diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index 9a63169072..05fcfad6e9 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -678,9 +678,9 @@ teapot_admission_controller_configmap_deletion_protection_factories_enabled: "tr
 teapot_admission_controller_enable_rolebinding_webhook: "true"
 # enable the generic admission-controller webhook which catches all resources
-teapot_admission_controller_enable_generic_webhook: "false"
+teapot_admission_controller_enable_generic_webhook: "true"
 # prevent write operations for non-admin users in protected namespaces
-teapot_admission_controller_prevent_write_operations: "false"
+teapot_admission_controller_prevent_write_operations: "true"
 # Enable and configure Pod Security Policy rules implemented in admission-controller.
 teapot_admission_controller_pod_security_policy_enabled: "true"
diff --git a/cluster/manifests/02-admission-control/deployment.yaml b/cluster/manifests/02-admission-control/deployment.yaml
index 397dcb731c..77941ee203 100644
--- a/cluster/manifests/02-admission-control/deployment.yaml
+++ b/cluster/manifests/02-admission-control/deployment.yaml
@@ -33,7 +33,7 @@ spec:
 priorityClassName: system-cluster-critical
 containers:
 - name: admission-controller
- image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-224
+ image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-225
 lifecycle:
 preStop:
 exec:
diff --git a/cluster/manifests/02-admission-control/teapot.yaml b/cluster/manifests/02-admission-control/teapot.yaml
index 65604dbb30..95a7a10560 100644
--- a/cluster/manifests/02-admission-control/teapot.yaml
+++ b/cluster/manifests/02-admission-control/teapot.yaml
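Review bot: In cluster/config-defaults.yaml the comment above `teapot_admission_controller_prevent_write_operations` still reads as a hard guarantee, but this commit also sets `failurePolicy: Ignore` in teapot.yaml. If that webhook is the one enforcing the rule, writes by non-admin users in protected namespaces are admitted whenever the admission controller is unreachable. Because the default flips to `"true"` for every cluster here, I would say so next to the setting, e.g. `# NOTE: best-effort while the webhook failurePolicy is Ignore; requests are admitted if the admission-controller is unreachable`. It would also help to state whether this option requires `teapot_admission_controller_enable_generic_webhook`, which the two being switched on together suggests but the hunk does not show.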
@@ -493,7 +493,8 @@ webhooks:
 {{- end }}
 caBundle: "{{ .Cluster.ConfigItems.ca_cert_decompressed }}"
 admissionReviewVersions: ["v1beta1"]
- failurePolicy: Fail
+ # TODO: Switch back to Fail once we have solved the chicken and egg problem
+ failurePolicy: Ignore # Fail
 sideEffects: "NoneOnDryRun"
 matchPolicy: Equivalent
 namespaceSelector:
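Review bot: `failurePolicy: Ignore` makes this webhook fail open, so when the admission controller is down or times out the API server admits the request unchecked, and the TODO names no ticket or owner for reverting it. The webhook entry begins above the hunk, so I cannot see which rules it carries; if it backs the checks that config-defaults.yaml now enables by default, they are skipped during any controller outage. If the chicken-and-egg problem is the controller's own pods being blocked at startup (my assumption), keeping `Fail` and excluding only the controller's namespace through the `namespaceSelector` that follows would be a narrower fix. At minimum I would reference a tracking issue in the TODO, drop the trailing `# Fail`, and alert on the API server's `apiserver_admission_webhook_fail_open_count` metric, where the cluster version exposes it, so fail-open admissions are visible.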