Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2022/05/24 13:02:35 UTC

[GitHub] [flink-kubernetes-operator] bgeng777 opened a new pull request, #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

bgeng777 opened a new pull request, #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242

   - Improve the documentation of the `Watching only specific namespaces` part in `helm.md` to introduce how to make the webhook work as expected with different k8s versions.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [flink-kubernetes-operator] wangyang0918 merged pull request #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

Posted by GitBox <gi...@apache.org>.
wangyang0918 merged PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242




[GitHub] [flink-kubernetes-operator] bgeng777 commented on a diff in pull request #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

Posted by GitBox <gi...@apache.org>.
bgeng777 commented on code in PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242#discussion_r881193136


##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr
 The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests
+so that only validation requests from the specified namespace will be processed. The `kubernetes.io/metadata.name` label is automatically attached since k8s [1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211).
+
+As a result, for users who run the flink kubernetes operator with older k8s version, they may label the specified namespace by themselves before installing the operator with helm:
+
+```
+kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target namespace>
+```
+
+Besides, users can define their own namespaceSelector to filter the requests due to customized requirements. 
+A simple example that only accept requests from namespaces with both `kubernetes.io/metadata.name` amd `username` labels could be:
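
Review bot: The paragraph ahead of the `kubectl label` command says only requests from the labelled namespace are processed, but it never states what happens on a cluster older than 1.21.1 when the label is missing: the `namespaceSelector` does not match, so the API server does not call the webhook for that namespace and resources there are admitted without validation and without any error. Please say so explicitly, and say that the label has to be applied to every namespace listed in `watchNamespaces`, not just one.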

Review Comment:
   Thanks! Fixed in ae04da612a55dd7d3a8c728fb448ca8f725d3de7





[GitHub] [flink-kubernetes-operator] wangyang0918 commented on a diff in pull request #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

Posted by GitBox <gi...@apache.org>.
wangyang0918 commented on code in PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242#discussion_r881185048


##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,28 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr
 The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests
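
Review bot: The added line points readers at `webhook.yaml` without saying where that file lives or whether the selector is meant to be changed in the chart template or through a Helm value, unlike the `--set watchNamespaces={flink-test}` instruction in the context lines above it. Give the file's path inside the chart and the intended way to override it; `working with webhook` also needs an article (`the webhook`).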

Review Comment:
   nit: we could use `<span class="label label-info">Note</span>`.





[GitHub] [flink-kubernetes-operator] Aitozi commented on a diff in pull request #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

Posted by GitBox <gi...@apache.org>.
Aitozi commented on code in PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242#discussion_r881142701


##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr
 The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests
+so that only validation requests from the specified namespace will be processed. The `kubernetes.io/metadata.name` label is automatically attached since k8s [1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211).
+
+As a result, for users who run the flink kubernetes operator with older k8s version, they may label the specified namespace by themselves before installing the operator with helm:
+
+```
+kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target namespace>
+```
+
+Besides, users can define their own namespaceSelector to filter the requests due to customized requirements. 
+A simple example that only accept requests from namespaces with both `kubernetes.io/metadata.name` amd `username` labels could be:
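
Review bot: The custom-selector example introduced in the last two added lines keys on a `username` label, which is an ordinary namespace label: anyone who may edit namespace labels can then move a namespace into or out of the webhook's scope. The text should tell readers that a custom selector still has to cover exactly the namespaces in `watchNamespaces`, and that permission to label those namespaces needs to be restricted accordingly.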

Review Comment:
   Besides, I think users just need to customize the selector key, not the content, because the content should be aligned with the operator's watched namespaces.



##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr
 The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests
+so that only validation requests from the specified namespace will be processed. The `kubernetes.io/metadata.name` label is automatically attached since k8s [1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211).
+
+As a result, for users who run the flink kubernetes operator with older k8s version, they may label the specified namespace by themselves before installing the operator with helm:
+
+```
+kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target namespace>
+```
+
+Besides, users can define their own namespaceSelector to filter the requests due to customized requirements. 
+A simple example that only accept requests from namespaces with both `kubernetes.io/metadata.name` amd `username` labels could be:
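
Review bot: Wording in the last two added lines: besides the `amd` typo, `that only accept requests` should read `that only accepts requests`, `due to customized requirements` reads better as `to meet custom requirements`, and the line ending in `customized requirements.` carries a trailing space. Writing `namespaceSelector` in backticks there would also match the `namespaceSelector.matchExpressions` used earlier in the same hunk.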

Review Comment:
   typo: amd -> and





[GitHub] [flink-kubernetes-operator] bgeng777 commented on a diff in pull request #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

Posted by GitBox <gi...@apache.org>.
bgeng777 commented on code in PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242#discussion_r881193136


##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,29 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr
 The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests
+so that only validation requests from the specified namespace will be processed. The `kubernetes.io/metadata.name` label is automatically attached since k8s [1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#v1211).
+
+As a result, for users who run the flink kubernetes operator with older k8s version, they may label the specified namespace by themselves before installing the operator with helm:
+
+```
+kubectl label namespace <target namespace> kubernetes.io/metadata.name=<target namespace>
+```
+
+Besides, users can define their own namespaceSelector to filter the requests due to customized requirements. 
+A simple example that only accept requests from namespaces with both `kubernetes.io/metadata.name` amd `username` labels could be:
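
Review bot: In the fenced `kubectl label namespace` command, the placeholder `<target namespace>` contains a space, so it reads as two arguments, and its angle brackets are shell redirection characters if the line is pasted unchanged. Suggest `<target-namespace>` or a variable such as `$NAMESPACE`, and consider tagging the fence with a language so the command is highlighted as shell.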

Review Comment:
   Thanks! Fixed in 2c03133





[GitHub] [flink-kubernetes-operator] bgeng777 commented on a diff in pull request #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

Posted by GitBox <gi...@apache.org>.
bgeng777 commented on code in PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242#discussion_r881193025


##########
docs/content/docs/operations/helm.md:
##########
@@ -107,6 +107,28 @@ The webhook can be disabled during helm install by passing the `--set webhook.cr
 The operator supports watching a specific list of namespaces for FlinkDeployment resources. You can enable it by setting the `--set watchNamespaces={flink-test}` parameter.
 When this is enabled role-based access control is only created specifically for these namespaces for the operator and the jobmanagers, otherwise it defaults to cluster scope.
 
+Note, when working with webhook in a specified namespace, users should pay attention to the definition of `namespaceSelector.matchExpressions` in `webhook.yaml`. Currently, the default implementation of webhook relies on the `kubernetes.io/metadata.name` label to filter the validation requests
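
Review bot: The added line speaks of `a specified namespace`, while the context line above it describes `a specific list of namespaces`; the singular suggests the selector handles only one namespace. Use the plural here, and replace `Currently, the default implementation` with the operator version it applies to so the note does not go stale.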

Review Comment:
   It does look nicer:
   <img width="842" alt="image" src="https://user-images.githubusercontent.com/80749729/170175942-a412af6f-e2b6-4ddf-adf8-2283984fedd0.png">
   





[GitHub] [flink-kubernetes-operator] bgeng777 commented on pull request #242: [FLINK-27615] Document how to define namespaceSelector for k8s operator's webhook

Posted by GitBox <gi...@apache.org>.
bgeng777 commented on PR #242:
URL: https://github.com/apache/flink-kubernetes-operator/pull/242#issuecomment-1136017180

   cc @wangyang0918 @Aitozi 

