feat: implement namespace selectors

config/inject.go

@@ -6,7 +6,8 @@ import (
 )
 
 type Inject struct {
-	LabelSelector *LabelSelector `yaml:"labelSelector,omitempty"`
+	LabelSelector     *LabelSelector `yaml:"labelSelector,omitempty"`
+	NamespaceSelector *LabelSelector `yaml:"namespaceSelector,omitempty"`
 
 	Annotations map[string]string `yaml:"annotations,omitempty"`
 	Labels      map[string]string `yaml:"labels,omitempty"`
@@ -20,6 +21,9 @@ func (i Inject) Fingerprint() string {
 	sum.Write([]byte("labelSelector:"))
 	i.LabelSelector.hash(sum)
 
+	sum.Write([]byte("namespaceSelector:"))
+	i.NamespaceSelector.hash(sum)
+
 	sum.Write([]byte("annotations:"))
 	for k, v := range i.Annotations {
 		sum.Write([]byte("key:"))

deploy/deployment-fargate.yaml

@@ -71,5 +71,11 @@ data:
           matchLabels:
             app.kubernetes.io/name: dummy-injected-via-deployment
 
+        namespaceSelector:
+          matchExpressions:
+            - key: kubernetes.io/metadata.name
+              operator: NotIn
+              values: [kube-system]
+
         labels:
           eks.amazonaws.com/fargate-profile: default

deploy/deployment-node-exporter.yaml

@@ -72,6 +72,12 @@ data:
             - key: eks.amazonaws.com/fargate-profile
               operator: Exists
 
+        namespaceSelector:
+          matchExpressions:
+            - key: kubernetes.io/metadata.name
+              operator: NotIn
+              values: [kube-system]
+
         labels:
           flashbots.net/fargate-node-exporter: true
 

readme.md

@@ -15,6 +15,12 @@ inject:
         - key: eks.amazonaws.com/fargate-profile
           operator: Exists
 
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values: [kube-system]
+
     labels:
       flashbots.net/prometheus-node-exporter: true
 

server/k8s.go

@@ -52,6 +52,10 @@ func (s *Server) upsertMutatingWebhookConfiguration(ctx context.Context) error {
 		if err != nil {
 			return err
 		}
+		namespaceSelector, err := i.NamespaceSelector.LabelSelector()
+		if err != nil {
+			return err
+		}
 
 		fingerprint := i.Fingerprint()
 		pathWebhook := s.cfg.Server.PathWebhook + "/" + fingerprint
@@ -63,6 +67,7 @@ func (s *Server) upsertMutatingWebhookConfiguration(ctx context.Context) error {
 
 			AdmissionReviewVersions: []string{"v1", "v1beta1"},
 			ObjectSelector:          objectSelector,
+			NamespaceSelector:       namespaceSelector,
 
 			FailurePolicy:      &failurePolicy_Ignore,
 			ReinvocationPolicy: &reinvocationPolicy_IfNeeded,
@@ -180,9 +185,9 @@ func (s *Server) mutatePod(
 	if timestamp, alreadyProcessed := pod.Annotations[annotationProcessed]; alreadyProcessed {
 		l.Info("Pod was already processed by inject-configuration with the same fingerprint => skipping...",
 			zap.String("fingerprint", fingerprint),
+			zap.String("fingerprintTimestamp", timestamp),
 			zap.String("namespace", pod.Namespace),
 			zap.String("pod", pod.Name),
-			zap.String("timestamp", timestamp),
 		)
 		return nil, nil
 	}
@@ -191,7 +196,7 @@ func (s *Server) mutatePod(
 
 	inject, exists := s.inject[fingerprint]
 	if !exists {
-		l.Warn("Unknown inject fingerprint => skipping...",
+		l.Warn("Unknown inject-configuration fingerprint => skipping...",
 			zap.String("fingerprint", fingerprint),
 			zap.String("namespace", pod.Namespace),
 			zap.String("pod", pod.Name),