pepr 0.49.0 → 0.50.0-nightly.1

package/dist/sdk/sdk.d.ts

@@ -38,6 +38,8 @@ export declare function getOwnerRefFrom(customResource: GenericKind, blockOwnerD
  *
  * @param name the name of the resource to sanitize
  * @returns the sanitized resource name
+ *
+ * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
  */
 export declare function sanitizeResourceName(name: string): string;
 //# sourceMappingURL=sdk.d.ts.map

package/dist/sdk/sdk.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GACtE,WAAW,EAAE,CAef;AAED;;;;;;;;;GASG;AAEH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,OAAO,EAAE;IACP,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;CAC3B,GACA,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAYzD"}
+{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GACtE,WAAW,EAAE,CAef;AAED;;;;;;;;;GASG;AAEH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,OAAO,EAAE;IACP,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;CAC3B,GACA,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAazD"}

package/package.json

@@ -14,9 +14,10 @@
     "/src",
     "!src/**/*.test.ts",
     "!src/fixtures/**",
-    "!dist/**/*.test.d.ts*"
+    "!dist/**/*.test.d.ts*",
+    "!src/cli/docs/**"
   ],
-  "version": "0.49.0",
+  "version": "0.50.0-nightly.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -29,6 +30,7 @@
     "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey && npm run test:journey-wasm",
     "test:artifacts": "npm run build && jest src/build-artifact.test.ts",
+    "test:docs": "jest --verbose src/cli/docs/*.test.ts",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",
     "test:integration:prep": "./integration/prep.sh",
     "test:integration:run": "jest --maxWorkers=4 integration",
@@ -42,9 +44,9 @@
     "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts",
     "test:journey:unicorn": "npm run test:journey:k3d && npm run test:journey:image:unicorn && npm run test:journey:run",
     "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts",
-    "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='build-artifact.test.ts'",
-    "format:check": "eslint src && prettier --config .prettierrc src --check",
-    "format:fix": "eslint src --fix && prettier --config .prettierrc src --write",
+    "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns=\"build-artifact.test.ts|src/cli/docs/.*\\.test\\.ts\"",
+    "format:check": "eslint --ignore-pattern src/templates/eslint.config.mjs  src && prettier --config .prettierrc src --check",
+    "format:fix": "eslint --fix --ignore-pattern src/templates/eslint.config.mjs  src && prettier --config .prettierrc src --write",
     "prepare": "if [ \"$NODE_ENV\" != 'production' ]; then husky; fi"
   },
   "dependencies": {
@@ -54,7 +56,7 @@
     "heredoc": "^1.3.1",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.5.1",
+    "kubernetes-fluent-client": "3.5.3",
     "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
@@ -63,8 +65,8 @@
     "ts-morph": "^25.0.1"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.8.0",
-    "@commitlint/config-conventional": "19.8.0",
+    "@commitlint/cli": "19.8.1",
+    "@commitlint/config-conventional": "19.8.1",
     "@fast-check/jest": "^2.0.1",
     "@jest/globals": "29.7.0",
     "@types/eslint": "9.6.1",
@@ -87,15 +89,15 @@
   },
   "peerDependencies": {
     "@types/prompts": "2.4.9",
-    "@typescript-eslint/eslint-plugin": "8.23.0",
-    "@typescript-eslint/parser": "8.23.0",
+    "@typescript-eslint/eslint-plugin": "8.32.1",
+    "@typescript-eslint/parser": "8.32.1",
     "commander": "13.1.0",
     "esbuild": "0.25.0",
-    "eslint": "8.57.0",
+    "eslint": "^9.26.0",
     "node-forge": "1.3.1",
-    "prettier": "3.4.2",
+    "prettier": "3.5.3",
     "prompts": "2.4.2",
-    "typescript": "5.7.3",
-    "uuid": "11.0.5"
+    "typescript": "5.8.3",
+    "uuid": "11.1.0"
   }
-}
+}

package/src/cli/build.ts

@@ -71,7 +71,7 @@ export default function (program: RootCmd): void {
     .option("-e, --entry-point [file]", "Specify the entry point file to build with.", peprTS)
     .option(
       "-n, --no-embed",
-      "Disables embedding of deployment files into output module.  Useful when creating library modules intended solely for reuse/distribution via NPM.",
+      "Disables embedding of deployment files into output module. Useful when creating library modules intended solely for reuse/distribution via NPM.",
     )
     .addOption(
       new Option(

