CRD Multiversion (Conversion webhook)

[serhermar]

Hello everyone,

I am developing an operator with kubebuilder 3.2.0, I am looking at the possibility of using multiversion and I have encountered a problem.

By adding the following to the CRD itself for the convert webhook:

spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: webhook-service
          namespace: system
          path: /convert
      conversionReviewVersions:
      - v1

This makes the operator have to be cluster-wide, since the CRD is the one that marks which is the webhook-server.

I have seen the possibility of setting strategy: None, but of course the conversion method to the hub version is not executed.

I am doing something wrong? o Is there an alternative to not force the operator to be cluster-wide but namespace-wide?

Thank you very much in advance

[camilamacedo86]

Hello,

By using webhooks for CRD conversion or validation, the webhooks are typically cluster-scoped because CRDs themselves can be cluster-scoped. This means the webhook needs to be accessible from all namespaces for any instance of the CRD, which is why when you specify the webhook in the CRD definition, it makes the operator essentially cluster-scoped.

However, note that even if you have a cluster-wide webhook, you can still use RBAC to limit the permissions of the operator itself. Make sure the ClusterRole/Role and ClusterRoleBinding/RoleBinding for the operator only give it permissions to the namespace(s) where you want it to operate.

You might also can deploy the webhook server separately from your main operator deployment. The webhook server can be cluster-scoped (since it needs to handle requests from all namespaces), while the main operator logic can still be namespace-scoped. This will add some complexity to your deployment, but it's a feasible approach.

By using Strategy: None as you mentioned, setting the conversion strategy to None in the best of my knowledge means no conversion webhook would be invoked. That does not seems a real solution if you need the conversion logic to be executed.

Lastly, please check the following documentations to have a better understand about Operator/CRD cluster/namespace scoped:

• Operator Scope: https://sdk.operatorframework.io/docs/building-operators/golang/operator-scope/
• CRD scope: https://sdk.operatorframework.io/docs/building-operators/golang/crds-scope/

Hope this helps!

Closing this one as sorted out.
However, please feel free to reopen if you need to do so.