From 7f27a03e847d5f123d9e7fb8378d1459defc03e5 Mon Sep 17 00:00:00 2001
From: eball
Date: Thu, 27 Nov 2025 16:19:56 +0800
Subject: [PATCH] opa: ignore validating opa pod itself (#2118)
* opa: ignore validating opa pod itself
* opa: add uid to response in decision logic
* opa: add apiVersion and kind to admission review response
---
 .../config/settings/templates/system_namespace.yaml | 1 +
 .../.olares/config/cluster/deploy/deployment.yaml | 13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/build/base-package/wizard/config/settings/templates/system_namespace.yaml b/build/base-package/wizard/config/settings/templates/system_namespace.yaml
index 43d0f996a..f8b3803aa 100644
--- a/build/base-package/wizard/config/settings/templates/system_namespace.yaml
+++ b/build/base-package/wizard/config/settings/templates/system_namespace.yaml
@@ -17,6 +17,7 @@ metadata:
 kubesphere.io/creator: '{{ .Values.user.name }}'
 labels:
 kubesphere.io/workspace: system-workspace
+ openpolicyagent.org/webhook: ignore
 name: os-platform
 ---
diff --git a/platform/open-policy-agent/.olares/config/cluster/deploy/deployment.yaml b/platform/open-policy-agent/.olares/config/cluster/deploy/deployment.yaml
index 7c001f056..f71573754 100644
--- a/platform/open-policy-agent/.olares/config/cluster/deploy/deployment.yaml
+++ b/platform/open-policy-agent/.olares/config/cluster/deploy/deployment.yaml
@@ -106,7 +106,10 @@ metadata:
 name: opa-validating-webhook
 webhooks:
 - name: validating-webhook.openpolicyagent.org
- admissionReviewVersions: ["v1beta1"]
+ admissionReviewVersions: ["v1", "v1beta1"]
+ namespaceSelector:
+ matchExpressions:
+ - {key: openpolicyagent.org/webhook, operator: NotIn, values: [ignore]}
 rules:
 - operations: ["CREATE", "UPDATE"]
 apiGroups: ["*"]
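Review bot: The added label `openpolicyagent.org/webhook: ignore` on the `os-platform` namespace opts the entire namespace out of the OPA validating webhook, not just the OPA pod that the commit title describes; anything else deployed into `os-platform` (this is a platform namespace template, so other system components presumably land here) will no longer be policy-checked. If only the OPA workload needs the exemption, an `objectSelector` on the OPA deployment's pod labels in the webhook configuration would be narrower than a namespace-wide opt-out. At minimum the reason for the exemption should be recorded next to the label, e.g. `# opt-out of OPA admission: the OPA pod itself runs here and cannot validate its own creation`.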
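Review bot: The new `namespaceSelector` turns a single mutable label into a policy bypass: any principal with update/patch on Namespace objects can set `openpolicyagent.org/webhook=ignore` on a namespace and exempt every CREATE/UPDATE in it from this webhook, which the `apiGroups: ["*"]` rule otherwise covers. Because the webhook already sees Namespace updates, a Rego deny for adding this label to any namespace other than `os-platform` (or RBAC limiting who may edit namespace labels) would close that hole. The webhook's `failurePolicy` is outside the hunk; if it is `Fail`, the selector is also what lets the OPA pod start while its own backend is unreachable, so a comment such as `# namespaces labelled openpolicyagent.org/webhook=ignore bypass this webhook (os-platform hosts OPA itself)` would make the coupling with the namespace template explicit.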
@@ -142,6 +145,12 @@ metadata:
 data:
 main: |
 package system
+
+ default uid := ""
+ uid := input.request.uid
+
 main = {
- "response": {"allowed": true},
+ "apiVersion": "admission.k8s.io/v1",
+ "kind": "AdmissionReview",
+ "response": {"allowed": true, "uid": uid},
 }
\ No newline at end of file
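Review bot: `"apiVersion": "admission.k8s.io/v1"` is hardcoded while the webhook configuration in the same commit advertises both `v1` and `v1beta1`, so on an API server that falls back to `v1beta1` the response version would not match the request; echoing the request instead, `"apiVersion": input.apiVersion,` and `"kind": input.kind,`, keeps the response correct for whichever version was sent. The `default uid := ""` fallback only stops the rule from becoming undefined when `input.request.uid` is absent; under `v1` the API server still rejects a response whose uid does not match, so the empty default is a diagnostic aid rather than a recovery path and deserves a comment saying so. Separately, `main` still returns `"allowed": true` unconditionally, so as written this policy approves everything regardless of any deny rules loaded elsewhere; if this is only a bootstrap stub that other bundles override, a comment stating that would prevent it being mistaken for the enforcement point.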