From fcee784ffbabd0ab1b48614beac6caa90b681434 Mon Sep 17 00:00:00 2001
From: Chao Xu
Date: Thu, 11 Jan 2018 18:05:54 -0800
Subject: [PATCH] Never let cluster-scoped resources skip webhooks

Kubernetes-commit: 0d717272ccbec12189946325594a8a5f29d6bd68
---
 pkg/admission/plugin/webhook/namespace/matcher.go | 4 ++--
 pkg/admission/plugin/webhook/namespace/matcher_test.go | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkg/admission/plugin/webhook/namespace/matcher.go b/pkg/admission/plugin/webhook/namespace/matcher.go
index b9157b9ba..a05411915 100644
--- a/pkg/admission/plugin/webhook/namespace/matcher.go
+++ b/pkg/admission/plugin/webhook/namespace/matcher.go
@@ -90,10 +90,10 @@ func (m *Matcher) MatchNamespaceSelector(h *v1beta1.Webhook, attr admission.Attr
 namespaceName := attr.GetNamespace()
 if len(namespaceName) == 0 && attr.GetResource().Resource != "namespaces" {
 // If the request is about a cluster scoped resource, and it is not a
- // namespace, it is exempted from all webhooks for now.
+ // namespace, it is never exempted.
 // TODO: figure out a way selective exempt cluster scoped resources.
 // Also update the comment in types.go
- return false, nil
+ return true, nil
 }
 namespaceLabels, err := m.GetNamespaceLabels(attr)
 // this means the namespace is not found, for backwards compatibility,
diff --git a/pkg/admission/plugin/webhook/namespace/matcher_test.go b/pkg/admission/plugin/webhook/namespace/matcher_test.go
index e8f77ba90..d0aee1499 100644
--- a/pkg/admission/plugin/webhook/namespace/matcher_test.go
+++ b/pkg/admission/plugin/webhook/namespace/matcher_test.go
@@ -113,7 +113,7 @@ func TestGetNamespaceLabels(t *testing.T) {
 }
 }
 
-func TestExemptClusterScopedResource(t *testing.T) {
+func TestNotExemptClusterScopedResource(t *testing.T) {
 hook := ®istrationv1beta1.Webhook{
 NamespaceSelector: &metav1.LabelSelector{},
 }
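Review bot: The rewritten comment in `MatchNamespaceSelector` says cluster-scoped resources are "never exempted" but does not say what `return true, nil` means for callers: the webhook's namespaceSelector is not consulted at all on this path, so these requests match every webhook however narrowly its selector is scoped. I would spell that out, e.g. `// namespace, the namespaceSelector cannot apply, so the request always matches and is sent to the webhook.` The TODO still asks to update the comment in types.go, while the diffstat lists only matcher.go and matcher_test.go, so the API documentation for the selector may still describe the old exemption and should be updated or tracked with this change. The function body continues outside the hunk.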
@@ -123,7 +123,7 @@ func TestExemptClusterScopedResource(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- if matches {
- t.Errorf("cluster scoped resources (but not a namespace) should be exempted from all webhooks")
+ if !matches {
+ t.Errorf("cluster scoped resources (but not a namespace) should not be exempted from webhooks")
 }
 }
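Review bot: The flipped assertion `if !matches` does not show that the selector is actually bypassed, because the hook in this test (previous hunk) is built with an empty `NamespaceSelector: &metav1.LabelSelector{}`, which selects everything. A selector that can match nothing in the fixture, for example `NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"example-label": "example-value"}},` (constructed label), would pin that cluster-scoped requests reach the webhook regardless of the selector. The attributes and matcher setup sit between the two hunks and are not visible here, so confirm the fixture has no namespace carrying that label.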