opa: ignore validating opa pod itself (#2118)

* opa: ignore validating opa pod itself * opa: add uid to response in decision logic * opa: add apiVersion and kind to admission review response
2026-05-24 09:18:23 +00:00 · 2025-11-27 16:19:56 +08:00 · 2025-11-27 16:19:56 +08:00 · 7f27a03e84
commit 7f27a03e84
parent fe6817ff78
2 changed files with 12 additions and 2 deletions
--- a/build/base-package/wizard/config/settings/templates/system_namespace.yaml
+++ b/build/base-package/wizard/config/settings/templates/system_namespace.yaml
@ -17,6 +17,7 @@ metadata:
    kubesphere.io/creator: '{{ .Values.user.name }}'
  labels:
    kubesphere.io/workspace: system-workspace
+    openpolicyagent.org/webhook: ignore
  name: os-platform

 ---
--- a/platform/open-policy-agent/.olares/config/cluster/deploy/deployment.yaml
+++ b/platform/open-policy-agent/.olares/config/cluster/deploy/deployment.yaml
@ -106,7 +106,10 @@ metadata:
  name: opa-validating-webhook
 webhooks:
  - name: validating-webhook.openpolicyagent.org
-    admissionReviewVersions: ["v1beta1"]
+    admissionReviewVersions: ["v1", "v1beta1"]
+    namespaceSelector: 
+      matchExpressions:
+        - {key: openpolicyagent.org/webhook, operator: NotIn, values: [ignore]}
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
@ -142,6 +145,12 @@ metadata:
 data:
  main: |
    package system
+    
+    default uid := ""
+    uid := input.request.uid
+
    main = {
-      "response": {"allowed": true},
+      "apiVersion": "admission.k8s.io/v1",
+      "kind": "AdmissionReview",
+      "response": {"allowed": true, "uid": uid},
    }