[lineage] Separate webhook from cozy controller

The lineage-controller-webhook makes a lot of outgoing API calls for every event it handles, contributing to a high API server latency, increasing the number of in-flight requests and generally degrading performance. This patch remedies this by separating the lineage component from the cozystack-controller and deploying it as a separate component on all control-plane nodes. Additionally, a new internal label is introduced to track if a resource has already been handled by the webhook. This label is used to exclude such resources from consideration. Addresses #1513. ```release-note [lineage] Break webhook out into a separate daemonset. Reduce unnecessary webhook calls by marking handled resources and excluding them from consideration by the webhook's object selector. ``` Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
2026-01-27 10:18:39 +00:00 · 2025-10-13 19:03:40 +03:00
parent bb8f2047bf
commit 2a82273902
23 changed files with 419 additions and 82 deletions
--- a/1
+++ b/1
@@ -15,6 +15,7 @@ build: build-deps
 	make -C packages/extra/monitoring image
 	make -C packages/system/cozystack-api image
 	make -C packages/system/cozystack-controller image
+	make -C packages/system/lineage-controller-webhook image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/kubeovn-webhook image
--- a/cmd/cozystack-controller/main.go
+++ b/cmd/cozystack-controller/main.go
@@ -39,7 +39,6 @@ import (
 	cozystackiov1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 	"github.com/cozystack/cozystack/internal/controller"
 	"github.com/cozystack/cozystack/internal/controller/dashboard"
-	lcw "github.com/cozystack/cozystack/internal/lineagecontrollerwebhook"
 	"github.com/cozystack/cozystack/internal/telemetry"

 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
@@ -222,20 +221,6 @@ func main() {
 		os.Exit(1)
 	}

-	// special one that's both a webhook and a reconciler
-	lineageControllerWebhook := &lcw.LineageControllerWebhook{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}
-	if err := lineageControllerWebhook.SetupWithManagerAsController(mgr); err != nil {
-		setupLog.Error(err, "unable to setup controller", "controller", "LineageController")
-		os.Exit(1)
-	}
-	if err := lineageControllerWebhook.SetupWithManagerAsWebhook(mgr); err != nil {
-		setupLog.Error(err, "unable to setup webhook", "webhook", "LineageWebhook")
-		os.Exit(1)
-	}
-
 	// +kubebuilder:scaffold:builder

 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
--- a/cmd/lineage-controller-webhook/main.go
+++ b/cmd/lineage-controller-webhook/main.go
@@ -0,0 +1,179 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	cozystackiov1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+	lcw "github.com/cozystack/cozystack/internal/lineagecontrollerwebhook"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(cozystackiov1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	// Configure rate limiting for the Kubernetes client
+	config := ctrl.GetConfigOrDie()
+	config.QPS = 50.0  // Increased from default 5.0
+	config.Burst = 100 // Increased from default 10
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "8796f12d.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	lineageControllerWebhook := &lcw.LineageControllerWebhook{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}
+	if err := lineageControllerWebhook.SetupWithManagerAsController(mgr); err != nil {
+		setupLog.Error(err, "unable to setup controller", "controller", "LineageController")
+		os.Exit(1)
+	}
+	if err := lineageControllerWebhook.SetupWithManagerAsWebhook(mgr); err != nil {
+		setupLog.Error(err, "unable to setup webhook", "webhook", "LineageWebhook")
+		os.Exit(1)
+	}
+
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}
--- a/docs/changelogs/unreleased.md
+++ b/docs/changelogs/unreleased.md
@@ -0,0 +1,3 @@
+# Changes after v0.37.0
+
+* [lineage] Break webhook out into a separate daemonset. Reduce unnecessary webhook calls by marking handled resources and excluding them from consideration by the webhook's object selector (@lllamnyp in #1515). 
--- a/internal/lineagecontrollerwebhook/webhook.go
+++ b/internal/lineagecontrollerwebhook/webhook.go
@@ -26,6 +26,13 @@ var (
 	AncestryAmbiguous = fmt.Errorf("object ancestry is ambiguous")
 )

