feat: add a webhook that blocks PDB creation in non-reserved namespaces (#546)

Author: michaelawyu

cmd/hubagent/options/webhooks.go

@@ -52,10 +52,15 @@ type WebhookOptions struct {
 
 	// Enable workload resources (pods and replicaSets) to be created in the hub cluster or not.
 	// If set to false, the KubeFleet pod and replicaset validating webhooks, which blocks the creation
-	// of pods and replicaSets outside KubeFleet reserved namespaces for most users, will be disabled.
+	// of pods and replicaSets outside KubeFleet reserved namespaces for most users, will be enabled.
 	// This option only applies if webhooks are enabled.
 	EnableWorkload bool
 
+	// Enable PodDisruptionBudgets to be created in the hub cluster or not. If set to false, the KubeFleet
+	// PodDisruptionBudget validating webhook, which blocks the creation of PodDisruptionBudgets outside KubeFleet
+	// reserved namespaces, will be enabled. This option only applies if webhooks are enabled.
+	EnablePDBs bool
+
 	// Use the cert-manager project for managing KubeFleet webhook server certificates or not.
 	// If set to false, the system will use self-signed certificates.
 	// This option only applies if webhooks are enabled.
@@ -109,7 +114,14 @@ func (o *WebhookOptions) AddFlags(flags *flag.FlagSet) {
 		&o.EnableWorkload,
 		"enable-workload",
 		false,
-		"Enable workload resources (pods and replicaSets) to be created in the hub cluster or not. If set to false, the KubeFleet pod and replicaset validating webhooks, which blocks the creation of pods and replicaSets outside KubeFleet reserved namespaces for most users, will be disabled. This option only applies if webhooks are enabled.",
+		"Enable workload resources (pods and replicaSets) to be created directly in the hub cluster or not. If set to true, the KubeFleet pod and replicaset validating webhooks, which blocks the creation of pods and replicaSets outside KubeFleet reserved namespaces for most users, will be disabled. This option only applies if webhooks are enabled.",
+	)
+
+	flags.BoolVar(
+		&o.EnablePDBs,
+		"enable-pdbs",
+		false,
+		"Enable PodDisruptionBudgets to be created directly in the hub cluster or not. If set to true, the KubeFleet PodDisruptionBudget validating webhook, which blocks the creation of PodDisruptionBudgets outside KubeFleet reserved namespaces, will be disabled. This option only applies if webhooks are enabled.",
 	)
 
 	flags.BoolVar(

pkg/webhook/add_handler.go

@@ -7,6 +7,7 @@ import (
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/clusterresourceplacementeviction"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/fleetresourcehandler"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/membercluster"
+	"github.com/kubefleet-dev/kubefleet/pkg/webhook/pdb"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/pod"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/replicaset"
 	"github.com/kubefleet-dev/kubefleet/pkg/webhook/resourceoverride"
@@ -23,6 +24,7 @@ func init() {
 	AddToManagerFuncs = append(AddToManagerFuncs, resourceplacement.Add)
 	AddToManagerFuncs = append(AddToManagerFuncs, pod.Add)
 	AddToManagerFuncs = append(AddToManagerFuncs, replicaset.Add)
+	AddToManagerFuncs = append(AddToManagerFuncs, pdb.Add)
 	AddToManagerFuncs = append(AddToManagerFuncs, clusterresourceoverride.Add)
 	AddToManagerFuncs = append(AddToManagerFuncs, resourceoverride.Add)
 	AddToManagerFuncs = append(AddToManagerFuncs, clusterresourceplacementeviction.Add)

pkg/webhook/clusterresourceoverride/clusterresourceoverride_validating_webhook.go

@@ -46,7 +46,7 @@ type clusterResourceOverrideValidator struct {
 	decoder webhook.AdmissionDecoder
 }
 
-// Add registers the webhook for K8s bulit-in object types.
+// Add registers the webhook for K8s built-in object types.
 func Add(mgr manager.Manager) error {
 	hookServer := mgr.GetWebhookServer()
 	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &clusterResourceOverrideValidator{mgr.GetAPIReader(), admission.NewDecoder(mgr.GetScheme())}})

pkg/webhook/clusterresourceplacement/v1beta1_clusterresourceplacement_validating_webhook.go

@@ -39,7 +39,7 @@ type clusterResourcePlacementValidator struct {
 	decoder webhook.AdmissionDecoder
 }
 
-// Add registers the webhook for K8s bulit-in object types.
+// Add registers the webhook for K8s built-in object types.
 func Add(mgr manager.Manager) error {
 	hookServer := mgr.GetWebhookServer()
 	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &clusterResourcePlacementValidator{admission.NewDecoder(mgr.GetScheme())}})

pkg/webhook/clusterresourceplacementdisruptionbudget/clusterresourceplacementdisruptionbudget_validating_webhook.go