package/src/cli/crd/generate.ts

@@ -4,7 +4,7 @@
 import { Command } from "commander";
 import fs from "fs";
 import path from "path";
-import { stringify as toYAML } from "yaml";
+import { stringify } from "yaml";
 import {
   Project,
   InterfaceDeclaration,
@@ -17,6 +17,7 @@ import {
 import { createDirectoryIfNotExists } from "../../lib/filesystemService";
 import { kind as k } from "kubernetes-fluent-client";
 import { V1JSONSchemaProps } from "@kubernetes/client-node";
+import { WarningMessages, ErrorMessages } from "./messages";
 
 export default new Command("generate")
   .description("Generate CRD manifests from TypeScript definitions")
@@ -82,13 +83,13 @@ export function processSourceFile(
   const { kind, fqdn, scope, plural, shortNames } = extractCRDDetails(content, sourceFile);
 
   if (!kind) {
-    console.warn(`Skipping ${sourceFile.getBaseName()}: missing '// Kind: <KindName>' comment`);
+    console.warn(WarningMessages.MISSING_KIND_COMMENT(sourceFile.getBaseName()));
     return;
   }
 
   const spec = sourceFile.getInterface(`${kind}Spec`);
   if (!spec) {
-    console.warn(`Skipping ${sourceFile.getBaseName()}: missing interface ${kind}Spec`);
+    console.warn(WarningMessages.MISSING_INTERFACE(sourceFile.getBaseName(), kind));
     return;
   }
 
@@ -108,7 +109,7 @@ export function processSourceFile(
   });
 
   const outPath = path.join(outputDir, `${kind.toLowerCase()}.yaml`);
-  fs.writeFileSync(outPath, toYAML(crd), "utf8");
+  fs.writeFileSync(outPath, stringify(crd), "utf8");
   console.log(`✔ Created ${outPath}`);
 }
 
@@ -126,7 +127,7 @@ export function extractDetails(sourceFile: SourceFile): {
 } {
   const decl = sourceFile.getVariableDeclaration("details");
   if (!decl) {
-    throw new Error(`Missing 'details' variable declaration.`);
+    throw new Error(ErrorMessages.MISSING_DETAILS);
   }
 
   const init = decl.getInitializerIfKindOrThrow(SyntaxKind.ObjectLiteralExpression);
@@ -135,7 +136,7 @@ export function extractDetails(sourceFile: SourceFile): {
     const prop = init.getProperty(key);
     const value = prop?.getFirstChildByKind(SyntaxKind.StringLiteral)?.getLiteralText();
     if (!value) {
-      throw new Error(`Missing or invalid value for required key: '${key}'`);
+      throw new Error(ErrorMessages.MISSING_OR_INVALID_KEY(key));
     }
     return value;
   };
@@ -149,7 +150,7 @@ export function extractDetails(sourceFile: SourceFile): {
     };
   }
 
-  throw new Error(`'scope' must be either "Cluster" or "Namespaced", got "${scope}"`);
+  throw new Error(ErrorMessages.INVALID_SCOPE(scope));
 }
 
 export function getJsDocDescription(node: Node): string {

package/src/cli/crd/messages.ts

@@ -0,0 +1,15 @@
+export const ErrorMessages = {
+  MISSING_DETAILS: "Missing 'details' variable declaration.",
+  INVALID_SCOPE: (scope: string): string =>
+    `'scope' must be either "Cluster" or "Namespaced", got "${scope}"`,
+  MISSING_OR_INVALID_KEY: (key: string): string =>
+    `Missing or invalid value for required key: '${key}'`,
+};
+
+export const WarningMessages = {
+  MISSING_DETAILS: "Missing 'details' variable declaration.",
+  MISSING_KIND_COMMENT: (fileName: string): string =>
+    `Skipping ${fileName}: missing '// Kind: <KindName>' comment`,
+  MISSING_INTERFACE: (fileName: string, kind: string): string =>
+    `Skipping ${fileName}: missing interface ${kind}Spec`,
+};