+const (
+	ManagedObjectKey = "internal.cozystack.io/managed-by-cozystack"
+	ManagerGroupKey  = "apps.cozystack.io/application.group"
+	ManagerKindKey   = "apps.cozystack.io/application.kind"
+	ManagerNameKey   = "apps.cozystack.io/application.name"
+)
+
 // getResourceSelectors returns the appropriate CozystackResourceDefinitionResources for a given GroupKind
 func (h *LineageControllerWebhook) getResourceSelectors(gk schema.GroupKind, crd *cozyv1alpha1.CozystackResourceDefinition) *cozyv1alpha1.CozystackResourceDefinitionResources {
 	switch {
@@ -91,7 +98,7 @@ func (h *LineageControllerWebhook) Handle(ctx context.Context, req admission.Req
 	labels, err := h.computeLabels(ctx, obj)
 	for {
 		if err != nil && errors.Is(err, NoAncestors) {
-			return admission.Allowed("object not managed by app")
+			break // not a problem, mark object as unmanaged
 		}
 		if err != nil && errors.Is(err, AncestryAmbiguous) {
 			warn = append(warn, "object ancestry ambiguous, using first ancestor found")
@@ -119,7 +126,7 @@ func (h *LineageControllerWebhook) Handle(ctx context.Context, req admission.Req
 func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstructured.Unstructured) (map[string]string, error) {
 	owners := lineage.WalkOwnershipGraph(ctx, h.dynClient, h.mapper, h, o)
 	if len(owners) == 0 {
-		return nil, NoAncestors
+		return map[string]string{ManagedObjectKey: "false"}, NoAncestors
 	}
 	obj, err := owners[0].GetUnstructured(ctx, h.dynClient, h.mapper)
 	if err != nil {
@@ -135,7 +142,8 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
 	}
 	labels := map[string]string{
 		// truncate apigroup to first 63 chars
-		"apps.cozystack.io/application.group": func(s string) string {
+		ManagedObjectKey: "true",
+		ManagerGroupKey: func(s string) string {
 			if len(s) < 63 {
 				return s
 			}
@@ -145,8 +153,8 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
 			}
 			return s
 		}(gv.Group),
-		"apps.cozystack.io/application.kind": obj.GetKind(),
-		"apps.cozystack.io/application.name": obj.GetName(),
+		ManagerKindKey: obj.GetKind(),
+		ManagerNameKey: obj.GetName(),
 	}
 	templateLabels := map[string]string{
 		"kind":      strings.ToLower(obj.GetKind()),
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -68,6 +68,12 @@ releases:
      disableTelemetry: true
  {{- end }}

+- name: lineage-controller-webhook
+  releaseName: lineage-controller-webhook
+  chart: cozy-lineage-controller-webhook
+  namespace: cozy-system
+  dependsOn: [cozystack-controller,cilium,cert-manager]
+
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -36,6 +36,12 @@ releases:
      disableTelemetry: true
  {{- end }}

+- name: lineage-controller-webhook
+  releaseName: lineage-controller-webhook
+  chart: cozy-lineage-controller-webhook
+  namespace: cozy-system
+  dependsOn: [cozystack-controller,cert-manager]
+
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -105,6 +105,12 @@ releases:
      disableTelemetry: true
  {{- end }}

+- name: lineage-controller-webhook
+  releaseName: lineage-controller-webhook
+  chart: cozy-lineage-controller-webhook
+  namespace: cozy-system
+  dependsOn: [cozystack-controller,cilium,kubeovn,cert-manager]
+
 - name: cozystack-resource-definition-crd
  releaseName: cozystack-resource-definition-crd
  chart: cozystack-resource-definition-crd
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -52,6 +52,12 @@ releases:
      disableTelemetry: true
  {{- end }}

+- name: lineage-controller-webhook
+  releaseName: lineage-controller-webhook
+  chart: cozy-lineage-controller-webhook
+  namespace: cozy-system
+  dependsOn: [cozystack-controller,cert-manager]
+
 - name: cozystack-resource-definition-crd
  releaseName: cozystack-resource-definition-crd
  chart: cozystack-resource-definition-crd
--- a/packages/system/cozystack-controller/templates/certmanager.yaml
+++ b/packages/system/cozystack-controller/templates/certmanager.yaml
@@ -1,45 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: cozystack-controller-webhook-selfsigned
-  namespace: {{ .Release.Namespace }}
-spec:
-  selfSigned: {}
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: cozystack-controller-webhook-ca
-  namespace: {{ .Release.Namespace }}
-spec:
-  secretName: cozystack-controller-webhook-ca
-  duration: 43800h  # 5 years
-  commonName: cozystack-controller-webhook-ca
-  issuerRef:
-    name: cozystack-controller-webhook-selfsigned
-  isCA: true
---
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: cozystack-controller-webhook-ca
-  namespace: {{ .Release.Namespace }}
-spec:
-  ca:
-    secretName: cozystack-controller-webhook-ca
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: cozystack-controller-webhook
-  namespace: {{ .Release.Namespace }}
-spec:
-  secretName: cozystack-controller-webhook-cert
-  duration: 8760h
-  renewBefore: 720h
-  issuerRef:
-    name: cozystack-controller-webhook-ca
-  commonName: cozystack-controller
-  dnsNames:
-    - cozystack-controller
-    - cozystack-controller.{{ .Release.Namespace }}.svc
--- a/packages/system/cozystack-controller/templates/deployment.yaml
+++ b/packages/system/cozystack-controller/templates/deployment.yaml
@@ -28,15 +28,3 @@ spec:
        {{- if .Values.cozystackController.disableTelemetry }}
        - --disable-telemetry
        {{- end }}
-        ports:
-        - name: webhook
-          containerPort: 9443
-        volumeMounts:
-          - name: webhook-certs
-            mountPath: /tmp/k8s-webhook-server/serving-certs
-            readOnly: true
-      volumes:
-        - name: webhook-certs
-          secret:
-            secretName: cozystack-controller-webhook-cert
-            defaultMode: 0400
--- a/packages/system/lineage-controller-webhook/.gitignore
+++ b/packages/system/lineage-controller-webhook/.gitignore
@@ -0,0 +1,27 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin/*
+Dockerfile.cross
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Go workspace file
+go.work
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+.vscode
+*.swp
+*.swo
+*~
--- a/packages/system/lineage-controller-webhook/Chart.yaml
+++ b/packages/system/lineage-controller-webhook/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-lineage-controller-webhook
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
--- a/packages/system/lineage-controller-webhook/Makefile
+++ b/packages/system/lineage-controller-webhook/Makefile
@@ -0,0 +1,18 @@
+NAME=lineage-controller-webhook
+NAMESPACE=cozy-system
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
+
+image: image-lineage-controller-webhook
+
+image-lineage-controller-webhook:
+	docker buildx build -f images/lineage-controller-webhook/Dockerfile ../../.. \
+		--tag $(REGISTRY)/lineage-controller-webhook:$(call settag,$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/lineage-controller-webhook:latest \
+		--cache-to type=inline \
+		--metadata-file images/lineage-controller-webhook.json \
+		$(BUILDX_ARGS)
+	IMAGE="$(REGISTRY)/lineage-controller-webhook:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/lineage-controller-webhook.json -o json -r)" \
+		yq -i '.lineageControllerWebhook.image = strenv(IMAGE)' values.yaml
+	rm -f images/lineage-controller-webhook.json
--- a/packages/system/lineage-controller-webhook/images/lineage-controller-webhook/Dockerfile
+++ b/packages/system/lineage-controller-webhook/images/lineage-controller-webhook/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.24-alpine AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+
+COPY go.mod go.sum ./
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go mod download
+
+COPY api api/
+COPY pkg pkg/
+COPY cmd cmd/
+COPY internal internal/
+
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /lineage-controller-webhook cmd/lineage-controller-webhook/main.go
+
+FROM scratch
+
+COPY --from=builder /lineage-controller-webhook /lineage-controller-webhook
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
+ENTRYPOINT ["/lineage-controller-webhook"]
--- a/packages/system/lineage-controller-webhook/templates/certmanager.yaml
+++ b/packages/system/lineage-controller-webhook/templates/certmanager.yaml
@@ -0,0 +1,45 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: lineage-controller-webhook-selfsigned
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: lineage-controller-webhook-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: lineage-controller-webhook-ca
+  duration: 43800h  # 5 years
+  commonName: lineage-controller-webhook-ca
+  issuerRef:
+    name: lineage-controller-webhook-selfsigned
+  isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: lineage-controller-webhook-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  ca:
+    secretName: lineage-controller-webhook-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: lineage-controller-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: lineage-controller-webhook-cert
+  duration: 8760h
+  renewBefore: 720h
+  issuerRef:
+    name: lineage-controller-webhook-ca
+  commonName: lineage-controller-webhook
+  dnsNames:
+    - lineage-controller-webhook
+    - lineage-controller-webhook.{{ .Release.Namespace }}.svc
--- a/packages/system/lineage-controller-webhook/templates/daemonset.yaml
+++ b/packages/system/lineage-controller-webhook/templates/daemonset.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: lineage-controller-webhook
+  labels:
+    app: lineage-controller-webhook
+spec:
+  selector:
+    matchLabels:
+      app: lineage-controller-webhook
+  template:
+    metadata:
+      labels:
+        app: lineage-controller-webhook
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+      - key: "node-role.kubernetes.io/control-plane"
+        operator: "Exists"
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"
+      serviceAccountName: lineage-controller-webhook
+      containers:
+      - name: lineage-controller-webhook
+        image: "{{ .Values.lineageControllerWebhook.image }}"
+        args:
+        {{- if .Values.lineageControllerWebhook.debug }}
+        - --zap-log-level=debug
+        {{- else }}
+        - --zap-log-level=info
+        {{- end }}
+        ports:
+        - name: webhook
+          containerPort: 9443
+        volumeMounts:
+          - name: webhook-certs
+            mountPath: /tmp/k8s-webhook-server/serving-certs
+            readOnly: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: lineage-controller-webhook-cert
+            defaultMode: 0400
--- a/packages/system/lineage-controller-webhook/templates/mutatingwebhookconfiguration.yaml
+++ b/packages/system/lineage-controller-webhook/templates/mutatingwebhookconfiguration.yaml
@@ -3,7 +3,7 @@ kind: MutatingWebhookConfiguration
 metadata:
  name: lineage
  annotations:
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cozystack-controller-webhook
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/lineage-controller-webhook
  labels:
    app: cozystack-controller
 webhooks:
@@ -12,7 +12,7 @@ webhooks:
    sideEffects: None
    clientConfig:
      service:
-        name: cozystack-controller
+        name: lineage-controller-webhook
        namespace: {{ .Release.Namespace }}
        path: /mutate-lineage
    rules:
@@ -40,3 +40,7 @@ webhooks:
          values:
            - kube-system
            - default
+    objectSelector:
+      matchExpressions:
+        - key: internal.cozystack.io/managed-by-cozystack
+          operator: DoesNotExist
--- a/packages/system/lineage-controller-webhook/templates/rbac-bind.yaml
+++ b/packages/system/lineage-controller-webhook/templates/rbac-bind.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: lineage-controller-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: lineage-controller-webhook
+subjects:
+- kind: ServiceAccount
+  name: lineage-controller-webhook
+  namespace: {{ .Release.Namespace }}
--- a/packages/system/lineage-controller-webhook/templates/rbac.yaml
+++ b/packages/system/lineage-controller-webhook/templates/rbac.yaml
@@ -0,0 +1,8 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: lineage-controller-webhook
+rules:
+- apiGroups: ['*']
+  resources: ['*']
+  verbs: ["get", "list", "watch"]
--- a/packages/system/lineage-controller-webhook/templates/sa.yaml
+++ b/packages/system/lineage-controller-webhook/templates/sa.yaml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: lineage-controller-webhook
--- a/packages/system/lineage-controller-webhook/templates/service.yaml
+++ b/packages/system/lineage-controller-webhook/templates/service.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: cozystack-controller
+  name: lineage-controller-webhook
  labels:
-    app: cozystack-controller
+    app: lineage-controller-webhook
 spec:
+  internalTrafficPolicy: Local
  type: ClusterIP
  ports:
    - port: 443
@@ -12,4 +13,4 @@ spec:
      protocol: TCP
      name: webhook
  selector:
-    app: cozystack-controller
+    app: lineage-controller-webhook
--- a/packages/system/lineage-controller-webhook/values.yaml
+++ b/packages/system/lineage-controller-webhook/values.yaml
@@ -0,0 +1,3 @@
+lineageControllerWebhook:
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.37.0@sha256:845b8e68cbc277c2303080bcd55597e4334610d396dad258ad56fd906530acc3
+  debug: false