When developing an admission webhook to be managed by Operator Lifecycle Manager (OLM), consider the following constraints:
certificate authority constraints
OLM is configured to provide each deployment with a single certificate authority (CA). The logic that generates and mounts the CA into the deployment was originally used by the API service lifecycle logic. As a result:
-
The TLS certificate file is mounted to the deployment at /apiserver.local.config/certificates/apiserver.crt
.
-
The TLS key file is mounted to the deployment at /apiserver.local.config/certificates/apiserver.key
.
Admission webhook rules constraints
To prevent an Operator from configuring the cluster into an unrecoverable state, OLM places the CSV in the failed phase if the rules defined in an admission webhook intercept any of the following requests:
-
Requests that target all groups
-
Requests that target the operators.coreos.com
group
-
Requests that target the ValidatingWebhookConfigurations
or MutatingWebhookConfigurations
resources