From 4e2be87bf3c8beafa3ae6c2cdbe979e00827da51 Mon Sep 17 00:00:00 2001
From: Vivek Thrivikraman <vivek.thrivikraman@est.tech>
Date: Thu, 21 Oct 2021 13:59:49 +0000
Subject: [PATCH] enable nri pod restarts

---
 README.md                  |  2 ++
 deployments/webhook.yaml   |  6 ++++++
 pkg/installer/installer.go | 14 ++++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/README.md b/README.md
index 73b6865d..a295613c 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,8 @@ Currently supported arguments are below. If needed, detailed description is avai
 |network-resource-name-keys|k8s.v1.cni.cncf.io/resourceName|comma separated resource name keys|YES|
 |honor-resources|false|Honor the existing requested resources requests & limits|YES|
 
+NOTE: Network Resource Injector would not mutate pods in kube-system namespace.
+
 ### Features control switches
 It is possible to control some features of Network Resource Injector with runtime configuration. NRI is watching for a ConfigMap with name **nri-control-switches** that should be available in the same namespace as NRI (default is kube-system). Below is example with full configuration that sets all features to disable state. Not all values have to be defined. User can toggle only one feature leaving others in default state. By default state, one should understand state set during webhook initialization. Could be a state set by CLI argument, default argument embedded in code or environment variable.
 
diff --git a/deployments/webhook.yaml b/deployments/webhook.yaml
index 2c9321ff..1c86d2cf 100644
--- a/deployments/webhook.yaml
+++ b/deployments/webhook.yaml
@@ -14,6 +14,12 @@ webhooks:
         namespace: ${NAMESPACE}
         path: "/mutate"
       caBundle: ${CA_BUNDLE}
+    namespaceSelector:
+      matchExpressions:
+        - key: "kubernetes.io/metadata.name"
+          operator: "NotIn"
+          values:
+            - "kube-system"
     rules:
       - operations: [ "CREATE" ]
         apiGroups: ["apps", ""]
diff --git a/pkg/installer/installer.go b/pkg/installer/installer.go
index 015e7cf0..8ad63335 100644
--- a/pkg/installer/installer.go
+++ b/pkg/installer/installer.go
@@ -107,6 +107,19 @@ func createMutatingWebhookConfiguration(certificate []byte, failurePolicyStr str
 	}
 	sideEffects := arv1.SideEffectClassNone
 	path := "/mutate"
+	namespaces := []string{"kube-system"}
+	if namespace != "kube-system" {
+		namespaces = append(namespaces, namespace)
+	}
+	namespaceSelector := metav1.LabelSelector{
+		MatchExpressions: []metav1.LabelSelectorRequirement{
+			{
+				Key:      "kubernetes.io/metadata.name",
+				Operator: metav1.LabelSelectorOpNotIn,
+				Values:   namespaces,
+			},
+		},
+	}
 	configuration := &arv1.MutatingWebhookConfiguration{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: configName,
@@ -128,6 +141,7 @@ func createMutatingWebhookConfiguration(certificate []byte, failurePolicyStr str
 				FailurePolicy:           &failurePolicy,
 				AdmissionReviewVersions: []string{"v1"},
 				SideEffects:             &sideEffects,
+				NamespaceSelector:       &namespaceSelector,
 				Rules: []arv1.RuleWithOperations{
 					arv1.RuleWithOperations{
 						Operations: []arv1.OperationType{arv1.Create},