Skip webhook on kube-system by default for tap-injector/jaeger-injector

jaeger/charts/linkerd-jaeger/README.md

@@ -134,7 +134,7 @@ Kubernetes: `>=1.21.0-0`
 | webhook.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
 | webhook.keyPEM | string | `""` | Certificate key for the webhook. If not provided and not using an external secret then Helm will generate one. |
 | webhook.logLevel | string | `"info"` |  |
-| webhook.namespaceSelector | string | `nil` |  |
+| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}` | Namespace selector used by admission webhook. |
 | webhook.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
 | webhook.objectSelector | string | `nil` |  |
 | webhook.replicas | int | `1` | Number of replicas of the jaeger-injector component |

jaeger/charts/linkerd-jaeger/values.yaml

@@ -284,11 +284,13 @@ webhook:
     pullPolicy: ""
   logLevel: info
 
+  # -- Namespace selector used by admission webhook.
   namespaceSelector:
-    #matchExpressions:
-    #- key: runlevel
-    #  operator: NotIn
-    #  values: ["0","1"]
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kube-system
   objectSelector:
     #matchLabels:
     #  foo: bar

viz/charts/linkerd-viz/README.md

@@ -198,7 +198,7 @@ Kubernetes: `>=1.21.0-0`
 | tapInjector.keyPEM | string | `""` | Certificate key for the tapInjector. If not provided and not using an external secret then Helm will generate one. |
 | tapInjector.logFormat | string | defaultLogFormat | log format of the tapInjector component |
 | tapInjector.logLevel | string | defaultLogLevel | log level of the tapInjector |
-| tapInjector.namespaceSelector | string | `nil` |  |
+| tapInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}` | Namespace selector used by admission webhook. |
 | tapInjector.objectSelector | string | `nil` |  |
 | tapInjector.proxy | string | `nil` |  |
 | tapInjector.replicas | int | `1` | Number of replicas of tapInjector |

viz/charts/linkerd-viz/values.yaml

@@ -246,11 +246,13 @@ tapInjector:
     # @default -- defaultImagePullPolicy
     pullPolicy: ""
 
+  # -- Namespace selector used by admission webhook.
   namespaceSelector:
-    # matchExpressions:
-    # - key: runlevel
-    #   operator: NotIn
-    #   values: ["0","1"]
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kube-system
   objectSelector:
     # matchLabels:
     #   foo: bar