Exclude namespaces kube-system and kube-node-lease in mutatingwebhookconfiguration vpa-webhook-config

[britslampe]

Hello, I have the vertical-pod-autoscaler chart installed on a GKE cluster, and in the UI I am notified that the mutatingwebhookconfiguration vpa-webhook-config raises a warning:

This cluster has an admission webhook installed that is intercepting system critical requests in the last 24 hours. Intercepting these requests can impact availability of the GKE Control Plane.

I was able to patch the mutatingwebhookconfiguration object using a post-upgrade helm chart hook, following these instructions: https://cloud.google.com/kubernetes-engine/docs/how-to/optimize-webhooks?&_ga=2.18119354.-2077099904.1664205505#unsafe-webhooks

webhooks:
  ...
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
      - kube-node-lease

Since there isn't really a way to add deny rules to the clusterrole definition, this would need to be patched onto the mutatingwebhookconfiguration object.

Steps

1. create a job YAML under templates
   a. image - bitnami/kubectl
   b. add annotations for the post-upgrade hook https://helm.sh/docs/topics/charts_hooks/#the-available-hooks

   metadata:
     annotations:
       "helm.sh/hook": post-upgrade
       "helm.sh/hook-weight": "1"
   

   c. use kubectl to patch the changes to the namespaceSelector

I was not able to get this to work including annotation "helm.sh/hook-delete-policy": hook-succeeded.

[sebastien-prudhomme]

Hi Brittany, you should open an issue in the upstream project as the webhook is for now created by the application here: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/pkg/admission-controller/config.go#L47

I had plan to manage the webhook directly in the Helm chart but it would introduce a breaking change for current users of the chart.