Add namespaceSelector and objectSelector to webhook markers

Enables filtering webhooks by namespace and object labels to solve
the webhook bootstrap problem and support namespace-scoped operators.

Assisted-by: Cursor/Claude

Author: camilamacedo86

Makefile

@@ -97,10 +97,11 @@ test-all:
 modules: ## Runs go mod to ensure modules are up to date.
 	go mod tidy
 	cd pkg/applyconfiguration/testdata/cronjob; go mod tidy
+	cd pkg/webhook/testdata; go mod tidy
 
 .PHONY: verify-modules
 verify-modules: modules ## Verify go modules are up to date
-	@if !(git diff --quiet HEAD -- go.sum go.mod); then \
+	@if !(git diff --quiet HEAD -- go.sum go.mod pkg/applyconfiguration/testdata/cronjob/go.sum pkg/applyconfiguration/testdata/cronjob/go.mod pkg/webhook/testdata/go.sum pkg/webhook/testdata/go.mod); then \
 		git diff; \
 		echo "go module files are out of date, please run 'make modules'"; exit 1; \
 	fi

pkg/webhook/parser.go

@@ -23,6 +23,7 @@ limitations under the License.
 package webhook
 
 import (
+	"encoding/json"
 	"fmt"
 	"slices"
 	"strings"
@@ -159,6 +160,24 @@ type Config struct {
 	// The URL configuration should be between quotes.
 	// `url` cannot be specified when `path` is specified.
 	URL string `marker:"url,optional"`
+
+	// NamespaceSelector limits which namespaces trigger this webhook. The webhook runs only for
+	// requests in namespaces that match the selector. The value is a JSON object with the same
+	// shape as the Kubernetes LabelSelector (matchLabels and/or matchExpressions). Use backticks
+	// around the JSON so you do not need to escape quotes (e.g. namespaceSelector=`{"matchLabels":{"key":"value"}}`).
+	//
+	// Example: namespaceSelector=`{"matchLabels":{"webhook-enabled":"true"}}`
+	// Example: namespaceSelector=`{"matchExpressions":[{"key":"environment","operator":"In","values":["dev","staging","prod"]}]}`
+	NamespaceSelector string `marker:"namespaceSelector,optional"`
+
+	// ObjectSelector limits which objects trigger this webhook. The webhook runs only for requests
+	// whose object matches the selector. The value is a JSON object with the same shape as the
+	// Kubernetes LabelSelector (matchLabels and/or matchExpressions). Use backticks around the JSON
+	// so you do not need to escape quotes (e.g. objectSelector=`{"matchLabels":{"key":"value"}}`).
+	//
+	// Example: objectSelector=`{"matchLabels":{"managed-by":"my-operator"}}`
+	// Example: objectSelector=`{"matchExpressions":[{"key":"app-type","operator":"In","values":["web","api","worker"]}]}`
+	ObjectSelector string `marker:"objectSelector,optional"`
 }
 
 // verbToAPIVariant converts a marker's verb to the proper value for the API.
@@ -180,6 +199,26 @@ func verbToAPIVariant(verbRaw string) admissionregv1.OperationType {
 	}
 }
 
+// parseLabelSelector parses a JSON string into a LabelSelector. The JSON must match the
+// Kubernetes LabelSelector type (matchLabels and/or matchExpressions). Returns nil for empty input.
+func parseLabelSelector(selectorStr string) (*metav1.LabelSelector, error) {
+	selectorStr = strings.TrimSpace(selectorStr)
+	if selectorStr == "" {
+		return nil, nil
+	}
+
+	var selector metav1.LabelSelector
+	if err := json.Unmarshal([]byte(selectorStr), &selector); err != nil {
+		return nil, fmt.Errorf("label selector must be valid JSON (e.g. {\"matchLabels\":{\"key\":\"value\"}}): %w", err)
+	}
+
+	if selector.MatchLabels == nil && len(selector.MatchExpressions) == 0 {
+		return nil, fmt.Errorf("label selector must specify at least one of matchLabels or matchExpressions")
+	}
+
+	return &selector, nil
+}
+
 // ToMutatingWebhookConfiguration converts this WebhookConfig to its Kubernetes API form.
 func (c WebhookConfig) ToMutatingWebhookConfiguration() (admissionregv1.MutatingWebhookConfiguration, error) {
 	if !c.Mutating {
@@ -222,6 +261,16 @@ func (c Config) ToMutatingWebhook() (admissionregv1.MutatingWebhook, error) {
 		return admissionregv1.MutatingWebhook{}, err
 	}
 
