Hey everyone! I've been exploring admission controllers in the Kubernetes space and was curious about whether there's a Kustomize equivalent out there. Specifically, I'm looking to add nodeSelector patches to multiple namespaced deployments all at once, particularly when new updates are pushed through our CI pipeline. It can get a bit tricky using the standard release processes for each app since all of our apps maintain their own Kustomize directories in GitHub. It would be super helpful to find a solution that allows us to make these kinds of changes at scale without the usual headaches. Is there anything like this available? Thanks for your insights!
2 Answers
Yes, you can definitely use any off-the-shelf admission controller or even create your own. Just be cautious, as using webhooks can complicate things and may disrupt your CD workflow if they’re ever down. It's better to use them as a last resort!
You might want to check out Kyverno. It allows you to mutate and generate resources as they're submitted, and it offers quite a bit of functionality for your needs. It can also reconcile in the background, which is a nice feature!
Brilliant, thanks!

Instead of a mutating webhook, why not adopt GitOps-native methods like using Kyverno to mutate or keeping a shared Kustomize base? You could set up a Kyverno policy to add nodeSelector to deployments with a namespaceSelector, start in audit mode, and then enforce it later. Also, consider maintaining an overlay repo as a remote base to roll out changes with tools like Argo CD or Flux!
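The Kyverno approach described in this answer, written out as an added example (not the answerer's own policy): a ClusterPolicy with a mutate rule that adds a nodeSelector to Deployments in labelled namespaces, plus a validate rule in Audit mode that only reports Deployments still missing it. The namespace label `nodeselector-policy: enabled` and the node label `node-pool: general` are constructed placeholders.

```yaml
# Added example; label names and the node-pool value are constructed and
# should be replaced with the ones used in your cluster.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-nodeselector-to-deployments
spec:
  # Audit: the validate rule below only reports offenders. Switch to
  # Enforce once the mutate rule has been rolled out and checked.
  validationFailureAction: Audit
  # Lets the validate rule also report existing Deployments, not just
  # new admission requests.
  background: true
  rules:
    - name: mutate-add-nodeselector
      match:
        any:
          - resources:
              kinds:
                - Deployment
              namespaceSelector:
                matchLabels:
                  nodeselector-policy: enabled
      mutate:
        patchStrategicMerge:
          spec:
            template:
              spec:
                # "+(...)" is Kyverno's add-if-not-present anchor: an app that
                # already sets its own nodeSelector keeps it untouched.
                +(nodeSelector):
                  node-pool: general
    - name: check-nodeselector-present
      match:
        any:
          - resources:
              kinds:
                - Deployment
              namespaceSelector:
                matchLabels:
                  nodeselector-policy: enabled
      validate:
        message: "Deployments in this namespace must set spec.template.spec.nodeSelector."
        pattern:
          spec:
            template:
              spec:
                nodeSelector:
                  # "?*" matches any non-empty value
                  node-pool: "?*"
```

Apply it with `kubectl apply -f` and read the resulting PolicyReport objects to see which Deployments would be affected before changing `validationFailureAction` to Enforce.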