removing namespace filtering from eviction webhook handle, relying on configurations.

tanmayja · tanmayja · commit 005ed306705e · 2025-10-24T15:45:26.000+05:30
diff --git a/api/v1/utils.go b/api/v1/utils.go
@@ -664,18 +664,3 @@ func IsPathParentOrSame(dir1, dir2 string) bool {
 	// Paths are unrelated.
 	return false
 }
-
-// GetWatchNamespace returns the Namespace the operator should be watching for changes
-func GetWatchNamespace() (string, error) {
-	// WatchNamespaceEnvVar is the constant for env variable WATCH_NAMESPACE
-	// which specifies the Namespace to watch.
-	// An empty value means the operator is running with cluster scope.
-	var watchNamespaceEnvVar = "WATCH_NAMESPACE"
-
-	ns, found := os.LookupEnv(watchNamespaceEnvVar)
-	if !found {
-		return "", fmt.Errorf("%s must be set", watchNamespaceEnvVar)
-	}
-
-	return ns, nil
-}
diff --git a/cmd/main.go b/cmd/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"crypto/tls"
 	"flag"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -199,7 +200,7 @@ func main() {
 		})
 	}
 
-	watchNs, err := asdbv1.GetWatchNamespace()
+	watchNs, err := getWatchNamespace()
 	if err != nil {
 		setupLog.Error(err, "Failed to get watch namespace")
 		os.Exit(1)
@@ -397,6 +398,21 @@ func main() {
 	eventBroadcaster.Shutdown()
 }
 
+// getWatchNamespace returns the Namespace the operator should be watching for changes
+func getWatchNamespace() (string, error) {
+	// WatchNamespaceEnvVar is the constant for env variable WATCH_NAMESPACE
+	// which specifies the Namespace to watch.
+	// An empty value means the operator is running with cluster scope.
+	var watchNamespaceEnvVar = "WATCH_NAMESPACE"
+
+	ns, found := os.LookupEnv(watchNamespaceEnvVar)
+	if !found {
+		return "", fmt.Errorf("%s must be set", watchNamespaceEnvVar)
+	}
+
+	return ns, nil
+}
+
 // getEventBurstSize returns the burst size of events that can be handled in the cluster
 func getEventBurstSize() int {
 	// EventBurstSizeEnvVar is the constant for env variable EVENT_BURST_SIZE
diff --git a/internal/webhook/general/eviction_webhook.go b/internal/webhook/general/eviction_webhook.go
@@ -25,8 +25,6 @@ import (
 	"strings"
 	"time"
 
-	lib "github.com/aerospike/aerospike-management-lib"
-
 	"github.com/go-logr/logr"
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -72,6 +70,13 @@ func (ew *EvictionWebhook) isAerospikePod(pod *corev1.Pod) bool {
 
 // setEvictionBlockedAnnotation sets an annotation on the pod indicating eviction was blocked
 func (ew *EvictionWebhook) setEvictionBlockedAnnotation(ctx context.Context, pod *corev1.Pod) error {
+	// Check if annotation already exists, no update needed
+	if pod.Annotations != nil {
+		if _, exists := pod.Annotations[EvictionBlockedAnnotation]; exists {
+			return nil
+		}
+	}
+
 	// Create a patch to add the annotation
 	patch := client.MergeFrom(pod.DeepCopy())
 
@@ -128,14 +133,6 @@ func (ew *EvictionWebhook) Handle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Check namespace filtering
-	if !ew.shouldEvaluateNamespace(admissionReview.Request.Namespace) {
-		log.V(1).Info("Namespace not in watch list, allowing eviction", "namespace", admissionReview.Request.Namespace)
-		ew.sendResponse(w, admissionReview, &response)
-
-		return
-	}
-
 	// Process eviction request
 	evictionResult := ew.processEvictionRequest(admissionReview, log)
 	if evictionResult != nil {
@@ -167,23 +164,6 @@ func (ew *EvictionWebhook) isWebhookEnabled() bool {
 	return found && strings.EqualFold(enable, "true")
 }
 
-// shouldEvaluateNamespace checks if the namespace should be evaluated
-func (ew *EvictionWebhook) shouldEvaluateNamespace(namespace string) bool {
-	watchNs, err := asdbv1.GetWatchNamespace()
-	if err != nil {
-		ew.Log.Error(err, "Failed to get watch namespaces")
-		return false
-	}
-
-	if watchNs == "" {
-		return true // No namespace filtering
-	}
-
-	nsList := strings.Split(watchNs, ",")
-
-	return lib.ContainsString(nsList, namespace)
-}
-
 // processEvictionRequest processes the eviction request and returns the response
 func (ew *EvictionWebhook) processEvictionRequest(admissionReview *admissionv1.AdmissionReview,
 	log logr.Logger) *admissionv1.AdmissionResponse {
@@ -229,6 +209,7 @@ func (ew *EvictionWebhook) processEvictionRequest(admissionReview *admissionv1.A
 	log.Info("Blocking eviction of Aerospike pod", "pod", eviction.Name)
 
 	// Set annotation asynchronously (non-blocking)
+	// TODO: do we really want async here?
 	go ew.setEvictionBlockedAnnotationAsync(pod)
 
 	return &admissionv1.AdmissionResponse{
diff --git a/test/cluster/podspec_test.go b/test/cluster/podspec_test.go
@@ -523,7 +523,7 @@ var _ = Describe(
 					},
 				)
 
-				FIt(
+				It(
 					"Should fail adding reserved annotations",
 					func() {
 						aeroCluster := createDummyAerospikeCluster(

Original file line number	Diff line number	Diff line change
`@@ -523,7 +523,7 @@ var _ = Describe(`
`523`	`523`	`},`
`524`	`524`	`)`
`525`	`525`
`526`		`- FIt(`
	`526`	`+ It(`
`527`	`527`	`"Should fail adding reserved annotations",`
`528`	`528`	`func() {`
`529`	`529`	`aeroCluster := createDummyAerospikeCluster(`