@@ -42,7 +42,7 @@ type clusterResourcePlacementDisruptionBudgetValidator struct {
 	decoder webhook.AdmissionDecoder
 }
 
-// Add registers the webhook for K8s bulit-in object types.
+// Add registers the webhook for K8s built-in object types.
 func Add(mgr manager.Manager) error {
 	hookServer := mgr.GetWebhookServer()
 	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &clusterResourcePlacementDisruptionBudgetValidator{mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())}})

pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook.go

@@ -46,7 +46,7 @@ type clusterResourcePlacementEvictionValidator struct {
 	decoder webhook.AdmissionDecoder
 }
 
-// Add registers the webhook for K8s bulit-in object types.
+// Add registers the webhook for K8s built-in object types.
 func Add(mgr manager.Manager) error {
 	hookServer := mgr.GetWebhookServer()
 	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &clusterResourcePlacementEvictionValidator{mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())}})

pkg/webhook/membercluster/membercluster_validating_webhook.go

@@ -31,7 +31,7 @@ type memberClusterValidator struct {
 	networkingAgentsEnabled bool
 }
 
-// Add registers the webhook for K8s bulit-in object types.
+// Add registers the webhook for K8s built-in object types.
 func Add(mgr manager.Manager, networkingAgentsEnabled bool) {
 	hookServer := mgr.GetWebhookServer()
 	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &memberClusterValidator{

pkg/webhook/pdb/pdb_validating_webhook.go

@@ -0,0 +1,79 @@
+/*
+Copyright 2026 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pdb
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	admissionv1 "k8s.io/api/admission/v1"
+	policyv1 "k8s.io/api/policy/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/kubefleet-dev/kubefleet/pkg/utils"
+)
+
+const (
+	usrFriendlyDenialErrMsgFmt = "PDBs %s/%s cannot be directly created in the hub cluster due to potential side effects; to place a PDB to member clusters, consider wrapping it in a resource envelope."
+)
+
+var (
+	// ValidationPath is the webhook service path which admission requests are routed to for validating PodDisruptionBudget resources.
+	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, policyv1.SchemeGroupVersion.Group, policyv1.SchemeGroupVersion.Version, "poddisruptionbudget")
+)
+
+// Add registers the webhook for K8s built-in object types.
+func Add(mgr manager.Manager) error {
+	hookServer := mgr.GetWebhookServer()
+	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &pdbValidator{admission.NewDecoder(mgr.GetScheme())}})
+	return nil
+}
+
+type pdbValidator struct {
+	decoder webhook.AdmissionDecoder
+}
+
+// Handle pdbValidator denies a PodDisruptionBudget if it is not created in the system namespaces.
+func (v *pdbValidator) Handle(_ context.Context, req admission.Request) admission.Response {
+	namespacedName := types.NamespacedName{Name: req.Name, Namespace: req.Namespace}
+	if req.Operation == admissionv1.Create {
+		klog.V(2).InfoS("handling PodDisruptionBudget resource", "operation", req.Operation, "subResource", req.SubResource, "namespacedName", namespacedName)
+		pdb := &policyv1.PodDisruptionBudget{}
+		if err := v.decoder.Decode(req, pdb); err != nil {
+			return admission.Errored(http.StatusBadRequest, err)
+		}
+		if !utils.IsReservedNamespace(pdb.Namespace) {
+			klog.V(2).InfoS("Denying creation of PDBs in non-reserved namespaces",
+				"user", req.UserInfo.Username, "groups", req.UserInfo.Groups,
+				"operation", req.Operation,
+				"GVK", req.RequestKind,
+				"subResource", req.SubResource, "namespacedName", namespacedName)
+			return admission.Denied(fmt.Sprintf(usrFriendlyDenialErrMsgFmt, pdb.Namespace, pdb.Name))
+		}
+	}
+	klog.V(3).InfoS("Allowing operations on PDBs",
+		"user", req.UserInfo.Username, "groups", req.UserInfo.Groups,
+		"operation", req.Operation,
+		"GVK", req.RequestKind,
+		"subResource", req.SubResource, "namespacedName", namespacedName)
+	return admission.Allowed("")
+}

