Merge pull request #1542 from jvanz/issue1540

viccuad · web-flow · commit 138014cd889c · 2026-03-04T09:16:59.000+01:00
fix(charts): allow evaluations in controller namespace.
diff --git a/charts/kubewarden-controller/templates/deployment.yaml b/charts/kubewarden-controller/templates/deployment.yaml
@@ -51,7 +51,9 @@ spec:
         - --leader-elect
         - --deployments-namespace={{ .Release.Namespace }}
         - --webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service
+        {{- if .Values.alwaysAcceptAdmissionReviewsOnDeploymentsNamespace }}
         - --always-accept-admission-reviews-on-deployments-namespace
+        {{- end }}
         - --zap-log-level={{ .Values.logLevel }}
        {{- if .Values.mTLS.enable }}
         - --client-ca-configmap-name={{ .Values.mTLS.configMapName }}
diff --git a/charts/kubewarden-controller/tests/always_accept_admission_reviews_test.yaml b/charts/kubewarden-controller/tests/always_accept_admission_reviews_test.yaml
@@ -0,0 +1,25 @@
+suite: alwaysAcceptAdmissionReviewsOnDeploymentsNamespace flag
+templates:
+  - deployment.yaml
+tests:
+  - it: "should include the flag when alwaysAcceptAdmissionReviewsOnDeploymentsNamespace is true (default)"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--always-accept-admission-reviews-on-deployments-namespace"
+
+  - it: "should include the flag when alwaysAcceptAdmissionReviewsOnDeploymentsNamespace is explicitly true"
+    set:
+      alwaysAcceptAdmissionReviewsOnDeploymentsNamespace: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--always-accept-admission-reviews-on-deployments-namespace"
+
+  - it: "should not include the flag when alwaysAcceptAdmissionReviewsOnDeploymentsNamespace is false"
+    set:
+      alwaysAcceptAdmissionReviewsOnDeploymentsNamespace: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--always-accept-admission-reviews-on-deployments-namespace"
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
@@ -145,6 +145,12 @@ preDeleteHook:
     runAsNonRoot: true
     seccompProfile:
       type: RuntimeDefault
+# If true, the controller will always accept admission reviews in the
+# deployment namespace. It is recommended to keep this value true unless you
+# have a specific reason to disable it. This is a safety flag to avoid policy
+# evaluations that could interfere with the Kubewarden stack running in the
+# admission controller namespace.
+alwaysAcceptAdmissionReviewsOnDeploymentsNamespace: true
 # Verbosity of logging. Can be one of 'debug', 'info', 'error'.
 logLevel: info
 # open-telemetry options
