Never let cluster-scoped resources skip webhooks

Kubernetes-commit: 0d717272ccbec12189946325594a8a5f29d6bd68
2018-01-11 18:05:54 -08:00 · 2018-01-11 18:05:54 -08:00 · fcee784ffb
parent d48bded43d
commit fcee784ffb
2 changed files with 5 additions and 5 deletions
--- a/pkg/admission/plugin/webhook/namespace/matcher.go
+++ b/pkg/admission/plugin/webhook/namespace/matcher.go
@ -90,10 +90,10 @@ func (m *Matcher) MatchNamespaceSelector(h *v1beta1.Webhook, attr admission.Attr
 	namespaceName := attr.GetNamespace()
 	if len(namespaceName) == 0 && attr.GetResource().Resource != "namespaces" {
 		// If the request is about a cluster scoped resource, and it is not a
-		// namespace, it is exempted from all webhooks for now.
+		// namespace, it is never exempted.
 		// TODO: figure out a way selective exempt cluster scoped resources.
 		// Also update the comment in types.go
-		return false, nil
+		return true, nil
 	}
 	namespaceLabels, err := m.GetNamespaceLabels(attr)
 	// this means the namespace is not found, for backwards compatibility,
--- a/pkg/admission/plugin/webhook/namespace/matcher_test.go
+++ b/pkg/admission/plugin/webhook/namespace/matcher_test.go
@ -113,7 +113,7 @@ func TestGetNamespaceLabels(t *testing.T) {
 	}
 }

-func TestExemptClusterScopedResource(t *testing.T) {
+func TestNotExemptClusterScopedResource(t *testing.T) {
 	hook := &registrationv1beta1.Webhook{
 		NamespaceSelector: &metav1.LabelSelector{},
 	}
@ -123,7 +123,7 @@ func TestExemptClusterScopedResource(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if matches {
-		t.Errorf("cluster scoped resources (but not a namespace) should be exempted from all webhooks")
+	if !matches {
+		t.Errorf("cluster scoped resources (but not a namespace) should not be exempted from webhooks")
 	}
 }