karmada-io · jabellard · Oct 12, 2025 · Oct 12, 2025 · Oct 12, 2025 · Oct 12, 2025
diff --git a/charts/karmada-operator/templates/karmada-operator-deployment.yaml b/charts/karmada-operator/templates/karmada-operator-deployment.yaml
@@ -5,11 +5,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels: {{- include "common.labels.standard" . | nindent 4 }}
     app: {{ include "karmada.operator.fullname" . }}
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- if .Values.operator.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.operator.labels "context" $ ) | nindent 4 }}
     {{- end }}
-  {{- if .Values.commonAnnotations }}
-  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- if .Values.operator.annotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.annotations "context" $ ) | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{  .Values.operator.replicaCount }}
@@ -27,32 +27,42 @@ spec:
       {{- end }}
       labels: {{- include "common.labels.standard" . | nindent 8 }}
         app: {{ include "karmada.operator.fullname" . }}
-        {{- if .Values.podLabels }}
+        {{- if .Values.operator.podLabels }}
         {{- include "common.tplvalues.render" (dict "value" .Values.operator.podLabels "context" $) | nindent 8 }}
         {{- end }}
     spec:
       {{- include "karmada.operator.imagePullSecrets" . | indent 6 }}
       containers:
-      - name: {{ include "karmada.operator.fullname" . }}
-        image: {{ template "karmada.operator.image" . }}
-        imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
-        ports:
-        - containerPort: 8080
-          name: metrics
-          protocol: TCP
-        command:
-        - /bin/karmada-operator
-        - --leader-elect-resource-namespace={{ .Release.Namespace }}
-        - --v=2
+        - name: {{ include "karmada.operator.fullname" . }}
+          image: {{ template "karmada.operator.image" . }}
+          imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
+          ports:
+            - containerPort: 8080
+              name: metrics
+              protocol: TCP
+            - containerPort: 9443
+              name: webhook
+              protocol: TCP
+          command:
+            - /bin/karmada-operator
+            - --leader-elect-resource-namespace={{ .Release.Namespace }}
+            - --register-admission-webhooks={{ .Values.operator.admissionControl.registerAdmissionWebhooks }}
+            - --v=2
         {{- range .Values.operator.extraArgs }}
-        - {{ . }}
+            - {{ . }}
         {{- end }}
         {{- with .Values.operator.env }}
-        env:
+          env:
         {{- toYaml . | nindent 10 }}
         {{- end }}
         {{- if .Values.operator.resources }}
-        resources: {{- toYaml .Values.operator.resources | nindent 12 }}
+          resources: {{- toYaml .Values.operator.resources | nindent 12 }}
+        {{- end }}
+        {{- if .Values.operator.admissionControl.registerAdmissionWebhooks }}
+          volumeMounts:
+            - name: karmada-operator-webhook-cert
+              mountPath: /tmp/k8s-webhook-server/serving-certs
+              readOnly: true
         {{- end }}
       serviceAccountName: {{ include "karmada.operator.fullname" . }}
       {{- if .Values.operator.affinity }}
@@ -64,3 +74,9 @@ spec:
       {{- if .Values.operator.tolerations }}
       tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.operator.tolerations "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.operator.admissionControl.registerAdmissionWebhooks }}
+      volumes:
+        - name: karmada-operator-webhook-cert
+          secret:
+            secretName: karmada-operator-webhook-cert
+      {{- end }}
diff --git a/charts/karmada-operator/templates/webhook-cert.yaml b/charts/karmada-operator/templates/webhook-cert.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.operator.admissionControl.registerAdmissionWebhooks }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: karmada-operator-webhook-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: karmada-operator-webhook-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: karmada-operator-webhook-cert
+  issuerRef:
+    kind: Issuer
+    name: karmada-operator-webhook-cert
+  dnsNames:
+    - karmada-operator-webhook
+    - karmada-operator-webhook.{{ .Release.Namespace }}
+    - karmada-operator-webhook.{{ .Release.Namespace }}.svc
+    - karmada-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local
+{{- end }}
diff --git a/charts/karmada-operator/templates/webhook-configs.yaml b/charts/karmada-operator/templates/webhook-configs.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.operator.admissionControl.registerAdmissionWebhooks }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: karmada-mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/karmada-operator-webhook-cert
+webhooks:
+  - name: karmada-v1alpha1.kb.io
+    admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: karmada-operator-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /mutate-operator-karmada-io-v1alpha1-karmada
+    failurePolicy: Fail
+    sideEffects: None
+    rules:
+      - apiGroups: ["operator.karmada.io"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE","UPDATE"]
+        resources: ["karmadas"]
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: karmada-validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/karmada-operator-webhook-cert
+webhooks:
+  - name: karmada-v1alpha1.kb.io
+    admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: karmada-operator-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate-operator-karmada-io-v1alpha1-karmada
+    failurePolicy: Fail
+    sideEffects: None
+    rules:
+      - apiGroups: ["operator.karmada.io"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE","UPDATE"]
+        resources: ["karmadas"]
+{{- end }}
diff --git a/charts/karmada-operator/templates/webhook-service.yaml b/charts/karmada-operator/templates/webhook-service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.operator.admissionControl.registerAdmissionWebhooks }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: karmada-operator-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "karmada.operator.fullname" . }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: webhook
+      port: 443
+      targetPort: webhook
+      protocol: TCP
+  selector:
+    app: {{ include "karmada.operator.fullname" . }}
+{{- end }}
diff --git a/charts/karmada-operator/values.yaml b/charts/karmada-operator/values.yaml
@@ -37,8 +37,14 @@ kubectl:
 
