Enable the validating admission for multiple Kong ingress classes in a single K8s

Hello,

Is anyone using multiple Kong Ingress Classes in a single K8s, with a unique class name like

  - name: CONTROLLER_INGRESS_CLASS
    value: kong-ui

in a separate namespace, like namespace=kong-ui?

How did you update the kind: ValidatingWebhookConfiguration, name: kong-validations?

Any insight would be greatly appreciated.

  1. Is this second qualifier “kong” the namespace? If yes, do we need to add it for each namespace?
    webhooks:
  2. Do we need to repeat this for each namespace:

    clientConfig:
      service:
        namespace: kong
        name: kong-validation-webhook

What problem are you running into, if any?

The validation webhook is installed in the same namespace as the Kong Deployment, and will check resources in any namespace it has permissions to. You do not need separate webhooks per namespace.

The webhook actually does not take class into account for most resources. KongConsumers are the only validated resources with a class annotation. The others, e.g. KongPlugin, don’t use that annotation, so the webhook will validate all resources of that kind.

This may cause issues in clusters that use heterogeneous KIC/Kong versions: each webhook runs on any classless resource whether you intended to use it with the associated KIC instance or not. If one of the webhooks has an issue (for example, if a plugin added a new required field, and you’re trying to add a KongPlugin for an older version that lacks this field), it will reject the resource.

There isn’t any standard way to get around this, but you can modify your webhooks to only review specific resources using an object selector, e.g. what we’ve used to exclude Helm Secrets:

In your case, you’d want to use a matchLabels rather than a matchExpressions, and then label all resources intended for a given instance. Note that you need to do this across all instances, so that you’re both feeding the desired resources to their intended instance and excluding them from other instances.
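
The per-instance labelling described in the reply above, as an added example that is not part of the original thread or of Kong's own manifests. The label key `example.com/kong-instance`, the webhook names, the second configuration's name `kong-ui-validations`, the rule contents and the service in namespace `kong-ui` are assumptions; `caBundle` is a placeholder.

```yaml
# Added illustration: one ValidatingWebhookConfiguration per Kong instance,
# each reviewing only the objects labelled for that instance.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: kong-validations                 # instance running in namespace "kong"
webhooks:
  - name: kong.validations.example.com   # hypothetical webhook name
    objectSelector:
      matchLabels:
        example.com/kong-instance: kong  # hypothetical label key
    clientConfig:
      service:
        namespace: kong
        name: kong-validation-webhook
      caBundle: "REPLACE_WITH_BASE64_CA_FOR_KONG"
    rules:                               # assumed rule set
      - apiGroups: ["configuration.konghq.com"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["kongconsumers", "kongplugins"]
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions: ["v1"]
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: kong-ui-validations              # cluster-scoped, so the name must differ
webhooks:
  - name: kong-ui.validations.example.com
    objectSelector:
      matchLabels:
        example.com/kong-instance: kong-ui
    clientConfig:
      service:
        namespace: kong-ui               # assumed: same service name, other namespace
        name: kong-validation-webhook
      caBundle: "REPLACE_WITH_BASE64_CA_FOR_KONG_UI"
    rules:
      - apiGroups: ["configuration.konghq.com"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["kongconsumers", "kongplugins"]
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions: ["v1"]
```

With `matchLabels` on every instance, a resource that carries no instance label matches neither selector and is admitted without review by any Kong webhook, so labelling has to be enforced wherever validation is expected.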