From 49cacf1ad3b7f95f80aba47a13665f0dd41cfef9 Mon Sep 17 00:00:00 2001
From: Baolin Zhu
Date: Thu, 19 Feb 2026 17:56:52 +0800
Subject: [PATCH] fix: proxy-webhook selector matches operator pods
Both the `tekton-operator` and `tekton-operator-proxy-webhook` Deployments label their Pods with `name: tekton-operator`. The `tekton-operator-proxy-webhook` Service uses this same label as its only selector, so it inadvertently load-balances traffic across both Deployments. Because `tekton-operator` pods do not serve on port 8443, ~50% of admission webhook requests fail: failed calling webhook "proxy.operator.tekton.dev": Post ".../tekton-operator-proxy-webhook.../defaulting": dial tcp :443: connect: connection refused Because MutatingWebhookConfiguration has `failurePolicy: Fail`, each such failure immediately rejects TaskRun Pod creation. Rename the proxy-webhook Deployment's selector matchLabels and pod template label from `name: tekton-operator` to `name: tekton-operator-proxy-webhook`, and update the Service selector to match. The `app: tekton-operator` label is left unchanged. Applies to both Kubernetes and OpenShift manifests. Adding a set-based (NotIn) expression to the Service selector instead was not viable as Kubernetes Services only support equality-based (matchLabels) selectors.
---
 cmd/kubernetes/operator/kodata/webhook/webhook.yaml | 6 +++---
 cmd/openshift/operator/kodata/webhook/webhook.yaml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/cmd/kubernetes/operator/kodata/webhook/webhook.yaml b/cmd/kubernetes/operator/kodata/webhook/webhook.yaml
index 808f34c544..5f2a3ad938 100644
--- a/cmd/kubernetes/operator/kodata/webhook/webhook.yaml
+++ b/cmd/kubernetes/operator/kodata/webhook/webhook.yaml
@@ -92,11 +92,11 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- name: tekton-operator
+ name: tekton-operator-proxy-webhook
 template:
 metadata:
 labels:
- name: tekton-operator
+ name: tekton-operator-proxy-webhook
 app: tekton-operator
 spec:
 serviceAccountName: tekton-operators-proxy-webhook
@@ -152,7 +152,7 @@ spec:
 port: 443
 targetPort: 8443
 selector:
- name: tekton-operator
+ name: tekton-operator-proxy-webhook
 ---
diff --git a/cmd/openshift/operator/kodata/webhook/webhook.yaml b/cmd/openshift/operator/kodata/webhook/webhook.yaml
index 3732d74916..eee9a2ef56 100644
--- a/cmd/openshift/operator/kodata/webhook/webhook.yaml
+++ b/cmd/openshift/operator/kodata/webhook/webhook.yaml
@@ -95,11 +95,11 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- name: tekton-operator
+ name: tekton-operator-proxy-webhook
 template:
 metadata:
 labels:
- name: tekton-operator
+ name: tekton-operator-proxy-webhook
 app: tekton-operator
 spec:
 securityContext:
@@ -156,7 +156,7 @@ spec:
 port: 443
 targetPort: 8443
 selector:
- name: tekton-operator
+ name: tekton-operator-proxy-webhook
 ---
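Review bot: The `selector.matchLabels` change in the `@@ -92,11` hunk (and the matching `@@ -95,11` hunk of the OpenShift manifest) edits a field that `apps/v1` treats as immutable on an existing Deployment, so an in-place upgrade is likely to be rejected unless the installer deletes and recreates `tekton-operator-proxy-webhook`; how this manifest gets applied is not visible in the diff. If the Deployment update is refused while the Service selector change from the later hunk is accepted, the Service would select no pods, and with the `failurePolicy: Fail` described in the commit message every webhook call would then be rejected rather than roughly half of them. The upgrade path should be stated in the commit or release notes, and a comment above the label such as `# must differ from the tekton-operator pod label; spec.selector is immutable, recreate the Deployment on upgrade` would record the constraint. The Deployment definition starts and ends outside the hunk.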
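Review bot: The Service `selector` in the `@@ -152,7` hunk (and `@@ -156,7` in the OpenShift manifest) carries no comment saying that it must match only the webhook pods, which is the constraint this fix restores. A line above it such as `# must match only proxy-webhook pods; any other pod carrying this label becomes an admission webhook backend` would keep a later label cleanup from reintroducing the overlap. Because the pod template keeps `app: tekton-operator` and drops `name: tekton-operator`, it is also worth checking for selectors outside this diff (NetworkPolicy, PodDisruptionBudget, monitoring) that key on either label and were expected to cover, or to exclude, the webhook pods. The Service definition begins outside the hunk.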