feat: support namespaced webhook configurations for multi-operator deployments#890
Open
maxlengdell wants to merge 1 commit into
Open
feat: support namespaced webhook configurations for multi-operator deployments#890maxlengdell wants to merge 1 commit into
maxlengdell wants to merge 1 commit into
Conversation
maxlengdell
requested review from
fcanovai,
gbartolini,
itay-grudev,
leonardoce,
mnencia and
phisco
as code owners
dosubot
Bot
added
the
size:XS
Author
|
Should also update the ClusterRole and ClusterRoleBinding convention |
…ployments When config.namespacedWebhooks is enabled and multiple operators share the same release name in different namespaces, the ClusterRoleBinding name collides and the second install overwrites the first, revoking permissions from the earlier operator. Append the operator namespace to the ClusterRoleBinding name (matching the existing webhook configuration name suffixing). The ClusterRole itself remains shared since permissions are identical across instances. Signed-off-by: Max Lengdell <max.a.lengdell@ericsson.com>
dosubot
Bot
added
size:S
guille-work
reviewed
Jun 22, 2026
| clusterWide: true | ||
| # -- When set to true, appends the operator namespace to webhook configuration | ||
| # names to avoid collisions when running multiple operators in namespaced mode. | ||
| namespacedWebhooks: false |
There was a problem hiding this comment.
Would it make more sense to fold this into clusterWide so that if clusterWide is false the webhooks are always namespaced?
I also wonder if this feature could allow for moving the webhooks permissions from cluster-wide to commonRules, allowing them to be namespace scoped as well, which would greatly remove the cluster-wide permissions needed to install the operator.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add config.namespacedWebhooks option that, when enabled:
This allows multiple CloudNativePG operators to run in single-namespace mode on the same cluster without webhook name collisions.