diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
index 8ccf0c336..d1da11e27 100644
--- a/helm/aws-load-balancer-controller/README.md
+++ b/helm/aws-load-balancer-controller/README.md
@@ -282,6 +282,12 @@ The default values set by the application itself can be confirmed [here](https:/
 | `serviceMutatorWebhookConfig.failurePolicy` | Failure policy for the Service Mutator webhook | `Fail` |
 | `serviceMutatorWebhookConfig.objectSelector` | Object selector(s) to limit which objects will be mutated by the Service Mutator webhook | `[]` |
 | `serviceMutatorWebhookConfig.operations` | List of operations that will trigger the the Service Mutator webhook | `[ CREATE ]` |
+| `podMutatorWebhookConfig.failurePolicy` | Failure policy for the Pod Mutator webhook | `Ignore` |
+| `podServerIdMutatorWebhookConfig.failurePolicy` | Failure policy for the Pod Server Id Mutator webhook | `Fail` |
+| `tgbMutatorWebhookConfig.failurePolicy` | Failure policy for the TargetGroupBinding Mutator webhook | `Fail` |
+| `ingressClassParamsValidatorWebhookConfig.failurePolicy` | Failure policy for the Ingress Class Params Validator webhook | `Fail` |
+| `tgbValidatorWebhookConfig.failurePolicy` | Failure policy for the TargetGroupBinding Validator webhook | `Fail` |
+| `ingressValidatorWebhookConfig.failurePolicy` | Failure policy for the Ingress Validator webhook | `Fail` |
 | `autoscaling` | If `autoscaling.enabled=true`, enable the HPA on the controller mainly to survive load induced failure by the calls to the `aws-load-balancer-webhook-service`. Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`, enabling HPA may lead to the eviction of other low-priority pods in the node | `false` |
 | `serviceTargetENISGTags` | set of `key=value` pairs of AWS tags in addition to cluster name for finding the target ENI security group to which to add inbound rules from NLBs | None |
 | `loadBalancerClass` | Sets the AWS load balancer type to be used when the Kubernetes service requests an external load balancer | `service.k8s.aws/nlb` |
diff --git a/helm/aws-load-balancer-controller/templates/webhook.yaml b/helm/aws-load-balancer-controller/templates/webhook.yaml
index 49bc1e9d5..a6d4b4c32 100644
--- a/helm/aws-load-balancer-controller/templates/webhook.yaml
+++ b/helm/aws-load-balancer-controller/templates/webhook.yaml
@@ -64,7 +64,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /mutate-v1-pod-server-id
- failurePolicy: Fail
+ failurePolicy: {{ .Values.podServerIdMutatorWebhookConfig.failurePolicy }}
 name: quicid.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
@@ -221,7 +221,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding
- failurePolicy: Fail
+ failurePolicy: {{ .Values.tgbMutatorWebhookConfig.failurePolicy }}
 name: mtargetgroupbinding.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
@@ -256,7 +256,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /validate-elbv2-k8s-aws-v1beta1-ingressclassparams
- failurePolicy: Fail
+ failurePolicy: {{ .Values.ingressClassParamsValidatorWebhookConfig.failurePolicy }}
 name: vingressclassparams.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
@@ -285,7 +285,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /validate-elbv2-k8s-aws-v1beta1-targetgroupbinding
- failurePolicy: Fail
+ failurePolicy: {{ .Values.tgbValidatorWebhookConfig.failurePolicy }}
 name: vtargetgroupbinding.elbv2.k8s.aws
 admissionReviewVersions:
 - v1beta1
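Review bot: The new `failurePolicy: {{ .Values.podServerIdMutatorWebhookConfig.failurePolicy }}` line injects the value unquoted and unvalidated: an empty or unset value renders as a bare `failurePolicy:` (null), and a misspelt one such as `ignore` is only caught when the API server rejects the manifest rather than by `helm template`, so I would quote the scalar and reject anything other than the two legal values at render time, `failurePolicy: {{ .Values.podServerIdMutatorWebhookConfig.failurePolicy | quote }}` preceded by `{{- if not (has .Values.podServerIdMutatorWebhookConfig.failurePolicy (list "Fail" "Ignore")) }}{{- fail "podServerIdMutatorWebhookConfig.failurePolicy must be Fail or Ignore" }}{{- end }}` (an enum in a values.schema.json would do the same, if the chart ships one). The same applies to the -221, -256, -285 and -309 hunks. For the three validating webhooks (ingressclassparams, targetgroupbinding, ingress) the knob is security-relevant: `Ignore` is fail-open, so when the webhook is unreachable or times out the API server admits objects the controller would have rejected, which deserves a comment next to those lines. Each webhooks list entry starts and ends outside its hunk.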
@@ -309,7 +309,7 @@ webhooks:
 name: {{ template "aws-load-balancer-controller.webhookService" . }}
 namespace: {{ $.Release.Namespace }}
 path: /validate-networking-v1-ingress
- failurePolicy: Fail
+ failurePolicy: {{ .Values.ingressValidatorWebhookConfig.failurePolicy }}
 matchPolicy: Equivalent
 name: vingress.elbv2.k8s.aws
 admissionReviewVersions:
diff --git a/helm/aws-load-balancer-controller/test.yaml b/helm/aws-load-balancer-controller/test.yaml
index cc1c898a5..a0329b8a0 100644
--- a/helm/aws-load-balancer-controller/test.yaml
+++ b/helm/aws-load-balancer-controller/test.yaml
@@ -360,3 +360,28 @@ serviceMutatorWebhookConfig:
 podMutatorWebhookConfig:
 # whether or not to fail the pod creation if the webhook fails
 failurePolicy: Ignore
+
+# podServerIdMutatorWebhookConfig contains configurations specific to the pod service id mutator webhook
+podServerIdMutatorWebhookConfig:
+ # whether or not to fail the pod creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbMutatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbMutatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressClassParamsValidatorWebhookConfig contains configurations specific to the ingress class params validator webhook
+ingressClassParamsValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbValidatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbValidatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressValidatorWebhookConfig contains configurations specific to the ingress validator webhook
+ingressValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
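Review bot: The comment added above each new `failurePolicy: Fail` in the test.yaml hunk (`# whether or not to fail the tgb creation if the webhook fails`) neither names the allowed values nor says that the setting governs what the API server does when the webhook call itself errors or times out, and for the validator entries it hides that `Ignore` is fail-open, admitting the object unvalidated. The block comments are also hard to tell apart: `tgbMutatorWebhookConfig` and `tgbValidatorWebhookConfig` both read "specific to the targetgroupbinding webhook", `podServerIdMutatorWebhookConfig` says "pod service id", and `ingressClassParamsValidatorWebhookConfig` talks about "ingress creation". For each validator block I would write `# Fail or Ignore; with Ignore the API server admits the object without validation when the webhook is unreachable or times out` and name the resource the block guards in its header comment. The identical comments appear in the values.yaml hunk (-462), which is the copy users actually read, so the wording should be fixed there as well.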
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index 3ddad6281..6d63ed91d 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -462,11 +462,36 @@ serviceMutatorWebhookConfig:
 - CREATE
 # - UPDATE
 
-# podMutatorWebhookConfig contains configurations specific to the service mutator webhook
+# podMutatorWebhookConfig contains configurations specific to the pod mutator webhook
 podMutatorWebhookConfig:
 # whether or not to fail the pod creation if the webhook fails
 failurePolicy: Ignore
 
+# podServerIdMutatorWebhookConfig contains configurations specific to the pod service id mutator webhook
+podServerIdMutatorWebhookConfig:
+ # whether or not to fail the pod creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbMutatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbMutatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressClassParamsValidatorWebhookConfig contains configurations specific to the ingress class params validator webhook
+ingressClassParamsValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
+
+# tgbValidatorWebhookConfig contains configurations specific to the targetgroupbinding webhook
+tgbValidatorWebhookConfig:
+ # whether or not to fail the tgb creation if the webhook fails
+ failurePolicy: Fail
+
+# ingressValidatorWebhookConfig contains configurations specific to the ingress validator webhook
+ingressValidatorWebhookConfig:
+ # whether or not to fail the ingress creation if the webhook fails
+ failurePolicy: Fail
+
 # serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
 serviceTargetENISGTags: