The validation webhook is installed in the same namespace as the Kong Deployment, and will check resources in any namespace it has permissions to. You do not need separate webhooks per namespace.
The webhook actually does not take class into account for most resources. KongConsumers are the only validated resources with a class annotation. The others, e.g. KongPlugin, don’t use that annotation, so the webhook will validate all resources of that kind.
This may cause issues in clusters that use heterogeneous KIC/Kong versions: each webhook runs on any classless resource whether you intended to use it with the associated KIC instance or not. If one of the webhooks has an issue (for example, if a plugin added a new required field, and you’re trying to add a KongPlugin for an older version that lacks this field), it will reject the resource.
There isn’t any standard way to get around this, but you can modify your webhooks to only review specific resources using an object selector, e.g. what we’ve used to exclude Helm Secrets:
In your case, you’d want to use a matchLabels rather than a matchExpressions, and then label all resources intended for a given instance. Note that you need to do this across all instances, so that you’re both feeding the desired resources to their intended instance and excluding them from other instances.