+	namespaceSelector, err := c.namespaceSelector()
+	if err != nil {
+		return admissionregv1.MutatingWebhook{}, fmt.Errorf("invalid namespaceSelector: %w", err)
+	}
+
+	objectSelector, err := c.objectSelector()
+	if err != nil {
+		return admissionregv1.MutatingWebhook{}, fmt.Errorf("invalid objectSelector: %w", err)
+	}
+
 	return admissionregv1.MutatingWebhook{
 		Name:                    c.Name,
 		Rules:                   c.rules(),
@@ -232,6 +281,8 @@ func (c Config) ToMutatingWebhook() (admissionregv1.MutatingWebhook, error) {
 		TimeoutSeconds:          c.timeoutSeconds(),
 		AdmissionReviewVersions: c.AdmissionReviewVersions,
 		ReinvocationPolicy:      c.reinvocationPolicy(),
+		NamespaceSelector:       namespaceSelector,
+		ObjectSelector:          objectSelector,
 	}, nil
 }
 
@@ -251,6 +302,16 @@ func (c Config) ToValidatingWebhook() (admissionregv1.ValidatingWebhook, error)
 		return admissionregv1.ValidatingWebhook{}, err
 	}
 
+	namespaceSelector, err := c.namespaceSelector()
+	if err != nil {
+		return admissionregv1.ValidatingWebhook{}, fmt.Errorf("invalid namespaceSelector: %w", err)
+	}
+
+	objectSelector, err := c.objectSelector()
+	if err != nil {
+		return admissionregv1.ValidatingWebhook{}, fmt.Errorf("invalid objectSelector: %w", err)
+	}
+
 	return admissionregv1.ValidatingWebhook{
 		Name:                    c.Name,
 		Rules:                   c.rules(),
@@ -260,6 +321,8 @@ func (c Config) ToValidatingWebhook() (admissionregv1.ValidatingWebhook, error)
 		SideEffects:             c.sideEffects(),
 		TimeoutSeconds:          c.timeoutSeconds(),
 		AdmissionReviewVersions: c.AdmissionReviewVersions,
+		NamespaceSelector:       namespaceSelector,
+		ObjectSelector:          objectSelector,
 	}, nil
 }
 
@@ -402,6 +465,16 @@ func (c Config) reinvocationPolicy() *admissionregv1.ReinvocationPolicyType {
 	return &reinvocationPolicy
 }
 
+// namespaceSelector returns the LabelSelector for the webhook's namespace filter, or nil if unset.
+func (c Config) namespaceSelector() (*metav1.LabelSelector, error) {
+	return parseLabelSelector(c.NamespaceSelector)
+}
+
+// objectSelector returns the LabelSelector for the webhook's object filter, or nil if unset.
+func (c Config) objectSelector() (*metav1.LabelSelector, error) {
+	return parseLabelSelector(c.ObjectSelector)
+}
+
 // webhookVersions returns the target API versions of the {Mutating,Validating}WebhookConfiguration objects for a webhook.
 func (c Config) webhookVersions() ([]string, error) {
 	// If WebhookVersions is not specified, we default it to `v1`.

pkg/webhook/parser_integration_test.go

@@ -526,6 +526,146 @@ var _ = Describe("Webhook Generation From Parsing to CustomResourceDefinition",
 		Expect(err).To(HaveOccurred())
 	})
 
