controller. The issue basically is that linkerd interferes with the startup procedure because it prevents a short-lived container from properly terminating when starting nginx, so the recommendation is to not set the linkerd annotation on the nginx namespaces.

There are probably ways around this specific issue, but generally speaking - is there a way to target or exclude individual namespaces for the additionalMetadata property in capsule? From what I can tell after reading the docs it seems to be all or none.

@micke-post micke-post added the blocked-needs-validation Issue need triage and validation label Oct 16, 2023
@prometherion
Member

> is there a way to target or exclude individual namespaces for the additionalMetadata property in capsule?

No, there's no chance of achieving this. This is definitely a very subtle domain logic we cannot abstract in Capsule, thus I suggest you rely on specific policy engines, like Kyverno unless the community pushes to achieve this.

@micke-post
Author

Alright, got it. Thanks for the information!

@prometherion prometherion added needs-discussion No outline on the feature, discussion is welcome and removed blocked-needs-validation Issue need triage and validation labels Oct 16, 2023
@prometherion
Member

I'm reopening this just to allow people to comment on it and share their interest in this feature.

@prometherion prometherion reopened this Oct 16, 2023
@bsctl
Member

bsctl commented Oct 16, 2023

@prometherion @maxgio92 Revamping the interest for external policy engine, natively with Validating Admission Policy feature set (still beta).
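
The policy-engine route suggested in this thread could look like the Kyverno ClusterPolicy below. It is an added example, not part of the original thread and not code from the Capsule project. It assumes tenant namespaces carry Capsule's `capsule.clastix.io/tenant` label, and the opt-out label `mesh.example.com/skip-inject` is a hypothetical name chosen for illustration.

```yaml
# Added example (not from the thread or the Capsule project).
# Assumption: tenant namespaces carry the capsule.clastix.io/tenant label.
# Assumption: mesh.example.com/skip-inject is a hypothetical opt-out label.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-linkerd-tenant-namespaces
spec:
  rules:
    - name: annotate-tenant-namespaces
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                # Any namespace that belongs to a Capsule tenant.
                matchExpressions:
                  - key: capsule.clastix.io/tenant
                    operator: Exists
      exclude:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                # Namespaces explicitly opted out, e.g. an ingress controller.
                matchLabels:
                  mesh.example.com/skip-inject: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # "+()" adds the annotation only when it is not already set.
              +(linkerd.io/inject): enabled
```

With a policy like this, the linkerd.io/inject annotation would be removed from the tenants' additionalMetadata so that the policy alone decides which namespaces are meshed. Because the opt-out label takes a namespace out of the mesh, restrict who may set it (for example to cluster administrators) so tenants cannot use it to skip injection on their own.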