package/src/cli/deploy.ts

@@ -11,7 +11,8 @@ import { deployImagePullSecret, deployWebhook } from "../lib/assets/deploy";
 import { namespaceDeploymentsReady } from "../lib/deploymentChecks";
 import { sanitizeName } from "./init/utils";
 import { validateCapabilityNames } from "../lib/helpers";
-
+import { namespaceComplianceValidator } from "../lib/helpers";
+import { loadCapabilities } from "../lib/assets/loader";
 export interface ImagePullSecretDetails {
   pullSecret?: string;
   dockerServer?: string;
@@ -106,7 +107,16 @@ async function buildAndDeployModule(image: string, force: boolean): Promise<void
     [],
   );
   webhook.image = image ?? webhook.image;
-
+  const capabilities = await loadCapabilities(webhook.path);
+  for (const capability of capabilities) {
+    namespaceComplianceValidator(capability, webhook.alwaysIgnore?.namespaces);
+    namespaceComplianceValidator(
+      capability,
+      webhook.config.admission?.alwaysIgnore?.namespaces,
+      false,
+    );
+    namespaceComplianceValidator(capability, webhook.config.watch?.alwaysIgnore?.namespaces, true);
+  }
   try {
     await webhook.deploy(deployWebhook, force, builtModule.cfg.pepr.webhookTimeout ?? 10);
 

package/src/cli/{format.ts → format/index.ts}

@@ -4,13 +4,13 @@
 import { ESLint } from "eslint";
 import { formatWithPrettier } from "./format.helpers";
 
-import { RootCmd } from "./root";
+import { RootCmd } from "../root";
 
 export default function (program: RootCmd): void {
   program
     .command("format")
     .description("Lint and format this Pepr module")
-    .option("-v, --validate-only", "Do not modify files, only validate formatting")
+    .option("-v, --validate-only", "Do not modify files, only validate formatting.")
     .action(async opts => {
       const success = await peprFormat(opts.validateOnly);
 

package/src/cli/init/templates.ts

@@ -4,8 +4,9 @@
 import { dumpYaml } from "@kubernetes/client-node";
 import { inspect } from "util";
 import { v4 as uuidv4 } from "uuid";
+import { readFileSync } from "fs";
+import path from "path";
 
-import eslintJSON from "../../templates/.eslintrc.template.json";
 import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import prettierJSON from "../../templates/.prettierrc.json";
 import samplesJSON from "../../templates/capabilities/hello-pepr.samples.json";
@@ -33,6 +34,8 @@ export type peprPackageJSON = {
       webhookTimeout: number;
       customLabels: CustomLabels;
       alwaysIgnore: { namespaces: string[] };
+      admission: { alwaysIgnore: { namespaces: string[] } };
+      watch: { alwaysIgnore: { namespaces: string[] } };
       includedFiles: string[];
       env: object;
       rbac?: PolicyRule[];
@@ -79,6 +82,16 @@ export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string): peprPack
       alwaysIgnore: {
         namespaces: [],
       },
+      admission: {
+        alwaysIgnore: {
+          namespaces: [],
+        },
+      },
+      watch: {
+        alwaysIgnore: {
+          namespaces: [],
+        },
+      },
       includedFiles: [],
       env: pgkVerOverride ? testEnv : {},
     },
@@ -147,6 +160,19 @@ export const prettier = {
 };
 
 export const eslint = {
-  path: ".eslintrc.json",
-  data: eslintJSON,
+  path: "eslint.config.mjs",
+  data: readFileSync(
+    path.resolve(
+      ((): string => {
+        const fullPath = __dirname;
+        const lengthOfSuffix = "pepr/".length;
+        // Find the last occurrence of "pepr/"
+        const lastPeprIndex = fullPath.lastIndexOf("pepr/");
+        // Return the path up to and including the last "pepr/"
+        return fullPath.substring(0, lastPeprIndex + lengthOfSuffix);
+      })(),
+      "src/templates/eslint.config.mjs",
+    ),
+    "utf-8",
+  ),
 };

package/src/cli/{update.ts → update/index.ts}

@@ -13,9 +13,9 @@ import {
   samplesYaml,
   snippet,
   tsConfig,
-} from "./init/templates";
-import { write } from "./init/utils";
-import { RootCmd } from "./root";
+} from "../init/templates";
+import { write } from "../init/utils";
+import { RootCmd } from "../root";
 
