Codecov Report ❌ Patch coverage is

Coverage diff (additional details and impacted files):

```text
@@            Coverage Diff             @@
##             main    #1682      +/-   ##
==========================================
- Coverage   82.14%   77.17%   -4.98%
==========================================
  Files         129      172      +43
  Lines       16961    21544    +4583
==========================================
+ Hits        13933    16626    +2693
- Misses       3028     4705    +1677
- Partials        0      213     +213
```
Pull request overview
This PR adds host-network support for Kubewarden by wiring a new controller flag through to PolicyServer deployments and exposing per-PolicyServer port overrides to mitigate host-port conflicts.
Changes:
- Add `--host-network` controller flag and configure PolicyServer pods with `hostNetwork: true` + `dnsPolicy: ClusterFirstWithHostNet` when enabled.
- Add optional PolicyServer CRD ports (`webhookPort`, `readinessProbePort`, `metricsPort`) and plumb webhook/readiness into Deployment/Service behavior.
- Extend Helm charts to configure controller hostNetwork/ports and default PolicyServer port/affinity overrides, with unit tests.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/controller/policyserver_controller_test.go | Asserts default PolicyServer pod spec does not use host networking. |
| internal/controller/policyserver_controller_service.go | Updates Service target port logic for webhook and introduces metrics port selection. |
| internal/controller/policyserver_controller_deployment.go | Adds hostNetwork support and uses effective webhook/readiness ports in the pod. |
| internal/controller/policyserver_controller.go | Adds reconciler fields for HostNetwork and global default metrics port. |
| cmd/controller/main.go | Adds webhook server port flag; parses metrics port env var into reconciler config; adds host-network flag. |
| api/policies/v1/policyserver_types.go | Adds CRD port fields + Effective*Port helpers. |
| api/policies/v1/policyserver_webhook.go / *_test.go | Validates port conflicts and adds tests. |
| api/policies/v1/factories.go / zz_generated.deepcopy.go | Extends test factory + deepcopy for new fields. |
| charts/kubewarden-defaults/* | Adds values/schema/template/tests for default PolicyServer affinity and port overrides. |
| charts/kubewarden-crds/templates/*policyservers.yaml | Adds CRD schema for the new port fields. |
| charts/kubewarden-controller/* | Adds values/schema/template/tests for controller hostNetwork and configurable ports. |
| Makefile | Adds test-all convenience target. |
Pull request overview
This PR adds host-network support across Kubewarden by introducing a controller-wide --host-network flag that enables hostNetwork: true (and dnsPolicy: ClusterFirstWithHostNet) for all PolicyServer pods, plus new PolicyServer CRD fields to customize webhook/readiness/metrics ports to avoid host-port conflicts.
Changes:
- Add controller flag + Helm values to enable host networking for the controller and all PolicyServers, including DNS policy adjustments.
- Extend the PolicyServer CRD with optional `webhookPort`, `readinessProbePort`, and `metricsPort`, and wire these into reconciliation logic.
- Update unit/integration tests and CRD docs to cover the new fields/behavior.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| internal/controller/suite_test.go | Loads CRDs from the Helm CRD chart templates for envtest runs. |
| internal/controller/policyserver_controller_test.go | Adds assertions for default hostNetwork/DNSPolicy and tests custom webhook/readiness ports. |
| internal/controller/policyserver_controller_service.go | Uses PolicyServer effective webhook port for Service targetPort; introduces per-PolicyServer/global metrics Service port selection. |
| internal/controller/policyserver_controller_deployment.go | Adds hostNetwork wiring to the PolicyServer PodSpec and uses effective webhook/readiness ports in env/probes. |
| internal/controller/policyserver_controller.go | Extends reconciler config with HostNetwork and a global default metrics port. |
| cmd/controller/main.go | Adds --webhook-server-port, --host-network, and parses a global PolicyServer metrics port from env var. |
| api/policies/v1/policyserver_types.go | Adds port fields to the PolicyServer spec and “Effective*Port” helpers. |
| api/policies/v1/policyserver_webhook.go | Adds webhook validation preventing port conflicts across the new fields. |
| api/policies/v1/policyserver_webhook_test.go | Adds unit tests for port-conflict validation. |
| api/policies/v1/factories.go | Extends PolicyServer factory to set the new port fields in tests. |
| api/policies/v1/zz_generated.deepcopy.go | Regenerates deepcopy implementations for the new fields. |
| docs/crds/CRD-docs-for-docs-repo.md | Documents new PolicyServer port fields in generated CRD docs (markdown). |
| docs/crds/CRD-docs-for-docs-repo.adoc | Documents new PolicyServer port fields in generated CRD docs (asciidoc). |
| charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml | Updates the PolicyServer CRD schema with the new port fields. |
| charts/kubewarden-defaults/values.yaml | Adds Helm values documentation for the new default PolicyServer port fields and affinity guidance. |
| charts/kubewarden-defaults/values.schema.json | Adds JSON schema entries for the new default PolicyServer port fields. |
| charts/kubewarden-defaults/templates/policyserver-default.yaml | Renders port overrides into the default PolicyServer CR. |
| charts/kubewarden-defaults/templates/_helpers.tpl | Adds helper to select effective affinity (policyServer-specific over global). |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Adds helm-unittest coverage for port fields and affinity selection. |
| charts/kubewarden-controller/values.yaml | Adds hostNetwork + ports + affinity Helm values for the controller chart. |
| charts/kubewarden-controller/values.schema.json | Adds schema entries for hostNetwork/ports/affinity. |
| charts/kubewarden-controller/templates/deployment.yaml | Wires hostNetwork, affinity selection, and configurable ports into the controller Deployment. |
| charts/kubewarden-controller/templates/service.yaml | Uses configurable ports for webhook and metrics Services. |
| charts/kubewarden-controller/templates/_helpers.tpl | Adds helper to select effective affinity (controller-specific over global). |
| charts/kubewarden-controller/tests/service_ports_test.yaml | Adds helm-unittest coverage for service port wiring. |
| charts/kubewarden-controller/tests/host_network_test.yaml | Adds helm-unittest coverage for hostNetwork and port args/probes. |
| Makefile | Adds a test-all target combining unit, helm-unittest, and e2e. |
Pull request overview
Adds host-networking support for Kubewarden PolicyServer Deployments and introduces per-PolicyServer port overrides to help avoid port conflicts when hostNetwork is enabled.
Changes:
- Add `--host-network` controller flag and plumb it into PolicyServer Deployment pod spec (`hostNetwork: true` + `dnsPolicy: ClusterFirstWithHostNet`).
- Add optional `webhookPort`, `readinessProbePort`, `metricsPort` fields to the PolicyServer CRD spec and update controller reconciliation + docs/tests accordingly.
- Update Helm charts to configure hostNetwork, affinity handling, and controller/service ports; extend unit/integration tests.
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| internal/controller/suite_test.go | Envtest now loads CRDs from Helm chart templates (copied into a temp dir). |
| internal/controller/policyserver_controller_test.go | Adds assertions/tests for default hostNetwork behavior and custom port overrides. |
| internal/controller/policyserver_controller_service_test.go | Adds unit coverage for PolicyServer Service metrics port precedence behavior. |
| internal/controller/policyserver_controller_service.go | Updates PolicyServer Service port wiring to use effective webhook/metrics ports. |
| internal/controller/policyserver_controller_deployment.go | Enables hostNetwork + adjusts dnsPolicy; skips OTel sidecar injection under hostNetwork; wires webhook/readiness ports into container env/probe. |
| internal/controller/policyserver_controller.go | Extends reconciler configuration with HostNetwork and PolicyServerMetricsPort. |
| docs/crds/CRD-docs-for-docs-repo.md | Documents new PolicyServer port fields. |
| docs/crds/CRD-docs-for-docs-repo.adoc | Documents new PolicyServer port fields (adoc). |
| cmd/controller/main.go | Adds controller port flags, host-network flag, and parses global default PolicyServer metrics port from env var. |
| charts/kubewarden-defaults/values.yaml | Documents default PolicyServer port settings and affinity guidance for hostNetwork. |
| charts/kubewarden-defaults/values.schema.json | Adds schema validation for PolicyServer port overrides and affinity. |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Helm unit tests for default PolicyServer port/affinity rendering. |
| charts/kubewarden-defaults/templates/policyserver-default.yaml | Renders effective affinity and optional PolicyServer port overrides into the default PolicyServer CR. |
| charts/kubewarden-defaults/templates/_helpers.tpl | Adds helper to compute effective default PolicyServer affinity (policyServer.affinity > global.affinity). |
| charts/kubewarden-crds/templates/policies.kubewarden.io_policyservers.yaml | Updates PolicyServer CRD schema with the new port fields. |
| charts/kubewarden-controller/values.yaml | Adds hostNetwork, controller affinity, and controller port configuration values. |
| charts/kubewarden-controller/values.schema.json | Adds schema for affinity/hostNetwork/ports values. |
| charts/kubewarden-controller/tests/service_ports_test.yaml | Helm unit tests validating controller service ports and overrides. |
| charts/kubewarden-controller/tests/host_network_test.yaml | Helm unit tests validating controller hostNetwork behavior, ports, and telemetry sidecar suppression. |
| charts/kubewarden-controller/templates/service.yaml | Splits/guards metrics service rendering and parameterizes service target ports via values. |
| charts/kubewarden-controller/templates/deployment.yaml | Adds hostNetwork/dnsPolicy support, effective affinity, and configurable controller ports/args. |
| charts/kubewarden-controller/templates/_helpers.tpl | Adds helper to compute effective controller affinity (affinity > global.affinity). |
| api/policies/v1/zz_generated.deepcopy.go | Updates deepcopy generation for new PolicyServer builder/spec fields. |
| api/policies/v1/policyserver_webhook_test.go | Adds validation tests for port conflicts (including env-var default metrics port interactions). |
| api/policies/v1/policyserver_webhook.go | Extends webhook setup/validator to account for default metrics port and validate port conflicts. |
| api/policies/v1/policyserver_types.go | Adds CRD fields and “Effective*Port” helpers to compute final ports. |
| api/policies/v1/factories.go | Extends PolicyServer factory to set new port fields for tests/builders. |
| Makefile | Adds test-all target aggregating unit, Helm, and e2e tests. |
| It("should use all custom ports", func() { | ||
| policyServer := policiesv1.NewPolicyServerFactory(). | ||
| WithName(policyServerName). | ||
| WithWebhookPort(9443). | ||
| WithReadinessProbePort(9081). | ||
| WithMetricsPort(9080). | ||
| Build() | ||
| createPolicyServerAndWaitForItsService(ctx, policyServer) | ||
|
|
||
| By("checking all custom port env vars in the deployment") | ||
| Eventually(func() error { | ||
| deployment, err := getTestPolicyServerDeployment(ctx, policyServerName) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| container := deployment.Spec.Template.Spec.Containers[0] | ||
| envMap := make(map[string]string) | ||
| for _, env := range container.Env { | ||
| envMap[env.Name] = env.Value | ||
| } | ||
|
|
||
| Expect(envMap).To(HaveKeyWithValue("KUBEWARDEN_PORT", strconv.Itoa(9443))) | ||
| Expect(envMap).To(HaveKeyWithValue("KUBEWARDEN_READINESS_PROBE_PORT", strconv.Itoa(9081))) | ||
|
|
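Review bot: the test is named "should use all custom ports" and builds the PolicyServer with WithMetricsPort(9080), but the assertions only cover KUBEWARDEN_PORT and KUBEWARDEN_READINESS_PROBE_PORT; nothing checks that 9080 reaches the deployment or the PolicyServer Service. Add an assertion on wherever the metrics port lands (for example the Service's metrics port), or drop WithMetricsPort and rename the test so it does not claim coverage it lacks.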
| if r.MetricsEnabled { | ||
| svc.Spec.Ports = append( | ||
| svc.Spec.Ports, | ||
| corev1.ServicePort{ | ||
| Name: "metrics", | ||
| Port: getMetricsPort(), | ||
| Protocol: corev1.ProtocolTCP, | ||
| Name: "metrics", | ||
| Port: policyServer.EffectiveMetricsPort(r.PolicyServerMetricsPort), | ||
| TargetPort: intstr.FromInt32(r.PolicyServerMetricsPort), | ||
| Protocol: corev1.ProtocolTCP, | ||
| }, | ||
| ) |
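Review bot: in the new ServicePort, Port comes from policyServer.EffectiveMetricsPort(r.PolicyServerMetricsPort) while TargetPort is always intstr.FromInt32(r.PolicyServerMetricsPort), so a per-PolicyServer metricsPort changes only the ClusterIP Service port, not the port the container binds. Under hostNetwork it is the container's bind port that collides on the node, so this override cannot resolve a host-port conflict for metrics in the way the PR description promises; either pass the effective port to the container's metrics listener and use it as TargetPort as well, or document that spec.metricsPort only affects the Service. The unit test case below (crdMetricsPort 9091, expectedPort 9091, expectedTargetPort 9090) currently pins the asymmetric behaviour, so it should change with whichever option is chosen.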
| crdMetricsPort: int32Ptr(9091), | ||
| expectMetricsPort: true, | ||
| expectedPort: 9091, | ||
| expectedTargetPort: 9090, |
| fmt.Sprintf("metricsPort must differ from webhookPort (%d)", webhookPort), | ||
| )) | ||
| } | ||
| if readinessPort == metricsPort { | ||
| allErrs = append(allErrs, field.Invalid( | ||
| field.NewPath("spec").Child("metricsPort"), | ||
| metricsPort, | ||
| fmt.Sprintf("metricsPort must differ from readinessProbePort (%d)", readinessPort), |
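Review bot: both metricsPort checks report the error at field.NewPath("spec").Child("metricsPort") with the metricsPort value, but the webhook test summary says the compared value may be the controller-wide default taken from the env var when the user never set spec.metricsPort. In that case the rejection points at a field that is empty in the submitted object; state in the message that the value is the controller default (and which setting changes it) so the error is actionable. The readinessPort == metricsPort branch also duplicates the shape of the webhookPort branch above it; a single helper that checks all three pairs symmetrically would keep the messages and paths consistent.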
| crdFiles, err := filepath.Glob(filepath.Join(crdSourceDir, "policies.kubewarden.io_*.yaml")) | ||
| Expect(err).NotTo(HaveOccurred()) | ||
| for _, src := range crdFiles { | ||
| data, readErr := os.ReadFile(src) | ||
| Expect(readErr).NotTo(HaveOccurred()) | ||
| Expect(os.WriteFile(filepath.Join(crdTempDir, filepath.Base(src)), data, 0o600)).To(Succeed()) | ||
| } |
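Review bot: if filepath.Glob matches no files (for example because crdSourceDir is wrong relative to the test's working directory), crdFiles is empty, the loop is a no-op and envtest later fails with an unrelated "no matches for kind" error. Add `Expect(crdFiles).NotTo(BeEmpty())` right after the Glob so the failure points at the CRD path.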
This commit adds the support to enable host network in the Kubewarden stack. This is done by enabling a CLI flag in the controller. Once this is done, all the policy server deployments are configured to use host network as well. Furthermore, to allow users to fix port conflict issues, 3 new fields have been added to the policy server spec. These fields allow users to define the ports to be used by the policy server deployment.

Assisted-by: GitHub Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
| @@ -10,16 +11,12 @@ metadata: | |||
| {{- include "kubewarden-controller.annotations" . | nindent 4 }} | |||
| spec: | |||
| ports: | |||
| {{- if .Values.telemetry.metrics }} | |||
| - name: metrics | |||
| port: 8080 | |||
| targetPort: 8080 | |||
| {{- end}} | |||
| - name: https | |||
| port: 8443 | |||
| targetPort: https | |||
| targetPort: {{ .Values.ports.metrics }} | |||
| selector: | |||
| {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }} | |||
| {{- end}} | |||
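Review bot: targetPort now renders from .Values.ports.metrics, but nothing in this hunk ties that value to the port the controller container actually listens on; if deployment.yaml takes its metrics listen port from a different value, the Service silently points at a closed port. Derive both from the same .Values.ports.metrics key and add a helm-unittest case that renders Service and Deployment together and asserts the two numbers match. Note also that the trailing `{{- end}}` closes an `if` that starts above the visible context, so a reviewer reading only this hunk cannot see which condition now guards the whole Service.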
@kubewarden/kubewarden-developers do you know we add this service with the webhook port if it should be used for metric collection?
@copilot can you investigate the git story and let us know what you found?
Here's what the git history shows:
Original state (base, before this PR): The metrics-service always had two ports:
- `metrics` (8080 → 8080) — conditional on `telemetry.metrics`
- `https` (8443 → named port `https`) — always present, unconditionally
The https port appears to be a legacy artifact from when the project was likely scaffolded with kubebuilder using a kube-rbac-proxy sidecar (which serves HTTPS metrics on 8443). However, the actual deployment never had a container port named https — it only exposed the webhook-server port. So the https port in the service was pointing to a non-existent named port and was essentially dead/non-functional code.
An intermediate PR commit (5be5364) accidentally wired that https port to target .Values.ports.webhook, which was caught in review as creating a second access path to the webhook endpoint.
Current state (commit 20319ac): This PR cleans it up:
- The `metrics-service` is now fully conditional on `telemetry.metrics` (since it's only useful when metrics are enabled), and its `targetPort` is the configurable `{{ .Values.ports.metrics }}` (default 8088)
- The `https` dead-code port is removed entirely
- The `webhook-service` remains separate with `targetPort: {{ .Values.ports.webhook }}`
So no — the metrics-service was never intentionally for the webhook port. The original https/8443 port was legacy scaffolding that was never backed by a real container port. This PR removes it.
Description
This PR adds host-network support to Kubewarden. When the `--host-network` controller flag is enabled, all PolicyServer deployments are configured with `hostNetwork: true` and `dnsPolicy: ClusterFirstWithHostNet`. Three new optional fields (`webhookPort`, `readinessProbePort`, `metricsPort`) are added to the PolicyServer CRD spec, allowing users to resolve host-port conflicts on a per-PolicyServer basis.

A key design decision is that the controller does not auto-inject pod anti-affinity rules. Instead, affinity configuration is fully user-managed. This keeps the controller simple and gives operators full control over scheduling when host networking is enabled.
Fix #1597
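As an added illustration of the design described in this PR (and summarised in the Copilot overviews earlier in the thread), the following Go program is example code, not part of this PR or of kubewarden-controller. It models the three optional port fields with plain structs instead of the real CRD types, applies the pairwise port-conflict rule from the validating webhook, wires the effective ports and the `hostNetwork`/`dnsPolicy` pair into a pod-spec subset, and lists the host ports two PolicyServers on one node would both bind. The default port numbers (8443, 8081, 8088), the `spec.readinessProbePort` error path, and the assumption that the container binds all three effective ports are assumptions made for the example, not values taken from the PR.

```go
package main

import (
	"fmt"
	"strconv"
)

// Assumed defaults. The controller's real defaults live in api/policies/v1 and
// cmd/controller/main.go; these numbers are placeholders for the example.
const (
	defaultWebhookPort        int32 = 8443
	defaultReadinessProbePort int32 = 8081
)

// PortSpec models the three optional PolicyServer CRD fields added by the PR.
// A nil pointer means the field was not set and the default applies.
type PortSpec struct {
	WebhookPort        *int32
	ReadinessProbePort *int32
	MetricsPort        *int32
}

func pick(override *int32, def int32) int32 {
	if override != nil {
		return *override
	}
	return def
}

// EffectiveWebhookPort and friends mirror the Effective*Port helpers the
// review summary describes: the override if set, otherwise the default.
func (s PortSpec) EffectiveWebhookPort() int32 { return pick(s.WebhookPort, defaultWebhookPort) }

func (s PortSpec) EffectiveReadinessProbePort() int32 {
	return pick(s.ReadinessProbePort, defaultReadinessProbePort)
}

// The metrics default is controller-wide (the PR reads it from an env var),
// so it is passed in rather than hard-coded.
func (s PortSpec) EffectiveMetricsPort(globalDefault int32) int32 {
	return pick(s.MetricsPort, globalDefault)
}

// ValidatePorts applies the pairwise rule shown in the webhook hunk: the three
// effective ports must all differ. Messages follow the hunk's
// "<field>: X must differ from Y (<port>)" shape; the field path used for the
// webhook/readiness pair is an assumption.
func ValidatePorts(s PortSpec, globalMetricsPort int32) []string {
	w := s.EffectiveWebhookPort()
	r := s.EffectiveReadinessProbePort()
	m := s.EffectiveMetricsPort(globalMetricsPort)
	var errs []string
	if w == r {
		errs = append(errs, fmt.Sprintf("spec.readinessProbePort: readinessProbePort must differ from webhookPort (%d)", w))
	}
	if w == m {
		errs = append(errs, fmt.Sprintf("spec.metricsPort: metricsPort must differ from webhookPort (%d)", w))
	}
	if r == m {
		errs = append(errs, fmt.Sprintf("spec.metricsPort: metricsPort must differ from readinessProbePort (%d)", r))
	}
	return errs
}

// PodNetworking is the slice of the PolicyServer PodSpec the PR touches.
type PodNetworking struct {
	HostNetwork bool
	DNSPolicy   string
	Env         map[string]string
}

// BuildPodNetworking reproduces the wiring the description states: with the
// --host-network flag on, hostNetwork: true plus dnsPolicy ClusterFirstWithHostNet.
// The env var names are the ones asserted in the PR's controller test.
func BuildPodNetworking(s PortSpec, hostNetwork bool) PodNetworking {
	p := PodNetworking{
		DNSPolicy: "ClusterFirst", // Kubernetes default when hostNetwork is off
		Env: map[string]string{
			"KUBEWARDEN_PORT":                 strconv.Itoa(int(s.EffectiveWebhookPort())),
			"KUBEWARDEN_READINESS_PROBE_PORT": strconv.Itoa(int(s.EffectiveReadinessProbePort())),
		},
	}
	if hostNetwork {
		p.HostNetwork = true
		// Without this a host-networked pod resolves names through the node's
		// resolv.conf and cannot reach cluster Services by DNS name.
		p.DNSPolicy = "ClusterFirstWithHostNet"
	}
	return p
}

// HostPortConflicts lists the ports two host-networked PolicyServers would both
// bind if scheduled on the same node. Because the controller injects no
// anti-affinity, this is the collision operators must avoid with their own
// affinity rules or per-PolicyServer overrides. It assumes (example assumption)
// that the container binds all three effective ports.
func HostPortConflicts(a, b PortSpec, globalMetricsPort int32) []int32 {
	bound := map[int32]bool{
		b.EffectiveWebhookPort():                  true,
		b.EffectiveReadinessProbePort():           true,
		b.EffectiveMetricsPort(globalMetricsPort): true,
	}
	var out []int32
	for _, p := range []int32{a.EffectiveWebhookPort(), a.EffectiveReadinessProbePort(), a.EffectiveMetricsPort(globalMetricsPort)} {
		if bound[p] {
			out = append(out, p)
		}
	}
	return out
}

func ptr(v int32) *int32 { return &v }

func main() {
	custom := PortSpec{WebhookPort: ptr(9443), ReadinessProbePort: ptr(9081), MetricsPort: ptr(9080)}
	fmt.Println("custom spec errors:", ValidatePorts(custom, 8088))
	fmt.Println("webhook on default metrics port:", ValidatePorts(PortSpec{WebhookPort: ptr(8088)}, 8088))
	fmt.Printf("pod networking: %+v\n", BuildPodNetworking(custom, true))
	fmt.Println("two default servers on one node collide on:", HostPortConflicts(PortSpec{}, PortSpec{}, 8088))
	fmt.Println("default vs custom collide on:", HostPortConflicts(PortSpec{}, custom, 8088))
}
```

Run it with `go run`. The HostPortConflicts check is the scheduling hazard the description leaves to user-managed affinity: two PolicyServers with default ports that land on the same host-networked node collide on all three ports, while one with overrides collides on none, which is why the per-PolicyServer fields and an anti-affinity rule are complementary rather than alternatives.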