Webhook configuration
Webhook parameters:
Enable or disable the webhook
Controls whether the Applier uses a mutating admission webhook to apply recommendations.
| Parameter | Default value |
|---|---|
| webhook.enabled | true |
Description
By default, the Applier can use a mutating admission webhook to apply recommendations. This setting also grants the additional RBAC permissions required for webhook operation to the Applier.
When disabled, recommendations are still generated and can be applied as patches, but webhook-based apply methods (WebhookImmediateRollout, WebhookHybridRollout, WebhookDeferredRollout) will not work.
Teams can set live.stormforge.io/apply.method on individual namespaces or workloads to use a webhook-based method. For annotation syntax details, see Apply method in the Apply Settings topic.
Continuous reconciliation, if enabled, doesn’t run for workloads using a webhook-based apply method. Webhook methods rely on admission-time mutation rather than continuous patching.
Valid values
- true (default)
- false
Namespace allow and deny lists
Restrict webhook use to specific namespaces.
| Parameter | Default value |
|---|---|
| webhook.allowNamespaces | [] |
| webhook.denyNamespaces | ["kube-system"] |
Description
You can restrict webhook use to specific namespaces:
- To allow webhook use on specific namespaces, configure the webhook.allowNamespaces list.
- To deny webhook use on specific namespaces, configure the webhook.denyNamespaces list.
If both webhook.allowNamespaces and webhook.denyNamespaces are configured, the denyNamespaces list is ignored and only the allow list is enforced.
If a namespace or workload uses a webhook-based apply method but the webhook is disabled or a namespace list restricts access, recommendations are still generated, but can’t be applied via webhook. In this case, UI and CLI values may differ from the values on Pods.
Valid values
An array of strings or regular expressions to match against namespace names.
To explicitly unset either of these values, use null.
Examples
```yaml
webhook:
  denyNamespaces:
    - ".*-system"
```
or
```yaml
webhook:
  denyNamespaces: null
  allowNamespaces:
    - "monitoring"
    - "frontend"
    - ".ecommerce-*"
```
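Because a non-empty allow list makes the deny list (including the default kube-system entry) ignored, it is worth previewing which namespaces the webhook will cover before changing these values. The helper below is an added example, not StormForge code; it assumes full-string regex matching (the page does not state how patterns are anchored) and runs against a constructed namespace list.

```python
import re
from typing import Dict, Iterable, List, Optional

def _matches(namespace: str, patterns: Optional[Iterable[str]]) -> bool:
    """True if the namespace matches any entry; entries may be literal
    names or regular expressions. Assumption: patterns must match the
    whole namespace name (re.fullmatch); the page does not specify this."""
    if not patterns:
        return False
    return any(re.fullmatch(p, namespace) for p in patterns)

def webhook_covers(namespace: str,
                   allow: Optional[List[str]] = None,
                   deny: Optional[List[str]] = None) -> bool:
    """Documented precedence: when allowNamespaces is non-empty, only the
    allow list is enforced and denyNamespaces is ignored. Otherwise every
    namespace not matched by the deny list is covered. null/None and []
    both count as unset."""
    if allow:
        return _matches(namespace, allow)
    return not _matches(namespace, deny)

def preview(namespaces: Iterable[str],
            allow: Optional[List[str]] = None,
            deny: Optional[List[str]] = None) -> Dict[str, bool]:
    """Map each namespace to whether the webhook would mutate Pods in it."""
    return {ns: webhook_covers(ns, allow, deny) for ns in namespaces}

# Constructed sample cluster namespaces (not from the page).
SAMPLE_NAMESPACES = ["kube-system", "istio-system", "monitoring", "frontend", "payments"]

if __name__ == "__main__":
    # Chart defaults: only kube-system is excluded.
    print(preview(SAMPLE_NAMESPACES, allow=[], deny=["kube-system"]))
    # Page example: regex deny of every *-system namespace.
    print(preview(SAMPLE_NAMESPACES, deny=[".*-system"]))
    # Page example: explicit allow list; nothing else is covered.
    print(preview(SAMPLE_NAMESPACES, allow=["monitoring", "frontend"], deny=None))
    # Pitfall: a broad allow pattern re-enables kube-system because the
    # deny list is ignored once allowNamespaces is set.
    print(preview(SAMPLE_NAMESPACES, allow=[".*"], deny=["kube-system"]))
```

Run it with the allow and deny lists from your values file to confirm that system namespaces stay out of scope before upgrading the chart.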
TLS configuration
Configure TLS for the webhook.
| Parameter | Default value |
|---|---|
| webhook.tlsSecretName | "" |
| webhook.caBundle | "" |
Description
By default, StormForge uses an integrated cert-controller to provision and rotate TLS certificates for the webhook automatically.
- Set webhook.tlsSecretName to the name of an existing TLS Secret to disable the integrated cert-controller and use your own certificate.
- Set webhook.caBundle to provide the CA bundle directly when managing your own TLS certificates without the integrated cert-controller.
Failure policy
Controls what happens if the webhook is unavailable or returns an error.
| Parameter | Default value |
|---|---|
| webhook.failurePolicy | Ignore |
Description
Ignore (default): If the webhook fails, the admission request proceeds — workloads are created and updated normally, but recommendations won’t be applied at admission time.
Fail: If the webhook fails, the admission request is rejected. Use with caution — a webhook outage will block Pod creation in namespaces covered by the webhook.
Valid values
- Ignore (default)
- Fail