Added dynamic namespace selector for mutating webhook

[rahtr]

Please provide a description of this PR:
There are instances when users can't use the static namespace selectors. This PR makes the namespace selector as an optional input value. If it isn't provided then use the defaults.

[istio-policy-bot]

😊 Welcome @rahtr! This is either your first contribution to the Istio istio repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[istio-testing]

Hi @rahtr. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[howardjohn]

Can you give more context on the use case?

These selectors are extremely finnacky, complex, and error prone. Would be good to be really sure we need it before introducing more complexity

[rahtr]

We manage a fleet on K8s multi-tenant clusters which are exposed to our internal teams via various homegrown tools. These tools are managed by different teams and have different ways to provision namespaces. When these namespaces are provisioned, there are certain prefixes that are added to the labels/annotations which are governed by the security policies. For example, if a team wants to create a namespace foo on multi-tenant clusters which has a label with a key istio.io/rev, a prefix like infosec-istio.io/rev automatically gets added to the namespace label.

This PR would take care of such scenarios and make the mutating webhook configuration more dynamic.

[rahtr]

@howardjohn , could you please review my comment above and see if this use case sounds reasonable for this fix?

[costinm]

If your use case is that you add a prefix to the label - why not just add a prefix setting, instead of the far more complicated selector ?

[rahtr]

If your use case is that you add a prefix to the label - why not just add a prefix setting, instead of the far more complicated selector ?

Could you please share an example? Where do we add this prefix setting?

[howardjohn]

I suggest tackling this problem outside Istio. The webhooks already cause nightmares of complexity as is, and I am not very much in favor of introducing more complexity unless we are 100% sure we require it. https://istio.io/latest/docs/setup/additional-setup/customize-installation-helm/ may be an alternative approach to solve this out of band

[rahtr]

I suggest tackling this problem outside Istio. The webhooks already cause nightmares of complexity as is, and I am not very much in favor of introducing more complexity unless we are 100% sure we require it. https://istio.io/latest/docs/setup/additional-setup/customize-installation-helm/ may be an alternative approach to solve this out of band

There are many ways to tackle this outside this, however this looks like a straightforward approach.
This looks like a pretty common approach for managing selectors. For example check this webhook configuration for cert manager(https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml#L17).

[howardjohn]

I am aware that other projects have different offerings. However, Istio's webhooks are far more complex due to various factors (legacy decisions, namespace + pod labels, revisions) that make them far less appealing to support customization directly in the project.