Kubernetes cluster configuration and compliance with Jetstack Preflight

Jetstack formed as a way to help companies get value out of Kubernetes, and since the early days of the project, we have learned plenty about what it takes to run Kubernetes successfully - sometimes the hard way! It’s this valuable experience that we bring to our customers, giving them the confidence to take services to production and scale their platforms. As Kubernetes permeates businesses, we see customers run clusters in a huge variety of ways.

How a simple admission webhook led to a cluster outage

Jetstack often works with customers to provision multi-tenant platforms on Kubernetes. Sometimes special requirements arise that we cannot control with stock Kubernetes configuration. In order to implement such requirements, we’ve recently started making use of the Open Policy Agent project as an admission controller to enforce custom policies.

This post is a write-up of an incident caused by misconfiguration of this integration.