cryostatio · ebaron · Jan 16, 2025 · Jan 16, 2025
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -30,7 +30,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
-    createdAt: "2025-01-14T22:32:19Z"
+    createdAt: "2025-01-16T19:04:11Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {
@@ -1234,6 +1234,12 @@ spec:
       deploymentName: cryostat-operator-controller
       failurePolicy: Ignore
       generateName: mpod.cryostat.io
+      objectSelector:
+        matchExpressions:
+          - key: cryostat.io/name
+            operator: Exists
+          - key: cryostat.io/namespace
+            operator: Exists
       rules:
         - apiGroups:
             - ""

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -35,6 +35,7 @@ patchesStrategicMerge:
 - image_pull_patch.yaml
 - manager_webhook_patch.yaml
 - webhookcainjection_patch.yaml
+- webhook_object_selector_patch.yaml
 
 # the following config is for teaching kustomize how to do var substitution
 apiVersion: kustomize.config.k8s.io/v1beta1

diff --git a/config/default/webhook_object_selector_patch.yaml b/config/default/webhook_object_selector_patch.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+webhooks:
+- name: mpod.cryostat.io
+  objectSelector:
+    matchExpressions:
+      - key: cryostat.io/name
+        operator: Exists
+      - key: cryostat.io/namespace
+        operator: Exists
diff --git a/internal/webhooks/agent/pod_defaulter.go b/internal/webhooks/agent/pod_defaulter.go
@@ -62,9 +62,10 @@ func (r *podMutator) Default(ctx context.Context, obj runtime.Object) error {
 		return fmt.Errorf("expected a Pod, but received a %T", obj)
 	}
 
-	// TODO do this with objectSelector: https://github.com/kubernetes-sigs/controller-tools/issues/553
-	// Check for required labels and return early if missing
+	// Check for required labels and return early if missing.
+	// This should not happen because such pods are filtered out by Kubernetes server-side due to our object selector.
 	if !metav1.HasLabel(pod.ObjectMeta, constants.AgentLabelCryostatName) || !metav1.HasLabel(pod.ObjectMeta, constants.AgentLabelCryostatNamespace) {
+		r.log.Info("pod is missing required labels")
 		return nil
 	}