This is unreleased documentation for Admission Controller 1.36-dev.

Managing Kubewarden Admission Controller with Rancher Fleet

You can manage Kubewarden Admission Controller Helm charts, like other Helm charts, with Rancher Fleet. Rancher Fleet uses Kubernetes CRDs to define a GitOps approach to managing Kubernetes clusters. It does this by defining Fleet Bundles.

Installing

The Admission Controller charts are standard charts, they depend transitively on each other:

kubewarden-crdskubewarden-controllerkubewarden-defaults

See the Quickstart docs for more information.

Using Rancher Fleet, you can code the chart dependencies using dependsOn in the fleet.yaml file.

You may see transient errors until the charts are ready, such as:

ErrApplied(1) [Cluster fleet-local/local: dependent bundle(s) are not ready:
[kubewarden-example-helm-kubewarden-controller]]

These errors don’t signify a problem, and once the charts have finished deployment, they no longer appear.

Removing

When removing the GitRepo, all 3 Admission Controller charts get removed at once. This means the kubewarden-crds chart gets removed.

Admission Controller Kubewarden uses a pre-delete helm hook job in kubewarden-controller chart that deletes the default PolicyServer. Deleting the PolicyServer ensures the webhook configurations of all bound policies are cleaned up at the same time as the PolicyServer is removed. However, if the kubewarden-controller itself is removed before this cleanup completes, webhooks may be left behind, causing admission requests to fail cluster-wide.

Removing the GitRepo, and hence the kubewarden-crds chart at the same time as the kubewarden-controller chart makes the pre-delete hook job fail.

Removing the kubewarden-controller before the kubewarden-defaults will also dangerously skip the pre-delete hook run.

Uninstalling CRDs automatically isn’t normally supported by any tooling, and Rancher Fleet is no exception.

To perform a correct removal, make sure to first remove the Bundle for kubewarden-defaults from the cluster. Do this by committing those changes to the repository holding the Fleet configuration and then waiting until it’s applied. Then remove kubewarden-controller in the same way, and lastly, remove kubewarden-crds.

Example

For an example of Fleet bundle definitions see github.com/kubewarden/fleet-example.