fix: disable istio inject on controller deployment for webhook (#652)
While working on the [deployment wiki](https://github.com/andyatmiami/kubeflow-notebooks/wiki/Deploying-Kubeflow-Notebooks-2.0-%5BDEVELOPMENT-ONLY%5D) - I ended up stumbling upon an issue whereby if an istio sidecar is injected on the deployment - webhooks traffic starts failing with the following:
```
2025-10-14T14:41:24Z ERROR Reconciler error {"controller": "workspacekind", "controllerGroup": "kubeflow.org", "controllerKind": "WorkspaceKind", "WorkspaceKind": {"name":"jupyterlab"}, "namespace": "", "name": "jupyterlab", "reconcileID": "23977643-4d6a-4c03-93c0-a64fc0002ab2", "error": "Internal error occurred: failed calling webhook \"vworkspacekind.kb.io\": failed to call webhook: Post \"https://webhook-service.kubeflow-workspaces.svc:443/validate-kubeflow-org-v1beta1-workspacekind?timeout=10s\": EOF"}
```
The reason it has not been detected until now is due to the following:
1. istio installed
2. controller gets installed with "vanilla" namespace
   - no istio-inject label
3. backend/frontend update namespace with istio-inject label
4. controller redeployed
   - deployment now gets injected
5. webhooks calls fail
i.e. given the order of our component manifests getting deployed - it's not until **after** `controller` is deployed once `backend` and/or `frontend` applied that this issue manifests.
For now, as a quick fix - this commit simply adds a `patch.yaml` file to decorate the `workspaces-controller` `Deployment` with the `sidecar.istio.io/inject: "false"`.
- we will want to (eventually) restructure the `controller` `manifests` with `kustomize` to better align with `frontend` + `backend` (with `overlays` that specifically handle the `istio` case)
- we will want to (probably) support the `istio` sidecar on `controller` - but configured in such a way to allow webhooks traffic to be allowed to pass
For consistency with `frontend` and `backend` components - this patch also defines the `istio-injection: enabled` label on the `Namespace` manifest of the `controller`.
Signed-off-by: Andy Stoneberg <astonebe@redhat.com>
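
A sketch of the kind of kustomize configuration the message describes, added here as an example and not the commit's actual `patch.yaml` or manifests. The namespace name is taken from the webhook URL in the log above; the file layout, the placement on the pod template, and setting both the label and the annotation form of `sidecar.istio.io/inject` are assumptions.

```yaml
# kustomization.yaml (fragment; the existing resources list is assumed and not shown)
patches:
  - path: patch.yaml
    target:
      kind: Deployment
      name: workspaces-controller
---
# patch.yaml: strategic merge patch (assumed form).
# Istio's injector evaluates the pod, so the opt-out goes on the pod template,
# not on the Deployment's own metadata.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workspaces-controller
spec:
  template:
    metadata:
      labels:
        # Current form of the opt-out; a pod-level "false" takes precedence
        # over the namespace's istio-injection=enabled label.
        sidecar.istio.io/inject: "false"
      annotations:
        # Older annotation form, kept for Istio versions that read it.
        sidecar.istio.io/inject: "false"
---
# Namespace manifest of the controller (name assumed from the webhook URL in the log).
# With this label present from the first apply, the controller no longer depends on
# whether backend/frontend have already labelled the namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: kubeflow-workspaces
  labels:
    istio-injection: enabled
```

After applying, the controller pod should show only its own containers and no `istio-proxy` container, even after a redeploy into the labelled namespace.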