 ## operator manager config
 operator:
+  ## @param operator.admissionControl admission control configuration
+  admissionControl:
+    ## @param operator.admissionControl.registerAdmissionWebhooks whether to register admission webhooks
+    registerAdmissionWebhooks: false
   ## @param operator.labels
   labels: {}
+  ## @param operator.annotations Operator deployment annotations
+  annotations: {}
   ## @param operator.replicaCount target replicas
   replicaCount: 1
   ## @param operator.podAnnotations

diff --git a/operator/cmd/operator/app/operator.go b/operator/cmd/operator/app/operator.go
@@ -20,8 +20,9 @@
 	"context"
 	"flag"
 	"fmt"
+	"github.com/karmada-io/karmada/operator/internal/webhook/v1alpha1"
 	"os"
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/util/sets"
 	restclient "k8s.io/client-go/rest"
@@ -50,6 +51,8 @@
 	"github.com/karmada-io/karmada/pkg/version/sharedcommand"
 )
 
+var admissionWebhooksRegistered = false
+
 // NewOperatorCommand creates a *cobra.Command object with default parameters
 func NewOperatorCommand(ctx context.Context) *cobra.Command {
 	o := options.NewOptions()
@@ -79,6 +82,13 @@
 				return err
 			}
 			logs.InitLogs()
+
+			// Starting from version 0.15.0, controller-runtime expects its consumers to set a logger through log.SetLogger.
+			// If SetLogger is not called within the first 30 seconds of a binaries lifetime, it will get
+			// set to a NullLogSink and report an error. Here's to silence the "log.SetLogger(...) was never called; logs will not be displayed" error
+			// by setting a logger through log.SetLogger.
+			// More info refer to: https://github.com/karmada-io/karmada/pull/4885.
+			controllerruntime.SetLogger(klog.Background())
 			return nil
 		},
 		RunE: func(_ *cobra.Command, _ []string) error {
@@ -116,6 +126,16 @@
 		return err
 	}
 
+	if o.RegisterAdmissionWebhooks {
+		klog.Info("Registering admission webhooks with the controller manager")
+		err = v1alpha1.SetupKarmadaWebhookWithManager(manager)
+		if err != nil {
+			klog.Errorf("Failed to setup karmada-operator webhook: %v", err)
+			return err
+		}
+		admissionWebhooksRegistered = true
+	}
+
 	if err := manager.AddHealthzCheck("ping", healthz.Ping); err != nil {
 		klog.Errorf("Failed to add health check endpoint: %v", err)
 		return err
@@ -153,9 +173,10 @@
 
 func startKarmadaController(ctx ctrlctx.Context) (bool, error) {
 	ctrl := &karmada.Controller{
-		Config:        ctx.Manager.GetConfig(),
-		Client:        ctx.Manager.GetClient(),
-		EventRecorder: ctx.Manager.GetEventRecorderFor(karmada.ControllerName),
+		Config:                      ctx.Manager.GetConfig(),
+		Client:                      ctx.Manager.GetClient(),
+		EventRecorder:               ctx.Manager.GetEventRecorderFor(karmada.ControllerName),
+		AdmissionWebhooksRegistered: admissionWebhooksRegistered,
 	}
 	if err := ctrl.SetupWithManager(ctx.Manager); err != nil {
 		klog.ErrorS(err, "unable to setup with manager", "controller", karmada.ControllerName)

diff --git a/operator/cmd/operator/app/options/options.go b/operator/cmd/operator/app/options/options.go
@@ -57,6 +57,8 @@ type Options struct {
 	HealthProbeBindAddress string
 	// ConcurrentKarmadaSyncs is the number of karmada objects that are allowed to sync concurrently.
 	ConcurrentKarmadaSyncs int
+	// RegisterAdmissionWebhooks decides whether to register admission webhooks.
+	RegisterAdmissionWebhooks bool
 }
 
 // NewOptions creates a new Options with a default config.
@@ -91,6 +93,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet, allControllers []string, disabledB
 		"named 'foo', '-foo' disables the controller named 'foo'.\nAll controllers: %s .\nDisabled-by-default controllers: %s .",
 		strings.Join(allControllers, ", "), strings.Join(disabledByDefaultControllers, ", ")))
 	fs.IntVar(&o.ConcurrentKarmadaSyncs, "concurrent-karmada-syncs", o.ConcurrentKarmadaSyncs, "The number of karmada objects that are allowed to sync concurrently.")
+	fs.BoolVar(&o.RegisterAdmissionWebhooks, "register-admission-webhooks", false, "Whether to register admission webhooks.")
 	options.BindLeaderElectionFlags(&o.LeaderElection, fs)
 }