elastic · naemono · Sep 20, 2022 · Sep 13, 2022
diff --git a/pkg/controller/common/webhook/webhook.go b/pkg/controller/common/webhook/webhook.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 
 	admissionv1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -19,6 +20,14 @@ import (
 	"github.com/elastic/cloud-on-k8s/v2/pkg/utils/set"
 )
 
+// validatableObject is the object to be validated, along with methods
+// that allow retrieval of namespace and name to ignore any objects
+// that are outside of the operator's managed namespaces.
+type validatableObject interface {
+	admission.Validator
+	metav1.Object
+}
+
 // SetupValidatingWebhookWithConfig will register a set of validation functions
 // at a given path, with a given controller manager, ensuring that the objects
 // are within the namespaces that the operator manages.
@@ -61,7 +70,7 @@ func (v *validatingWebhook) InjectDecoder(d *admission.Decoder) error {
 func (v *validatingWebhook) Handle(ctx context.Context, req admission.Request) admission.Response {
 	whlog := ulog.FromContext(ctx).WithName("common-webhook")
 
-	obj, ok := v.validator.DeepCopyObject().(admission.Validator)
+	obj, ok := v.validator.DeepCopyObject().(validatableObject)
 	if !ok {
 		return admission.Errored(http.StatusBadRequest, fmt.Errorf("object (%T) to be validated couldn't be converted to admission.Validator", v.validator))
 	}
@@ -72,6 +81,13 @@ func (v *validatingWebhook) Handle(ctx context.Context, req admission.Request) a
 		return admission.Errored(http.StatusBadRequest, err)
 	}
 
+	// If this resource is not within the set of managed namespaces
+	// for this operator ignore this request.
+	if v.managedNamespaces.Count() > 0 && !v.managedNamespaces.Has(obj.GetNamespace()) {
+		whlog.V(1).Info("Skip resource validation", "name", obj.GetName(), "namespace", obj.GetNamespace())
+		return admission.Allowed("")
+	}
+
 	if err := v.commonValidations(ctx, req, obj); err != nil {
 		return admission.Denied(err.Error())
 	}

diff --git a/pkg/controller/common/webhook/webhook_test.go b/pkg/controller/common/webhook/webhook_test.go
@@ -123,6 +123,34 @@ func Test_validatingWebhook_Handle(t *testing.T) {
 			},
 			want: admission.Allowed(""),
 		},
+		{
+			name: "request from un-managed namespace is ignored, and just accepted",
+			fields: fields{
+				set.Make("elastic"),
+				&agentv1alpha1.Agent{},
+			},
+			req: admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Operation: admissionv1.Delete,
+					Object: runtime.RawExtension{
+						Raw: asJSON(&agentv1alpha1.Agent{
+							ObjectMeta: metav1.ObjectMeta{
+								Name:      "testAgent",
+								Namespace: "unmanaged",
+								Labels: map[string]string{
+									"test": "label1",
+								},
+							},
+							Spec: agentv1alpha1.AgentSpec{
+								Version:    "7.10.0",
+								Deployment: &agentv1alpha1.DeploymentSpec{},
+							},
+						}),
+					},
+				},
+			},
+			want: admission.Allowed(""),
+		},
 		{
 			name: "update agent is allowed when label is updated",
 			fields: fields{