Add dependency loop advice.

Source PR: #46798 Co-authored-by: Shaun Crampton <[email protected]> Co-authored-by: Kat Cosgrove <[email protected]> Co-authored-by: Tim Bannister <[email protected]>
kubernetes · Feb 19, 2025 · 58a1ab9 · 58a1ab9
1 parent b2bb8a3
commit 58a1ab9
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/content/en/docs/concepts/security/mutating-webhooks-good-practices.md b/content/en/docs/concepts/security/mutating-webhooks-good-practices.md
@@ -371,6 +371,27 @@ result, the migration cannot happen.
 Exclude the namespace where your webhook is running with a
 [`namespaceSelector`](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector).
 
+### Avoid dependency loops {#avoid-dependency-loops}
+
+Dependency loops can occur in scenarios like the following:
+
+* Two webhooks check each other's Pods. If both webhooks become unavailable
+  at the same time, neither webhook can start.
+* Your webhook intercepts cluster add-on components, such as networking plugins
+  or storage plugins, that your webhook depends on. If both the webhook and the
+  dependent add-on become unavailable, neither component can function.
+
+To avoid these dependency loops, try the following:
+
+* Use
+  [ValidatingAdmissionPolicies](/docs/reference/access-authn-authz/validating-admission-policy/)
+  to avoid introducing dependencies.
+* Prevent webhooks from validating or mutating other webhooks. Consider
+  [excluding specific namespaces](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
+  from triggering your webhook.
+* Prevent your webhooks from acting on dependent add-ons by using an
+  [`objectSelector`](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector).
+
 ### Fail open and validate the final state {#fail-open-validate-final-state}
 
 Mutating admission webhooks support the `failurePolicy` configuration field.