FR: Make list of namespaces used by the namespace selector configurable (#600)

* webhook scope

* FR: make ignore namespaces configurable

* chore: adjust ignoreNamespace selection, add tests, update changelog

---------

Co-authored-by: Kayla Ondracek <112117836+kondracek-nr@users.noreply.github.com>
Co-authored-by: Kayla Ondracek <kondracek@newrelic.com>

Author: dpacheconr

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### enhancement
+- Add default ignoredNamespace and make configurable @dpacheconr [#600](https://github.com/newrelic/k8s-metadata-injection/pull/600/)
+
 ## v1.36.0 - 2025-08-25
 
 ### 🚀 Enhancements

charts/nri-metadata-injection/ci/test-values.yaml

@@ -10,3 +10,5 @@ ports:
 service:
   port: 443
   targetPort: ""
+
+ignoreNamespaces: ['kube-public', 'kube-node-lease', 'kube-system']

charts/nri-metadata-injection/templates/admission-webhooks/mutatingWebhookConfiguration.yaml

@@ -24,11 +24,19 @@ webhooks:
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
-{{- if .Values.injectOnlyLabeledNamespaces }}
+{{- if or .Values.ignoreNamespaces .Values.injectOnlyLabeledNamespaces }}
     scope: Namespaced
   namespaceSelector:
+{{- if .Values.ignoreNamespaces }}
+    matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values: {{ .Values.ignoreNamespaces | toJson }}
+{{- end }}
+{{- if .Values.injectOnlyLabeledNamespaces }}
     matchLabels:
       newrelic-metadata-injection: enabled
+{{- end }}
 {{- end }}
   failurePolicy: Ignore
   timeoutSeconds: {{ .Values.timeoutSeconds }}

charts/nri-metadata-injection/tests/webhook_test.yaml

@@ -0,0 +1,41 @@
+suite: test mutatingwebhookconfiguraton values
+templates:
+  - templates/admission-webhooks/mutatingWebhookConfiguration.yaml
+release:
+  name: release
+  namespace: ns
+tests:
+  - it: default ignored namespaces are set
+    set:
+      cluster: my-cluster
+    asserts:
+      - equal:
+          path: webhooks[0].namespaceSelector.matchExpressions[0].values
+          value: ['kube-public', 'kube-node-lease', 'kube-system']
+  - it: custom ignored namespaces are set
+    set:
+      cluster: my-cluster
+      ignoreNamespaces: ['custom-namespace1', 'custom-namespace2']
+    asserts:
+      - equal:
+          path: webhooks[0].namespaceSelector.matchExpressions[0].values
+          value: [ 'custom-namespace1', 'custom-namespace2' ]
+  - it: empty ignoreNamespaces results in no namespaceSelector
+    set:
+      cluster: my-cluster
+      ignoreNamespaces: []
+    asserts:
+      - notExists:
+          path: webhooks[0].namespaceSelector
+  - it: injectOnlyLabeledNamespaces=true results in namespaceSelector with matchLabels
+    set:
+      cluster: my-cluster
+      injectOnlyLabeledNamespaces: true
+    asserts:
+      - equal:
+          path: webhooks[0].namespaceSelector.matchLabels
+          value:
+            newrelic-metadata-injection: enabled
+      - equal:
+          path: webhooks[0].namespaceSelector.matchExpressions[0].values
+          value: [ 'kube-public', 'kube-node-lease', 'kube-system' ]

charts/nri-metadata-injection/values.yaml

@@ -92,6 +92,9 @@ tolerations: []
 # with 'newrelic-metadata-injection=enabled'.
 injectOnlyLabeledNamespaces: false
 
+# -- This is a list of namespaces that will be ignored by the webhook.
+ignoreNamespaces: ['kube-public', 'kube-node-lease', 'kube-system']
+
 # -- Use custom tls certificates for the webhook, or let the chart handle it
 # automatically.
 # Ref: https://docs.newrelic.com/docs/integrations/kubernetes-integration/link-your-applications/link-your-applications-kubernetes#configure-injection