27 changes: 15 additions & 12 deletions documentation/assemblies/deploying/assembly-drain-cleaner.adoc
Expand Up @@ -22,20 +22,10 @@ This informs the Cluster Operator to perform a rolling update of an evicted pod.

NOTE: If you are not using the Strimzi Drain Cleaner, you can xref:proc-manual-rolling-update-pods-str[add pod annotations to perform rolling updates manually].

.Webhook configuration
The Strimzi Drain Cleaner deployment files include a `ValidatingWebhookConfiguration` resource file.
The resource provides the configuration for registering the webhook with the Kubernetes API.
== Default webhook configuration

The configuration defines the `rules` for the Kubernetes API to follow in the event of a pod eviction request.
The rules specify that only `CREATE` operations related to `pods/eviction` sub-resources are intercepted.
If these rules are met, the API forwards the notification.
The Strimzi Drain Cleaner deployment includes a `ValidatingWebhookConfiguration` resource that registers the webhook with the Kubernetes API:

The `clientConfig` points to the Strimzi Drain Cleaner service and `/drainer` endpoint that exposes the webhook.
The webhook uses a secure TLS connection, which requires authentication.
The `caBundle` property specifies the certificate chain to validate HTTPS communication.
Certificates are encoded in Base64.

.Webhook configuration for pod eviction notifications
[source,yaml,subs="attributes+"]
----
apiVersion: admissionregistration.k8s.io/v1
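Review bot: The new `== Default webhook configuration` heading appears in this hunk without an explicit ID line above it, so other modules cannot link to the section with a stable xref. Consider adding an ID in the style used elsewhere in the docs. Also, the intro sentence now ends in a colon directly before the `.Webhook configuration for pod eviction notifications` block title; check that the rendered output reads cleanly, since the explanation of `rules`, `clientConfig` and `caBundle` has moved below the YAML and the reader meets the example before any description of its fields.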
Expand All @@ -59,6 +49,19 @@ webhooks:
# ...
----

Unless you are using your own TLS certificates, no manual configuration is required.

The webhook intercepts pod eviction requests based on the `rules` defined in the configuration.
Only `CREATE` operations targeting the `pods/eviction` sub-resource are evaluated.
When these conditions are met, the API forwards the request to the webhook.

The `clientConfig` section specifies the target service and endpoint for the webhook.
The webhook listens on the `/drainer` path and requires a secure TLS connection.

The `caBundle` property provides the Base64-encoded certificate chain used to validate HTTPS communication.
By default, the TLS certificates are generated and injected into the configuration automatically.
If you supply your own TLS certificates, you must manually update the `caBundle` value.

//steps for deploying drain cleaner
include::../../modules/drain-cleaner/proc-drain-cleaner-deploying.adoc[leveloffset=+1]
ifdef::Section[]
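Review bot: The rewritten `clientConfig` paragraph drops the earlier statement that the TLS connection "requires authentication" and now says only that the webhook "requires a secure TLS connection"; if that was intentional, fine, otherwise it should be restored, because it tells the reader the API server must be able to validate the webhook's certificate. The `caBundle` paragraph says certificates are "generated and injected into the configuration automatically" without naming what does the injection, and "you must manually update the `caBundle` value" has no link to a procedure. Suggest naming the mechanism, adding an xref to the steps for supplying your own certificates, and stating what happens to eviction requests when `caBundle` no longer matches the certificate the webhook serves, for example after a certificate renewal. The opening sentence "Unless you are using your own TLS certificates, no manual configuration is required." and the closing sentence repeat the same condition, so one of them could be merged into the other.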