pkg/webhook/pdb/pdb_validating_webhook_test.go

@@ -0,0 +1,179 @@
+/*
+Copyright 2026 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pdb
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	admissionv1 "k8s.io/api/admission/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	policyv1 "k8s.io/api/policy/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+func TestHandle(t *testing.T) {
+	scheme := runtime.NewScheme()
+	if err := policyv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("policyv1.AddToScheme() = %v, want nil", err)
+	}
+	decoder := admission.NewDecoder(scheme)
+
+	pdbInDefaultNS := &policyv1.PodDisruptionBudget{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pdb",
+			Namespace: "default",
+		},
+	}
+	pdbInFleetNS := &policyv1.PodDisruptionBudget{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pdb",
+			Namespace: "fleet-system",
+		},
+	}
+	pdbInKubeNS := &policyv1.PodDisruptionBudget{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pdb",
+			Namespace: "kube-system",
+		},
+	}
+
+	pdbInDefaultNSBytes, err := json.Marshal(pdbInDefaultNS)
+	if err != nil {
+		t.Fatalf("json.Marshal() = %v, want nil", err)
+	}
+	pdbInFleetNSBytes, err := json.Marshal(pdbInFleetNS)
+	if err != nil {
+		t.Fatalf("json.Marshal() = %v, want nil", err)
+	}
+	pdbInKubeNSBytes, err := json.Marshal(pdbInKubeNS)
+	if err != nil {
+		t.Fatalf("json.Marshal() = %v, want nil", err)
+	}
+
+	userInfo := authenticationv1.UserInfo{
+		Username: "test-user",
+		Groups:   []string{"system:authenticated"},
+	}
+
+	testCases := map[string]struct {
+		req          admission.Request
+		wantResponse admission.Response
+	}{
+		"deny CREATE in non-reserved namespace": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name:      "test-pdb",
+					Namespace: "default",
+					Operation: admissionv1.Create,
+					Object: runtime.RawExtension{
+						Raw:    pdbInDefaultNSBytes,
+						Object: pdbInDefaultNS,
+					},
+					UserInfo: userInfo,
+				},
+			},
+			wantResponse: admission.Denied(fmt.Sprintf(usrFriendlyDenialErrMsgFmt, "default", "test-pdb")),
+		},
+		"allow CREATE in fleet- reserved namespace": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name:      "test-pdb",
+					Namespace: "fleet-system",
+					Operation: admissionv1.Create,
+					Object: runtime.RawExtension{
+						Raw:    pdbInFleetNSBytes,
+						Object: pdbInFleetNS,
+					},
+					UserInfo: userInfo,
+				},
+			},
+			wantResponse: admission.Allowed(""),
+		},
+		"allow CREATE in kube- reserved namespace": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name:      "test-pdb",
+					Namespace: "kube-system",
+					Operation: admissionv1.Create,
+					Object: runtime.RawExtension{
+						Raw:    pdbInKubeNSBytes,
+						Object: pdbInKubeNS,
+					},
+					UserInfo: userInfo,
+				},
+			},
+			wantResponse: admission.Allowed(""),
+		},
+		"allow UPDATE (non-CREATE operation)": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name:      "test-pdb",
+					Namespace: "default",
+					Operation: admissionv1.Update,
+					UserInfo:  userInfo,
+				},
+			},
+			wantResponse: admission.Allowed(""),
+		},
+		"allow DELETE (non-CREATE operation)": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name:      "test-pdb",
+					Namespace: "default",
+					Operation: admissionv1.Delete,
+					UserInfo:  userInfo,
+				},
+			},
+			wantResponse: admission.Allowed(""),
+		},
+		"error on malformed request object": {
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Name:      "test-pdb",
+					Namespace: "default",
+					Operation: admissionv1.Create,
+					Object: runtime.RawExtension{
+						Raw: []byte("not valid json"),
+					},
+					UserInfo: userInfo,
+				},
+			},
+			// The exact error message from the decoder is implementation-defined;
+			// only the status code and allowed=false are compared.
+			wantResponse: admission.Errored(http.StatusBadRequest, errors.New("")),
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			v := pdbValidator{decoder: decoder}
+			gotResponse := v.Handle(context.Background(), testCase.req)
+			if diff := cmp.Diff(gotResponse, testCase.wantResponse, cmpopts.IgnoreFields(metav1.Status{}, "Message")); diff != "" {
+				t.Errorf("Handle() mismatch (-got +want):\n%s", diff)
+			}
+		})
+	}
+}

pkg/webhook/pod/pod_validating_webhook.go

@@ -43,7 +43,7 @@ var (
 	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, corev1.SchemeGroupVersion.Group, corev1.SchemeGroupVersion.Version, "pod")
 )
 
-// Add registers the webhook for K8s bulit-in object types.
+// Add registers the webhook for K8s built-in object types.
 func Add(mgr manager.Manager) error {
 	hookServer := mgr.GetWebhookServer()
 	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &podValidator{admission.NewDecoder(mgr.GetScheme())}})