@@ -61,6 +61,33 @@ following operating systems:
6161MongoDB, Inc. updates all packages on these images before releasing
6262them every three weeks.
6363
64+ .. _k8s-validation-webhook:
65+
66+ Validation Webhook
67+ ~~~~~~~~~~~~~~~~~~
68+
69+ The |k8s-op-short| uses a webhook to prevent users from applying invalid
70+ resource definitions. The webhook rejects creating and updating replica
71+ sets in the following scenarios:
72+
73+ - :setting:`spec.connectivity.replicaSetHorizons` is set, but
74+ :setting:`spec.security.tls.enabled` is ``false`` or not set
75+ - :setting:`spec.connectivity.replicaSetHorizons` has a number of
76+ horizons configured that is not equal to the number of members set in
77+ :setting:`spec.members`
78+
79+ The webhook rejects these requests immediately and the |k8s-op-short|
80+ doesn't create or update the resource.
81+
82+ The ``ClusterRole`` and ``ClusterRoleBinding`` for the webhook are
83+ included in the default configuration files that you apply during
84+ installation. To create the role and binding, you must have
85+ :k8sdocs:`cluster-admin privileges
86+ </reference/access-authn-authz/rbac/#user-facing-roles>` . If you have
87+ insufficient privileges or if you choose to remove the role and binding
88+ from the default configuration, the |k8s-op-short| produces error logs
89+ and continues to function normally, but without validation rejections.
90+
6491.. _k8s-deployment-scopes:
6592
6693|k8s-op-short| Deployment Scopes
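Review bot: The closing paragraph of the new section (new lines 86-89) documents a fail-open mode but does not say what the reader loses or how to notice it. "continues to function normally, but without validation rejections" means the two invalid ``replicaSetHorizons`` configurations listed above are no longer blocked when applied. Suggest stating that consequence explicitly, saying what happens to such a resource once it is accepted, and naming the error log message or the check that confirms whether the webhook is active, so an operator without cluster-admin privileges knows validation is off. Minor style point in the same paragraph: there is a stray space before the period in ``</reference/access-authn-authz/rbac/#user-facing-roles>` .``, which will render as "privileges ." in the built page.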