dapr-sidecar-injector webhook gets flagged as unsafe on GKE #24

Description

@vit-zikmund

When running Dapr helm chart on a GKE cluster the dapr-sidecar-injector MutatingWebhookConfiguration gets flagged as unsafe for potentially reaching over to the system namespaces like kube-system.

A few months ago, the chart was extended with an optional namespaceSelector, which is great, but having that properly configured is not enough, because the webhooks' scope in webhooks[].rules[].scope [reference] is not set, which means the default value is "*", which means it could also affect cluster resources. In this case GCP checks don't go very deep and nag about it despite the rule affecting only pods 🤷.

Setting that single rule's scope for the sidecar injector webhook explicitly to "Namespaced" can't harm anything (as pods are namespaced resources anyway), and all the OCD folks could sleep better having one less nagging warning in their production clusters 😉

Thank you so much!
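The two settings described in the issue, as an added example that is not the Dapr chart's own template: the rendered MutatingWebhookConfiguration with the pod rule first as it looks with no scope set (recorded as "*") and then with scope set to "Namespaced". The webhook name and the service name, namespace and path under clientConfig are assumptions, not values taken from the chart.

```yaml
# Added example of the rendered MutatingWebhookConfiguration; not the Dapr chart's template.
# The webhook name and the clientConfig values are assumed, not taken from the chart.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: dapr-sidecar-injector
webhooks:
  - name: sidecar-injector.dapr.io        # assumed
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      service:
        name: dapr-sidecar-injector       # assumed
        namespace: dapr-system            # assumed
        path: /mutate                     # assumed
    # The optional namespaceSelector keeps the webhook out of kube-system, but
    # the GKE check looks at rules[].scope, not at the selector.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    rules:
      # Before: scope omitted, so the API server stores it as "*" (any scope),
      # which is what trips the warning even though only pods are matched:
      #   - apiGroups: [""]
      #     apiVersions: ["v1"]
      #     operations: ["CREATE"]
      #     resources: ["pods"]
      # After: scope stated explicitly. Pods are always namespaced, so this
      # rule matches exactly the same admission requests as before.
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
        scope: "Namespaced"
```

To see which scope the API server actually recorded for an installed chart, run `kubectl get mutatingwebhookconfiguration dapr-sidecar-injector -o jsonpath='{.webhooks[*].rules[*].scope}'`; an unset scope is returned as `*`.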