+	It("should properly generate webhook definition with namespaceSelector", func() {
+		By("switching into testdata to appease go modules")
+		cwd, err := os.Getwd()
+		Expect(err).NotTo(HaveOccurred())
+		Expect(os.Chdir("./testdata/valid-namespaceselector")).To(Succeed())
+		defer func() { Expect(os.Chdir(cwd)).To(Succeed()) }()
+
+		By("loading the roots")
+		pkgs, err := loader.LoadRoots(".")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(pkgs).To(HaveLen(1))
+
+		By("setting up the parser")
+		reg := &markers.Registry{}
+		Expect(reg.Register(webhook.ConfigDefinition)).To(Succeed())
+		Expect(reg.Register(webhook.WebhookConfigDefinition)).To(Succeed())
+
+		By("requesting that the manifest be generated")
+		outputDir, err := os.MkdirTemp("", "webhook-integration-test")
+		Expect(err).NotTo(HaveOccurred())
+		defer os.RemoveAll(outputDir)
+		genCtx := &genall.GenerationContext{
+			Collector:  &markers.Collector{Registry: reg},
+			Roots:      pkgs,
+			OutputRule: genall.OutputToDirectory(outputDir),
+		}
+		Expect(webhook.Generator{}.Generate(genCtx)).To(Succeed())
+		for _, r := range genCtx.Roots {
+			Expect(r.Errors).To(HaveLen(0))
+		}
+
+		By("loading the generated v1 YAML")
+		actualFile, err := os.ReadFile(path.Join(outputDir, "manifests.yaml"))
+		Expect(err).NotTo(HaveOccurred())
+		actualManifest := &admissionregv1.ValidatingWebhookConfiguration{}
+		Expect(yaml.UnmarshalStrict(actualFile, actualManifest)).To(Succeed())
+
+		By("loading the desired v1 YAML")
+		expectedFile, err := os.ReadFile("manifests.yaml")
+		Expect(err).NotTo(HaveOccurred())
+		expectedManifest := &admissionregv1.ValidatingWebhookConfiguration{}
+		Expect(yaml.UnmarshalStrict(expectedFile, expectedManifest)).To(Succeed())
+
+		By("comparing the two")
+		assertSame(actualManifest, expectedManifest)
+	})
+
+	It("should properly generate webhook definition with objectSelector", func() {
+		By("switching into testdata to appease go modules")
+		cwd, err := os.Getwd()
+		Expect(err).NotTo(HaveOccurred())
+		Expect(os.Chdir("./testdata/valid-objectselector")).To(Succeed())
+		defer func() { Expect(os.Chdir(cwd)).To(Succeed()) }()
+
+		By("loading the roots")
+		pkgs, err := loader.LoadRoots(".")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(pkgs).To(HaveLen(1))
+
+		By("setting up the parser")
+		reg := &markers.Registry{}
+		Expect(reg.Register(webhook.ConfigDefinition)).To(Succeed())
+		Expect(reg.Register(webhook.WebhookConfigDefinition)).To(Succeed())
+
+		By("requesting that the manifest be generated")
+		outputDir, err := os.MkdirTemp("", "webhook-integration-test")
+		Expect(err).NotTo(HaveOccurred())
+		defer os.RemoveAll(outputDir)
+		genCtx := &genall.GenerationContext{
+			Collector:  &markers.Collector{Registry: reg},
+			Roots:      pkgs,
+			OutputRule: genall.OutputToDirectory(outputDir),
+		}
+		Expect(webhook.Generator{}.Generate(genCtx)).To(Succeed())
+		for _, r := range genCtx.Roots {
+			Expect(r.Errors).To(HaveLen(0))
+		}
+
+		By("loading the generated v1 YAML")
+		actualFile, err := os.ReadFile(path.Join(outputDir, "manifests.yaml"))
+		Expect(err).NotTo(HaveOccurred())
+		actualManifest := &admissionregv1.MutatingWebhookConfiguration{}
+		Expect(yaml.UnmarshalStrict(actualFile, actualManifest)).To(Succeed())
+
+		By("loading the desired v1 YAML")
+		expectedFile, err := os.ReadFile("manifests.yaml")
+		Expect(err).NotTo(HaveOccurred())
+		expectedManifest := &admissionregv1.MutatingWebhookConfiguration{}
+		Expect(yaml.UnmarshalStrict(expectedFile, expectedManifest)).To(Succeed())
+
+		By("comparing the two")
+		assertSame(actualManifest, expectedManifest)
+	})
+
+	It("should properly generate webhook definition with matchExpressions in selectors", func() {
+		By("switching into testdata to appease go modules")
+		cwd, err := os.Getwd()
+		Expect(err).NotTo(HaveOccurred())
+		Expect(os.Chdir("./testdata/valid-selectors-matchexpressions")).To(Succeed())
+		defer func() { Expect(os.Chdir(cwd)).To(Succeed()) }()
+
+		By("loading the roots")
+		pkgs, err := loader.LoadRoots(".")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(pkgs).To(HaveLen(1))
+
+		By("setting up the parser")
+		reg := &markers.Registry{}
+		Expect(reg.Register(webhook.ConfigDefinition)).To(Succeed())
+		Expect(reg.Register(webhook.WebhookConfigDefinition)).To(Succeed())
+
+		By("requesting that the manifest be generated")
+		outputDir, err := os.MkdirTemp("", "webhook-integration-test")
+		Expect(err).NotTo(HaveOccurred())
+		defer os.RemoveAll(outputDir)
+		genCtx := &genall.GenerationContext{
+			Collector:  &markers.Collector{Registry: reg},
+			Roots:      pkgs,
+			OutputRule: genall.OutputToDirectory(outputDir),
+		}
+		Expect(webhook.Generator{}.Generate(genCtx)).To(Succeed())
+		for _, r := range genCtx.Roots {
+			Expect(r.Errors).To(HaveLen(0))
+		}
+
+		By("loading the generated v1 YAML")
+		actualFile, err := os.ReadFile(path.Join(outputDir, "manifests.yaml"))
+		Expect(err).NotTo(HaveOccurred())
+		actualMutating, actualValidating := unmarshalBothV1(actualFile)
+
+		By("loading the desired v1 YAML")
+		expectedFile, err := os.ReadFile("manifests.yaml")
+		Expect(err).NotTo(HaveOccurred())
+		expectedMutating, expectedValidating := unmarshalBothV1(expectedFile)
+
+		By("comparing the two")
+		assertSame(actualMutating, expectedMutating)
+		assertSame(actualValidating, expectedValidating)
+	})
+
 })
 
 func unmarshalBothV1(in []byte) (mutating admissionregv1.MutatingWebhookConfiguration, validating admissionregv1.ValidatingWebhookConfiguration) {