wrap namespaceSelector values for admission-controller with a flag

vertical-pod-autoscaler/pkg/admission-controller/README.md

@@ -32,6 +32,8 @@ up the changes: ```sudo systemctl restart kubelet.service```
    for pods on their creation & updates.
 1. You can specify a path for it to register as a part of the installation process
    by setting `--register-by-url=true` and passing `--webhook-address` and `--webhook-port`.
+1. You can optionally provide a of comma separated list of namespaces for the webhook
+   to ignore using `--webhook-ignore-namespaces`.
 
 ## Implementation
 

vertical-pod-autoscaler/pkg/admission-controller/config.go

@@ -44,7 +44,7 @@ func configTLS(serverCert, serverKey []byte) *tls.Config {
 
 // register this webhook admission controller with the kube-apiserver
 // by creating MutatingWebhookConfiguration.
-func selfRegistration(clientset *kubernetes.Clientset, caCert []byte, namespace, serviceName, url string, registerByURL bool, timeoutSeconds int32) {
+func selfRegistration(clientset *kubernetes.Clientset, caCert []byte, namespace, serviceName, url string, registerByURL bool, timeoutSeconds int32, ignoredNamespaces []string) {
 	time.Sleep(10 * time.Second)
 	client := clientset.AdmissionregistrationV1().MutatingWebhookConfigurations()
 	_, err := client.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
@@ -70,7 +70,7 @@ func selfRegistration(clientset *kubernetes.Clientset, caCert []byte, namespace,
 			{
 				Key:      "kubernetes.io/metadata.name",
 				Operator: metav1.LabelSelectorOpNotIn,
-				Values:   []string{"kube-system", "kube-node-lease"},
+				Values:   ignoredNamespaces,
 			},
 		},
 	}

vertical-pod-autoscaler/pkg/admission-controller/main.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 	"time"
 
 	apiv1 "k8s.io/api/core/v1"
@@ -55,19 +56,20 @@ var (
 		tlsPrivateKey: flag.String("tls-private-key", "/etc/tls-certs/serverKey.pem", "Path to server certificate key PEM file."),
 	}
 
-	port               = flag.Int("port", 8000, "The port to listen on.")
-	address            = flag.String("address", ":8944", "The address to expose Prometheus metrics.")
-	kubeconfig         = flag.String("kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	kubeApiQps         = flag.Float64("kube-api-qps", 5.0, `QPS limit when making requests to Kubernetes apiserver`)
-	kubeApiBurst       = flag.Float64("kube-api-burst", 10.0, `QPS burst limit when making requests to Kubernetes apiserver`)
-	namespace          = os.Getenv("NAMESPACE")
-	serviceName        = flag.String("webhook-service", "vpa-webhook", "Kubernetes service under which webhook is registered. Used when registerByURL is set to false.")
-	webhookAddress     = flag.String("webhook-address", "", "Address under which webhook is registered. Used when registerByURL is set to true.")
-	webhookPort        = flag.String("webhook-port", "", "Server Port for Webhook")
-	webhookTimeout     = flag.Int("webhook-timeout-seconds", 30, "Timeout in seconds that the API server should wait for this webhook to respond before failing.")
-	registerWebhook    = flag.Bool("register-webhook", true, "If set to true, admission webhook object will be created on start up to register with the API server.")
-	registerByURL      = flag.Bool("register-by-url", false, "If set to true, admission webhook will be registered by URL (webhookAddress:webhookPort) instead of by service name")
-	vpaObjectNamespace = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.")
+	port                     = flag.Int("port", 8000, "The port to listen on.")
+	address                  = flag.String("address", ":8944", "The address to expose Prometheus metrics.")
+	kubeconfig               = flag.String("kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
+	kubeApiQps               = flag.Float64("kube-api-qps", 5.0, `QPS limit when making requests to Kubernetes apiserver`)
+	kubeApiBurst             = flag.Float64("kube-api-burst", 10.0, `QPS burst limit when making requests to Kubernetes apiserver`)
+	namespace                = os.Getenv("NAMESPACE")
+	serviceName              = flag.String("webhook-service", "vpa-webhook", "Kubernetes service under which webhook is registered. Used when registerByURL is set to false.")
+	webhookAddress           = flag.String("webhook-address", "", "Address under which webhook is registered. Used when registerByURL is set to true.")
+	webhookPort              = flag.String("webhook-port", "", "Server Port for Webhook")
+	webhookTimeout           = flag.Int("webhook-timeout-seconds", 30, "Timeout in seconds that the API server should wait for this webhook to respond before failing.")
+	registerWebhook          = flag.Bool("register-webhook", true, "If set to true, admission webhook object will be created on start up to register with the API server.")
+	registerByURL            = flag.Bool("register-by-url", false, "If set to true, admission webhook will be registered by URL (webhookAddress:webhookPort) instead of by service name")
+	vpaObjectNamespace       = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.")
+	webhookIgnoredNamespaces = flag.String("webhook-ignore-namespaces", "", "Comma separated list of namespaces the admission webhook object will ignore.")
 )
 
 func main() {
@@ -128,9 +130,10 @@ func main() {
 		TLSConfig: configTLS(certs.serverCert, certs.serverKey),
 	}
 	url := fmt.Sprintf("%v:%v", *webhookAddress, *webhookPort)
+	ignoredNamespaces := strings.Split(*webhookIgnoredNamespaces, ",")
 	go func() {
 		if *registerWebhook {
-			selfRegistration(kubeClient, certs.caCert, namespace, *serviceName, url, *registerByURL, int32(*webhookTimeout))
+			selfRegistration(kubeClient, certs.caCert, namespace, *serviceName, url, *registerByURL, int32(*webhookTimeout), ignoredNamespaces)
 		}
 		// Start status updates after the webhook is initialized.
 		statusUpdater.Run(stopCh)