Codecov Report ❌ Patch coverage is

Coverage diff, main vs. #1682:

| | main | #1682 | +/- |
|---|---|---|---|
| Coverage | 82.14% | 77.17% | -4.98% |
| Files | 129 | 172 | +43 |
| Lines | 16961 | 21544 | +4583 |
| Hits | 13933 | 16626 | +2693 |
| Misses | 3028 | 4705 | +1677 |
| Partials | 0 | 213 | +213 |
Pull request overview
This PR adds host-network support for Kubewarden by wiring a new controller flag through to PolicyServer deployments and exposing per-PolicyServer port overrides to mitigate host-port conflicts.
Changes:
- Add the `--host-network` controller flag and configure PolicyServer pods with `hostNetwork: true` + `dnsPolicy: ClusterFirstWithHostNet` when enabled.
- Add optional PolicyServer CRD ports (`webhookPort`, `readinessProbePort`, `metricsPort`) and plumb webhook/readiness into Deployment/Service behavior.
- Extend Helm charts to configure controller hostNetwork/ports and default PolicyServer port/affinity overrides, with unit tests.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/controller/policyserver_controller_test.go | Asserts default PolicyServer pod spec does not use host networking. |
| internal/controller/policyserver_controller_service.go | Updates Service target port logic for webhook and introduces metrics port selection. |
| internal/controller/policyserver_controller_deployment.go | Adds hostNetwork support and uses effective webhook/readiness ports in the pod. |
| internal/controller/policyserver_controller.go | Adds reconciler fields for HostNetwork and global default metrics port. |
| cmd/controller/main.go | Adds webhook server port flag; parses metrics port env var into reconciler config; adds host-network flag. |
| api/policies/v1/policyserver_types.go | Adds CRD port fields + Effective*Port helpers. |
| api/policies/v1/policyserver_webhook.go / *_test.go | Validates port conflicts and adds tests. |
| api/policies/v1/factories.go / zz_generated.deepcopy.go | Extends test factory + deepcopy for new fields. |
| charts/kubewarden-defaults/* | Adds values/schema/template/tests for default PolicyServer affinity and port overrides. |
| charts/kubewarden-crds/templates/*policyservers.yaml | Adds CRD schema for the new port fields. |
| charts/kubewarden-controller/* | Adds values/schema/template/tests for controller hostNetwork and configurable ports. |
| Makefile | Adds test-all convenience target. |
Pull request overview
This PR adds host-network support across Kubewarden by introducing a controller-wide --host-network flag that enables hostNetwork: true (and dnsPolicy: ClusterFirstWithHostNet) for all PolicyServer pods, plus new PolicyServer CRD fields to customize webhook/readiness/metrics ports to avoid host-port conflicts.
Changes:
- Add controller flag + Helm values to enable host networking for the controller and all PolicyServers, including DNS policy adjustments.
- Extend the PolicyServer CRD with optional `webhookPort`, `readinessProbePort`, and `metricsPort`, and wire these into reconciliation logic.
- Update unit/integration tests and CRD docs to cover the new fields/behavior.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/controller/suite_test.go | Loads CRDs from the Helm CRD chart templates for envtest runs. |
| internal/controller/policyserver_controller_test.go | Adds assertions for default hostNetwork/DNSPolicy and tests custom webhook/readiness ports. |
| internal/controller/policyserver_controller_service.go | Uses PolicyServer effective webhook port for Service targetPort; introduces per-PolicyServer/global metrics Service port selection. |
| internal/controller/policyserver_controller_deployment.go | Adds hostNetwork wiring to the PolicyServer PodSpec and uses effective webhook/readiness ports in env/probes. |
| internal/controller/policyserver_controller.go | Extends reconciler config with HostNetwork and a global default metrics port. |
| cmd/controller/main.go | Adds --webhook-server-port, --host-network, and parses a global PolicyServer metrics port from env var. |
| api/policies/v1/policyserver_types.go | Adds port fields to the PolicyServer spec and “Effective*Port” helpers. |
| api/policies/v1/policyserver_webhook.go | Adds webhook validation preventing port conflicts across the new fields. |
| api/policies/v1/policyserver_webhook_test.go | Adds unit tests for port-conflict validation. |
| api/policies/v1/factories.go | Extends PolicyServer factory to set the new port fields in tests. |
| api/policies/v1/zz_generated.deepcopy.go | Regenerates deepcopy implementations for the new fields. |
| docs/crds/CRD-docs-for-docs-repo.md | Documents new PolicyServer port fields in generated CRD docs (markdown). |
| docs/crds/CRD-docs-for-docs-repo.adoc | Documents new PolicyServer port fields in generated CRD docs (asciidoc). |
| charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml | Updates the PolicyServer CRD schema with the new port fields. |
| charts/kubewarden-defaults/values.yaml | Adds Helm values documentation for the new default PolicyServer port fields and affinity guidance. |
| charts/kubewarden-defaults/values.schema.json | Adds JSON schema entries for the new default PolicyServer port fields. |
| charts/kubewarden-defaults/templates/policyserver-default.yaml | Renders port overrides into the default PolicyServer CR. |
| charts/kubewarden-defaults/templates/_helpers.tpl | Adds helper to select effective affinity (policyServer-specific over global). |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Adds helm-unittest coverage for port fields and affinity selection. |
| charts/kubewarden-controller/values.yaml | Adds hostNetwork + ports + affinity Helm values for the controller chart. |
| charts/kubewarden-controller/values.schema.json | Adds schema entries for hostNetwork/ports/affinity. |
| charts/kubewarden-controller/templates/deployment.yaml | Wires hostNetwork, affinity selection, and configurable ports into the controller Deployment. |
| charts/kubewarden-controller/templates/service.yaml | Uses configurable ports for webhook and metrics Services. |
| charts/kubewarden-controller/templates/_helpers.tpl | Adds helper to select effective affinity (controller-specific over global). |
| charts/kubewarden-controller/tests/service_ports_test.yaml | Adds helm-unittest coverage for service port wiring. |
| charts/kubewarden-controller/tests/host_network_test.yaml | Adds helm-unittest coverage for hostNetwork and port args/probes. |
| Makefile | Adds a test-all target combining unit, helm-unittest, and e2e. |
Pull request overview
Adds host-networking support for Kubewarden PolicyServer Deployments and introduces per-PolicyServer port overrides to help avoid port conflicts when hostNetwork is enabled.
Changes:
- Add the `--host-network` controller flag and plumb it into the PolicyServer Deployment pod spec (`hostNetwork: true` + `dnsPolicy: ClusterFirstWithHostNet`).
- Add optional `webhookPort`, `readinessProbePort`, `metricsPort` fields to the PolicyServer CRD spec and update controller reconciliation + docs/tests accordingly.
- Update Helm charts to configure hostNetwork, affinity handling, and controller/service ports; extend unit/integration tests.
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| internal/controller/suite_test.go | Envtest now loads CRDs from Helm chart templates (copied into a temp dir). |
| internal/controller/policyserver_controller_test.go | Adds assertions/tests for default hostNetwork behavior and custom port overrides. |
| internal/controller/policyserver_controller_service_test.go | Adds unit coverage for PolicyServer Service metrics port precedence behavior. |
| internal/controller/policyserver_controller_service.go | Updates PolicyServer Service port wiring to use effective webhook/metrics ports. |
| internal/controller/policyserver_controller_deployment.go | Enables hostNetwork + adjusts dnsPolicy; skips OTel sidecar injection under hostNetwork; wires webhook/readiness ports into container env/probe. |
| internal/controller/policyserver_controller.go | Extends reconciler configuration with HostNetwork and PolicyServerMetricsPort. |
| docs/crds/CRD-docs-for-docs-repo.md | Documents new PolicyServer port fields. |
| docs/crds/CRD-docs-for-docs-repo.adoc | Documents new PolicyServer port fields (adoc). |
| cmd/controller/main.go | Adds controller port flags, host-network flag, and parses global default PolicyServer metrics port from env var. |
| charts/kubewarden-defaults/values.yaml | Documents default PolicyServer port settings and affinity guidance for hostNetwork. |
| charts/kubewarden-defaults/values.schema.json | Adds schema validation for PolicyServer port overrides and affinity. |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Helm unit tests for default PolicyServer port/affinity rendering. |
| charts/kubewarden-defaults/templates/policyserver-default.yaml | Renders effective affinity and optional PolicyServer port overrides into the default PolicyServer CR. |
| charts/kubewarden-defaults/templates/_helpers.tpl | Adds helper to compute effective default PolicyServer affinity (policyServer.affinity > global.affinity). |
| charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml | Updates PolicyServer CRD schema with the new port fields. |
| charts/kubewarden-controller/values.yaml | Adds hostNetwork, controller affinity, and controller port configuration values. |
| charts/kubewarden-controller/values.schema.json | Adds schema for affinity/hostNetwork/ports values. |
| charts/kubewarden-controller/tests/service_ports_test.yaml | Helm unit tests validating controller service ports and overrides. |
| charts/kubewarden-controller/tests/host_network_test.yaml | Helm unit tests validating controller hostNetwork behavior, ports, and telemetry sidecar suppression. |
| charts/kubewarden-controller/templates/service.yaml | Splits/guards metrics service rendering and parameterizes service target ports via values. |
| charts/kubewarden-controller/templates/deployment.yaml | Adds hostNetwork/dnsPolicy support, effective affinity, and configurable controller ports/args. |
| charts/kubewarden-controller/templates/_helpers.tpl | Adds helper to compute effective controller affinity (affinity > global.affinity). |
| api/policies/v1/zz_generated.deepcopy.go | Updates deepcopy generation for new PolicyServer builder/spec fields. |
| api/policies/v1/policyserver_webhook_test.go | Adds validation tests for port conflicts (including env-var default metrics port interactions). |
| api/policies/v1/policyserver_webhook.go | Extends webhook setup/validator to account for default metrics port and validate port conflicts. |
| api/policies/v1/policyserver_types.go | Adds CRD fields and “Effective*Port” helpers to compute final ports. |
| api/policies/v1/factories.go | Extends PolicyServer factory to set new port fields for tests/builders. |
| Makefile | Adds test-all target aggregating unit, Helm, and e2e tests. |
| @@ -10,16 +11,12 @@ metadata: | |||
| {{- include "kubewarden-controller.annotations" . | nindent 4 }} | |||
| spec: | |||
| ports: | |||
| {{- if .Values.telemetry.metrics }} | |||
| - name: metrics | |||
| port: 8080 | |||
| targetPort: 8080 | |||
| {{- end}} | |||
| - name: https | |||
| port: 8443 | |||
| targetPort: https | |||
| targetPort: {{ .Values.ports.metrics }} | |||
| selector: | |||
| {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }} | |||
| {{- end}} | |||
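Review bot: the `{{- if .Values.telemetry.metrics }}` / `{{- end}}` pair that wrapped the `metrics` port is gone from the `ports:` list, yet a bare `{{- end}}` survives after the selector block at the bottom of the hunk; its opening `{{- if }}` sits above line 10 and outside this context, so check that it is the same `telemetry.metrics` guard now wrapping the whole Service document, otherwise the template either fails to render or emits a metrics Service with `targetPort: {{ .Values.ports.metrics }}` even when telemetry is off. A helm-unittest case should assert that with `telemetry.metrics: false` no Service document is rendered, and that the former `targetPort: https` named port, which no container declares, no longer appears anywhere.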
@kubewarden/kubewarden-developers do you know why we add this service with the webhook port if it should be used for metric collection?
@copilot can you investigate the git story and let us know what you found?
Here's what the git history shows:
Original state (base, before this PR): The metrics-service always had two ports:
- `metrics` (8080 → 8080), conditional on `telemetry.metrics`
- `https` (8443 → named port `https`), always present, unconditionally
The https port appears to be a legacy artifact from when the project was likely scaffolded with kubebuilder using a kube-rbac-proxy sidecar (which serves HTTPS metrics on 8443). However, the actual deployment never had a container port named https — it only exposed the webhook-server port. So the https port in the service was pointing to a non-existent named port and was essentially dead/non-functional code.
An intermediate PR commit (5be5364) accidentally wired that https port to target .Values.ports.webhook, which was caught in review as creating a second access path to the webhook endpoint.
Current state (commit 20319ac): This PR cleans it up:
- The `metrics-service` is now fully conditional on `telemetry.metrics` (since it's only useful when metrics are enabled), and its `targetPort` is the configurable `{{ .Values.ports.metrics }}` (default 8088)
- The `https` dead-code port is removed entirely
- The `webhook-service` remains separate with `targetPort: {{ .Values.ports.webhook }}`
So no — the metrics-service was never intentionally for the webhook port. The original https/8443 port was legacy scaffolding that was never backed by a real container port. This PR removes it.
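As an added illustration of the two concerns raised in this thread, a Service port that resolves to nothing and a Service port that quietly reaches the admission webhook, the following Go program models the three states of the controller's metrics Service and audits each one. This is example code, not part of the chart or the controller. The container-port name `webhook-server` comes from the discussion above; the webhook listener port 9443, the metrics port 8088, the Service names and Service port numbers are assumed values, and the types are simplified stand-ins rather than `k8s.io/api`.

```go
package main

import (
	"fmt"
	"strconv"
)

// Assumed, simplified stand-ins for the Kubernetes Pod/Service port
// structures. Not the project's types and not k8s.io/api.
type ContainerPort struct {
	Name string
	Port int32
}

type ServicePort struct {
	Name       string
	Port       int32
	TargetPort string // numeric ("8088") or the name of a container port ("https")
}

type Service struct {
	Name  string
	Ports []ServicePort
}

// resolveTargetPort resolves a Service targetPort the way the endpoints
// controller does: a numeric value is forwarded as-is (it need not be declared
// under containerPorts), a name must match a declared container port name.
// ok == false means nothing in the pod can back this Service port.
func resolveTargetPort(target string, cps []ContainerPort) (int32, bool) {
	if n, err := strconv.Atoi(target); err == nil {
		return int32(n), true
	}
	for _, cp := range cps {
		if cp.Name == target {
			return cp.Port, true
		}
	}
	return 0, false
}

// auditServices flags the two things a reviewer of service.yaml cares about:
// Service ports that resolve to nothing (dead scaffolding) and Service ports
// that resolve to the webhook listener from a Service other than webhookSvc
// (a second, unintended path to the admission endpoint).
func auditServices(svcs []Service, cps []ContainerPort, webhookSvc string, webhookPort int32) []string {
	var findings []string
	for _, svc := range svcs {
		for _, sp := range svc.Ports {
			port, ok := resolveTargetPort(sp.TargetPort, cps)
			switch {
			case !ok:
				findings = append(findings, fmt.Sprintf(
					"%s/%s: targetPort %q matches no container port (dead port)", svc.Name, sp.Name, sp.TargetPort))
			case port == webhookPort && svc.Name != webhookSvc:
				findings = append(findings, fmt.Sprintf(
					"%s/%s: targetPort %q reaches the webhook listener on %d (second access path)", svc.Name, sp.Name, sp.TargetPort, port))
			}
		}
	}
	return findings
}

// The three states described in the thread, as constructed input. The webhook
// listener port (9443) and metrics port (8088) are assumed values; the only
// container port the controller pod declares is the webhook server.
const (
	webhookPort = 9443
	metricsPort = 8088
)

var controllerPorts = []ContainerPort{{Name: "webhook-server", Port: webhookPort}}

// Base: metrics port plus a legacy "https" port naming a container port that does not exist.
func beforeState() []Service {
	return []Service{{Name: "metrics-service", Ports: []ServicePort{
		{Name: "metrics", Port: 8080, TargetPort: "8080"},
		{Name: "https", Port: 8443, TargetPort: "https"},
	}}}
}

// Intermediate commit: the legacy port wired to the webhook listener.
func intermediateState() []Service {
	return []Service{{Name: "metrics-service", Ports: []ServicePort{
		{Name: "metrics", Port: 8080, TargetPort: strconv.Itoa(metricsPort)},
		{Name: "https", Port: 8443, TargetPort: strconv.Itoa(webhookPort)},
	}}}
}

// Final state: separate webhook Service; the whole metrics Service is guarded.
func finalState(metricsEnabled bool) []Service {
	svcs := []Service{{Name: "webhook-service", Ports: []ServicePort{
		{Name: "https", Port: 443, TargetPort: strconv.Itoa(webhookPort)},
	}}}
	if metricsEnabled {
		svcs = append(svcs, Service{Name: "metrics-service", Ports: []ServicePort{
			{Name: "metrics", Port: 8080, TargetPort: strconv.Itoa(metricsPort)},
		}})
	}
	return svcs
}

func main() {
	for name, svcs := range map[string][]Service{"before": beforeState(), "intermediate": intermediateState(), "final": finalState(true)} {
		fmt.Printf("%s: %v\n", name, auditServices(svcs, controllerPorts, "webhook-service", webhookPort))
	}
}
```

The numeric-versus-named distinction matters: Kubernetes forwards a numeric `targetPort` even when no `containerPort` declares it, so only a named port can be dead; and a port that does resolve is only safe if it lands on a listener the Service is meant to expose.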
flavio
left a comment
Overall LGTM, left some comments
| fmt.Sprintf("metricsPort must differ from webhookPort (%d)", webhookPort), | ||
| )) | ||
| } | ||
| if readinessPort == metricsPort { |
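Review bot: `if readinessPort == metricsPort` compares a pod-side listener with a value that only sets the metrics Service port, so this branch rejects combinations that cannot actually collide on the pod; either drop it and keep only the webhook-versus-readiness check, or document why it is needed, and if it stays, include the conflicting value in its message the way the preceding branch does with `fmt.Sprintf("metricsPort must differ from webhookPort (%d)", webhookPort)`.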
You also have to check for readiness != webhook
This is done in the first `if` of this function, on line 349. ;)
| metrics: ptr.To[int32](9000), | ||
| defaultMetricsPort: constants.PolicyServerMetricsPort, | ||
| errContains: "metricsPort must differ from readinessProbePort", | ||
| }, |
This is done in the second test case: webhookPort equals readinessProbePort. Line 431. ;)
@flavio fyi: since your first review I've added some documentation explaining the different behavior of the
Pull request overview
Adds host-network support across PolicyServer Deployments (controller-driven), plus per-PolicyServer port overrides to reduce host-level port conflicts when host networking is enabled.
Changes:
- Add the `--host-network` controller flag to set `hostNetwork: true` and `dnsPolicy: ClusterFirstWithHostNet` on PolicyServer Deployments.
- Extend PolicyServer CRD/spec with optional `webhookPort`, `readinessProbePort`, and `metricsPort`, and wire these into Deployment/Service rendering.
- Update Helm charts + unit/integration tests to cover hostNetwork behavior, affinity precedence, and port configuration.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| internal/controller/suite_test.go | Envtest now loads CRDs from chart templates; disables controller-runtime metrics binding in tests; reconciler wiring updated for metrics port config. |
| internal/controller/policyserver_controller_test.go | Adds assertions for default HostNetwork/DNSPolicy and an e2e-style test for custom ports. |
| internal/controller/policyserver_controller_service_test.go | New unit tests covering metrics Service port priority and fixed TargetPort behavior. |
| internal/controller/policyserver_controller_service.go | Service targetPort now follows effective webhook port; metrics Service port can be overridden per PolicyServer. |
| internal/controller/policyserver_controller_deployment.go | Deployment builder gains hostNetwork/dnsPolicy support; webhook/readiness ports come from effective CRD values; sidecar injection skipped under hostNetwork. |
| internal/controller/policyserver_controller.go | Adds HostNetwork and PolicyServerMetricsPort fields to reconciler. |
| docs/crds/CRD-docs-for-docs-repo.md | Documents new PolicyServer spec fields (webhook/readiness/metrics ports). |
| docs/crds/CRD-docs-for-docs-repo.adoc | Same CRD doc updates in AsciiDoc format. |
| cmd/controller/main.go | Adds --host-network and --webhook-server-port; parses/validates global PolicyServer metrics Service port env var and passes it to reconciler. |
| charts/kubewarden-defaults/values.yaml | Documents port customization and affinity guidance for the default PolicyServer. |
| charts/kubewarden-defaults/values.schema.json | Adds schema for new PolicyServer port values; minor JSON formatting normalization. |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Helm-unittest coverage for port field emission and affinity precedence for the default PolicyServer. |
| charts/kubewarden-defaults/templates/policyserver-default.yaml | Renders effective affinity (policyServer > global) and optional port fields into the default PolicyServer CR. |
| charts/kubewarden-defaults/templates/_helpers.tpl | Adds helper to compute effective affinity. |
| charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml | CRD schema updated with new port fields and descriptions. |
| charts/kubewarden-controller/values.yaml | Adds controller affinity, hostNetwork, and ports values with operational warnings. |
| charts/kubewarden-controller/values.schema.json | Adds schema entries for affinity, hostNetwork, and ports. |
| charts/kubewarden-controller/tests/service_ports_test.yaml | Helm-unittest coverage for service targetPort wiring and metrics-service conditional rendering. |
| charts/kubewarden-controller/tests/host_network_test.yaml | Helm-unittest coverage for hostNetwork behavior, arg suppression for sidecar mode, and port overrides. |
| charts/kubewarden-controller/templates/service.yaml | Metrics Service now conditional on telemetry.metrics; webhook Service targetPort configurable. |
| charts/kubewarden-controller/templates/deployment.yaml | Adds hostNetwork/dnsPolicy support, effective affinity helper, and configurable port args/ports; suppresses sidecar inject when hostNetwork. |
| charts/kubewarden-controller/templates/_helpers.tpl | Adds helper to compute effective affinity for controller deployment. |
| charts/kubewarden-controller/templates/NOTES.txt | Adds hostNetwork warning + sidecar incompatibility note. |
| api/policies/v1/zz_generated.deepcopy.go | Deepcopy updated for new port pointer fields. |
| api/policies/v1/policyserver_webhook_test.go | Adds webhook validation tests for port conflicts. |
| api/policies/v1/policyserver_webhook.go | Adds admission validation to prevent webhook/readiness port conflicts. |
| api/policies/v1/policyserver_types.go | Adds new spec fields + effective-port helper methods. |
| api/policies/v1/factories.go | Extends PolicyServerFactory builder with new port setters. |
| Makefile | Adds test-all target to run unit + helm-unittest + e2e. |
Pull request overview
Adds host-network support to the Kubewarden controller/PolicyServers and introduces per-PolicyServer port overrides to avoid host port conflicts when host networking is enabled.
Changes:
- Add the `--host-network` controller flag to enable `hostNetwork: true` + `dnsPolicy: ClusterFirstWithHostNet` on managed PolicyServer Deployments.
- Add optional PolicyServer CRD port fields (`webhookPort`, `readinessProbePort`, `metricsPort`) plus "effective port" helpers and validation.
- Update Helm charts, unit/integration tests, and docs to support hostNetwork + port configuration.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| internal/controller/suite_test.go | Adjust envtest setup to load CRDs from chart templates and disable manager metrics binding in tests. |
| internal/controller/policyserver_controller_test.go | Extend integration tests to assert hostNetwork defaults and custom port behavior. |
| internal/controller/policyserver_controller_service_test.go | Add unit tests for metrics Service port/targetPort priority behavior. |
| internal/controller/policyserver_controller_service.go | Update PolicyServer Service ports to use effective webhook/metrics port logic. |
| internal/controller/policyserver_controller_deployment.go | Add hostNetwork + dnsPolicy wiring into the PolicyServer Deployment pod spec; skip OTel sidecar injection when hostNetwork. |
| internal/controller/policyserver_controller.go | Extend reconciler config with HostNetwork and PolicyServerMetricsPort. |
| docs/crds/CRD-docs-for-docs-repo.md | Document new CRD port fields. |
| docs/crds/CRD-docs-for-docs-repo.adoc | Document new CRD port fields (AsciiDoc). |
| cmd/controller/main.go | Add --host-network and --webhook-server-port; validate port ranges; parse metrics service port env var once at startup. |
| charts/kubewarden-defaults/values.yaml | Add values documentation for default PolicyServer port overrides and affinity guidance. |
| charts/kubewarden-defaults/values.schema.json | Add schema for default PolicyServer port overrides and affinity. |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Add Helm unit tests for default PolicyServer ports + affinity selection. |
| charts/kubewarden-defaults/templates/policyserver-default.yaml | Render port fields and use effective affinity helper. |
| charts/kubewarden-defaults/templates/_helpers.tpl | Add effective affinity helper for default PolicyServer. |
| charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml | CRD YAML updated with new port fields and descriptions. |
| charts/kubewarden-controller/values.yaml | Add controller affinity, hostNetwork, and controller port values documentation. |
| charts/kubewarden-controller/values.schema.json | Add schema for controller affinity, hostNetwork, and controller ports. |
| charts/kubewarden-controller/tests/service_ports_test.yaml | Add Helm unit tests for service targetPorts using configurable controller ports. |
| charts/kubewarden-controller/tests/host_network_test.yaml | Add Helm unit tests for hostNetwork behavior, affinity selection, port args, and sidecar incompatibility. |
| charts/kubewarden-controller/templates/service.yaml | Conditionally render metrics Service and parameterize webhook/metrics targetPorts. |
| charts/kubewarden-controller/templates/deployment.yaml | Add hostNetwork + dnsPolicy, controller port args, and effective affinity helper usage. |
| charts/kubewarden-controller/templates/_helpers.tpl | Add effective affinity helper and hostNetwork/sidecar incompatibility validation. |
| charts/kubewarden-controller/templates/NOTES.txt | Add hostNetwork warning output. |
| api/policies/v1/zz_generated.deepcopy.go | Regenerate deepcopy logic for new spec fields and builder fields. |
| api/policies/v1/policyserver_webhook_test.go | Add webhook validation tests for port conflicts. |
| api/policies/v1/policyserver_webhook.go | Add port conflict validation for webhook/readiness ports. |
| api/policies/v1/policyserver_types.go | Add new CRD fields and “effective port” helper methods. |
| api/policies/v1/factories.go | Extend PolicyServer factory builder with port override setters. |
| Makefile | Add test-all convenience target. |
Pull request overview
This PR adds host-network support and per-PolicyServer port customization, enabling PolicyServer pods to run with hostNetwork: true while allowing operators to mitigate node-level port conflicts and retaining telemetry/metrics behavior constraints.
Changes:
- Add controller-wide `--host-network` behavior that sets `hostNetwork: true` and `dnsPolicy: ClusterFirstWithHostNet` for all PolicyServer Deployments, and enforce incompatibility with OpenTelemetry sidecar mode.
- Add optional `webhookPort`, `readinessProbePort`, and `metricsPort` fields to the PolicyServer spec, with controller/service behavior updates and validations.
- Update Helm charts, CRDs, docs, and tests to support/verify hostNetwork + port configuration and affinity override precedence.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/controller/suite_test.go | Loads CRDs from chart templates for envtest and disables controller-runtime metrics binding in tests. |
| internal/controller/policyserver_controller_test.go | Adds assertions and test coverage for hostNetwork defaults and custom port behavior. |
| internal/controller/policyserver_controller_service_test.go | Adds unit tests for metrics Service port/targetPort priority and behavior when metrics disabled. |
| internal/controller/policyserver_controller_service.go | Updates PolicyServer Service ports to use effective webhook/metrics ports and fixed metrics targetPort. |
| internal/controller/policyserver_controller_deployment.go | Adds hostNetwork + DNSPolicy wiring to PolicyServer pod spec; skips OTel sidecar injection when hostNetwork enabled; wires effective ports into container env/probe. |
| internal/controller/policyserver_controller.go | Extends reconciler config with HostNetwork and PolicyServerMetricsPort fields. |
| docs/crds/CRD-docs-for-docs-repo.md | Documents new PolicyServer spec port fields and semantics. |
| docs/crds/CRD-docs-for-docs-repo.adoc | Documents new PolicyServer spec port fields and semantics (adoc). |
| cmd/controller/main.go | Adds --host-network and --webhook-server-port, validates port ranges, enforces hostNetwork vs sidecar exclusivity, and parses global PolicyServer metrics port env var. |
| charts/kubewarden-defaults/values.yaml | Adds documented values for default PolicyServer port configuration and affinity guidance. |
| charts/kubewarden-defaults/values.schema.json | Adds schema for new default PolicyServer port fields and affinity. |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Adds helm-unittest coverage for default PolicyServer port fields and affinity precedence behavior. |
| charts/kubewarden-defaults/templates/policyserver-default.yaml | Renders effective affinity and optional port fields into the default PolicyServer manifest. |
| charts/kubewarden-defaults/templates/_helpers.tpl | Adds helper to compute effective affinity for the default PolicyServer. |
| charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml | Extends CRD schema with webhookPort/readinessProbePort/metricsPort fields and documentation. |
| charts/kubewarden-controller/values.yaml | Adds controller hostNetwork/ports/affinity values and guidance about sidecar incompatibility. |
| charts/kubewarden-controller/values.schema.json | Adds schema entries for controller affinity, hostNetwork, and ports. |
| charts/kubewarden-controller/tests/service_ports_test.yaml | Adds helm-unittest coverage for controller service targetPorts based on values. |
| charts/kubewarden-controller/tests/host_network_test.yaml | Adds helm-unittest coverage for hostNetwork wiring, port args, affinity precedence, and sidecar incompatibility. |
| charts/kubewarden-controller/templates/service.yaml | Makes metrics Service conditional and parameterizes targetPorts via values. |
| charts/kubewarden-controller/templates/deployment.yaml | Adds hostNetwork/dnsPolicy and ports/affinity wiring; validates sidecar incompatibility. |
| charts/kubewarden-controller/templates/_helpers.tpl | Adds helpers for effective affinity and hostNetwork+sidecar validation. |
| charts/kubewarden-controller/templates/NOTES.txt | Adds hostNetwork warnings and clarifies sidecar incompatibility at install time. |
| api/policies/v1/zz_generated.deepcopy.go | Updates deepcopy generation for new PolicyServerSpec port fields and builder fields. |
| api/policies/v1/policyserver_webhook_test.go | Adds validation tests for port conflict rules. |
| api/policies/v1/policyserver_webhook.go | Adds server-side validation to reject webhookPort/readinessProbePort conflicts. |
| api/policies/v1/policyserver_types.go | Adds new spec fields and “effective port” helper methods for webhook/readiness/metrics. |
| api/policies/v1/factories.go | Extends PolicyServer test factory builder with port setters. |
| Makefile | Adds a test-all target combining unit, helm-unittest, and e2e tests. |
This commit adds the support to enable host network in the Kubewarden stack. This is done by enabling a CLI flag in the controller. Once this is done, all the policy server deployments are configured to use host network as well. Furthermore, to allow users to fix port conflict issues, 3 new fields have been added to the policy server spec. These fields allow users to define the ports to be used by the policy server deployment.

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

refactor(webhook): remove metricsPort conflict validation

spec.metricsPort only controls the metrics Service Port (the externally visible scrape port) and has no effect on pod-side ports. Since it operates at a different layer than webhookPort and readinessProbePort, there is no meaningful conflict to validate against. The only pod-side conflict check that remains is webhookPort vs readinessProbePort.

As a consequence, the defaultMetricsPort parameter is removed from SetupWebhookWithManager and the policyServerValidator struct, simplifying the webhook setup chain in main.go.

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Description

This PR adds host-network support to Kubewarden. When the `--host-network` controller flag is enabled, all PolicyServer deployments are configured with `hostNetwork: true` and `dnsPolicy: ClusterFirstWithHostNet`. Three new optional fields are added to the PolicyServer CRD spec to allow users to customize ports on a per-PolicyServer basis: `webhookPort` changes the port the pod listens on for webhook requests, `readinessProbePort` changes the readiness probe port, and both help resolve host-port conflicts when multiple PolicyServers share a node. The `metricsPort` field customizes only the Service port (the externally visible port Prometheus scrapes). The pod-side TargetPort remains the controller-wide default because the OpenTelemetry sidecar always exports metrics on a fixed cluster-wide port. As a result, `metricsPort` does not resolve host-network port collisions on the node.

Affinity is fully user-managed. The controller does not auto-inject pod anti-affinity rules, giving operators full control over scheduling.

OpenTelemetry sidecar mode is incompatible with host-network mode: when `hostNetwork` is enabled, sidecar injection is rejected at both the helm chart level (template render fails) and the controller binary level (fail-fast error at startup), so users must use a remote collector (`telemetry.mode=custom`) instead.

Both the `--webhook-server-port` flag and the `KUBEWARDEN_POLICY_SERVER_SERVICES_METRICS_PORT` environment variable are validated at startup to be within the 1–65535 range, failing fast with clear error messages if out of bounds.

Fix #1597
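The port rules described in this PR, as an added Go example that is not the project's own `api/policies/v1` or `cmd/controller` code: it models the three optional spec fields with `Effective*Port` helpers, the admission check that rejects `webhookPort == readinessProbePort` while leaving `metricsPort` out of it, the 1–65535 startup validation, the hostNetwork/sidecar fail-fast, the pod-side `hostNetwork` and `dnsPolicy` settings, and a small planner that shows why only the pod-side ports can clear a node-level collision. The default port numbers (8443 webhook, 8080 readiness), the type shapes, the `OtelSidecar` field and the error wording are assumptions, not copied from the project.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Assumed defaults and stand-in types: example code, not the project's
// api/policies/v1 types or the k8s.io/api PodSpec.
const (
	defaultWebhookPort   int32 = 8443
	defaultReadinessPort int32 = 8080
)

type PolicyServerSpec struct {
	WebhookPort        *int32 // pod-side listener
	ReadinessProbePort *int32 // pod-side probe
	MetricsPort        *int32 // metrics Service port only; never changes the pod
}

func orDefault(p *int32, def int32) int32 {
	if p != nil {
		return *p
	}
	return def
}

// Effective*Port helpers: the spec value when set, the controller default otherwise.
func (s PolicyServerSpec) EffectiveWebhookPort() int32   { return orDefault(s.WebhookPort, defaultWebhookPort) }
func (s PolicyServerSpec) EffectiveReadinessPort() int32 { return orDefault(s.ReadinessProbePort, defaultReadinessPort) }
func (s PolicyServerSpec) EffectiveMetricsServicePort(global int32) int32 {
	return orDefault(s.MetricsPort, global) // per-PolicyServer value wins over the global env var
}

// validatePort is the 1-65535 range check the controller applies at startup to
// --webhook-server-port and KUBEWARDEN_POLICY_SERVER_SERVICES_METRICS_PORT.
func validatePort(name string, p int32) error {
	if p < 1 || p > 65535 {
		return fmt.Errorf("%s must be between 1 and 65535, got %d", name, p)
	}
	return nil
}

// ValidateSpec is the admission-time rule: the two pod-side ports must differ.
// metricsPort is deliberately not compared with them because it lives at the
// Service layer and the pod-side metrics target port is fixed.
func ValidateSpec(s PolicyServerSpec) error {
	fields := map[string]*int32{"webhookPort": s.WebhookPort, "readinessProbePort": s.ReadinessProbePort, "metricsPort": s.MetricsPort}
	for name, p := range fields {
		if p != nil {
			if err := validatePort(name, *p); err != nil {
				return err
			}
		}
	}
	if s.EffectiveWebhookPort() == s.EffectiveReadinessPort() {
		return fmt.Errorf("readinessProbePort must differ from webhookPort (%d)", s.EffectiveWebhookPort())
	}
	return nil
}

type ControllerConfig struct {
	HostNetwork             bool
	OtelSidecar             bool // telemetry.mode=sidecar (assumed field name)
	PolicyServerMetricsPort int32
}

// ValidateStartup fails fast on a bad metrics port or on hostNetwork combined with the sidecar.
func ValidateStartup(c ControllerConfig) error {
	if err := validatePort("KUBEWARDEN_POLICY_SERVER_SERVICES_METRICS_PORT", c.PolicyServerMetricsPort); err != nil {
		return err
	}
	if c.HostNetwork && c.OtelSidecar {
		return errors.New("--host-network is incompatible with the OpenTelemetry sidecar; use telemetry.mode=custom")
	}
	return nil
}

type PodNetworking struct {
	HostNetwork                bool
	DNSPolicy                  string
	WebhookPort, ReadinessPort int32
}

// PodNetworkingFor renders what the controller puts on every PolicyServer pod.
func PodNetworkingFor(s PolicyServerSpec, c ControllerConfig) PodNetworking {
	n := PodNetworking{DNSPolicy: "ClusterFirst", WebhookPort: s.EffectiveWebhookPort(), ReadinessPort: s.EffectiveReadinessPort()}
	if c.HostNetwork {
		n.HostNetwork = true
		n.DNSPolicy = "ClusterFirstWithHostNet" // keep cluster DNS while sharing the node's network namespace
	}
	return n
}

// HostPortConflicts lists pod-side ports shared by PolicyServers that would be
// co-scheduled on one node under hostNetwork. metricsPort is not consulted: a
// Service port cannot resolve a collision inside the node's network namespace.
func HostPortConflicts(specs map[string]PolicyServerSpec) []string {
	owners := map[int32][]string{}
	for name, s := range specs {
		owners[s.EffectiveWebhookPort()] = append(owners[s.EffectiveWebhookPort()], name+"/webhook")
		owners[s.EffectiveReadinessPort()] = append(owners[s.EffectiveReadinessPort()], name+"/readiness")
	}
	var out []string
	for port, users := range owners {
		if len(users) > 1 {
			sort.Strings(users)
			out = append(out, fmt.Sprintf("port %d: %v", port, users))
		}
	}
	sort.Strings(out)
	return out
}
```

Two PolicyServers left at their defaults conflict on both pod-side ports regardless of what `metricsPort` says; giving the second one distinct `webhookPort` and `readinessProbePort` values is the only change that clears the planner, which is the behaviour the description attributes to the new fields.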