Fix race between rancher-webhook-replicas and pdb-minavailable-check kyverno policies

What does this MR do and why?

Bring a couple of improvements to

  • Mutate rancher-webhook in admission controller

The target directive was causing kyverno to handle this request in the background controller. This was leading to race conditions with the pdb-minavailable-check policy, which is implemented in the admission controller.

As the background controller handles requests asynchronously, the resource can't be mutated before validation, which probably explains this race condition (the deployment works if rancher-webhook is installed before kyverno-policies).

Remove the target directive in order to have mutation and validation in the same controller.

  • Use wait instead of healthChecks in rancher-init

As this unit is producing various resources depending on values, it is better to wait for them instead of using custom HealthChecks, all the more as all produced resources seem to expose a Ready condition.

Related reference(s)

Closes #1225 (closed)

Edited by Francois Eleouet
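
The change described above, sketched as an added example that is not taken from this merge request or the project's repository: a Kyverno mutate rule with a `targets` block (applied asynchronously by the background controller) beside the same rule without it (applied to the incoming request in the admission controller, before validating policies run). Policy names, the `cattle-system` namespace and the replica count are assumptions.

```yaml
# Added illustration; names, namespace and replica count are assumptions.
# Before: `targets` makes this a mutate-existing rule. Kyverno applies it
# asynchronously from the background controller, so a validating policy
# in the admission controller can see the Deployment before it is patched.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: rancher-webhook-replicas-before   # hypothetical name
spec:
  rules:
    - name: set-replicas
      match:
        any:
          - resources:
              kinds: [Deployment]
              names: [rancher-webhook]
              namespaces: [cattle-system]   # assumed namespace
      mutate:
        targets:
          - apiVersion: apps/v1
            kind: Deployment
            name: rancher-webhook
            namespace: cattle-system
        patchStrategicMerge:
          spec:
            replicas: 2   # constructed value
---
# After: no `targets`. The patch is applied to the admission request itself,
# so mutation happens before validating admission evaluates the resource.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: rancher-webhook-replicas-after   # hypothetical name
spec:
  rules:
    - name: set-replicas
      match:
        any:
          - resources:
              kinds: [Deployment]
              names: [rancher-webhook]
              namespaces: [cattle-system]   # assumed namespace
      mutate:
        patchStrategicMerge:
          spec:
            replicas: 2   # constructed value
```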