 export default function (program: RootCmd): void {
   program
@@ -41,6 +41,33 @@ export default function (program: RootCmd): void {
       console.log("Updating the Pepr module...");
 
       try {
+        // Check if eslint v8 is a project dependency and warn about future upgrade
+        let packageLockContent = "";
+        let foundPackageLock = false;
+
+        try {
+          // Try to find package-lock.json in the current directory
+          if (fs.existsSync("./package-lock.json")) {
+            packageLockContent = fs.readFileSync("./package-lock.json", "utf-8");
+            foundPackageLock = true;
+          }
+        } catch {
+          // Ignore errors and continue with installation
+        }
+
+        // If we found the package-lock.json and could read it, check for eslint v8
+        if (foundPackageLock && packageLockContent) {
+          // Look for eslint version 8.x.x pattern in the file content
+          if (
+            packageLockContent.indexOf('"eslint":') >= 0 &&
+            packageLockContent.match(/"eslint":\s*"[~^]?8\.[0-9]+\.[0-9]+"/)
+          ) {
+            console.warn(
+              "\nWarning: This Pepr module uses ESLint v8. Pepr will be upgraded to use v9 in a future release.\nSee eslint@9.0.0 release notes for more details: https://eslint.org/blog/2024/04/eslint-v9.0.0-released/",
+            );
+          }
+        }
+
         // Update Pepr for the module
         execSync("npm install pepr@latest", {
           stdio: "inherit",

package/src/lib/assets/assets.ts

@@ -101,7 +101,14 @@ export class Assets {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
+      // until deployment, Pepr does not distinguish between watch and admission
       namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
+      namespaceComplianceValidator(
+        capability,
+        this.config.admission?.alwaysIgnore?.namespaces,
+        false,
+      );
+      namespaceComplianceValidator(capability, this.config.watch?.alwaysIgnore?.namespaces, true);
     }
 
     const code = await fs.readFile(this.path);

package/src/lib/assets/helm.ts

@@ -94,7 +94,13 @@ export function watcherDeployTemplate(buildTimestamp: string): string {
             terminationGracePeriodSeconds: {{ .Values.watcher.terminationGracePeriodSeconds }}
             serviceAccountName: {{ .Values.uuid }}
             securityContext:
-              {{- toYaml .Values.admission.securityContext | nindent 8 }}
+              {{- toYaml .Values.watcher.securityContext | nindent 8 }}
+            nodeSelector:
+              {{- toYaml .Values.watcher.nodeSelector | nindent 8 }}
+            tolerations:
+              {{- toYaml .Values.watcher.tolerations | nindent 8 }}
+            affinity:
+              {{- toYaml .Values.watcher.affinity | nindent 8 }}
             containers:
               - name: watcher
                 image: {{ .Values.watcher.image }}
@@ -179,6 +185,27 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
               app: {{ .Values.uuid }}
               pepr.dev/controller: admission
           spec:
+            {{- if or .Values.admission.antiAffinity .Values.admission.affinity }}
+            affinity:
+            {{- if .Values.admission.antiAffinity }}
+              podAntiAffinity:
+                requiredDuringSchedulingIgnoredDuringExecution:
+                  - labelSelector:
+                      matchExpressions:
+                        - key: pepr.dev/controller
+                          operator: In
+                          values:
+                            - admission
+                    topologyKey: "kubernetes.io/hostname"
+            {{- end }}
+            {{- if .Values.admission.affinity }}
+              {{- toYaml .Values.admission.affinity | nindent 8 }}
+            {{- end }}
+            {{- end }}
+            nodeSelector:
+              {{- toYaml .Values.admission.nodeSelector | nindent 8 }}
+            tolerations:
+              {{- toYaml .Values.admission.tolerations | nindent 8 }}
             terminationGracePeriodSeconds: {{ .Values.admission.terminationGracePeriodSeconds }}
             priorityClassName: system-node-critical
             serviceAccountName: {{ .Values.uuid }}

package/src/lib/assets/ignoredNamespaces.ts

@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+export function resolveIgnoreNamespaces(ignoredNSConfig: string[] = []): string[] {
+  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
+  if (!ignoredNSEnv) {
+    return ignoredNSConfig;
+  }
+
+  const namespaces = ignoredNSEnv.split(",").map(ns => ns.trim());
+
+  // add alwaysIgnore.namespaces to the list
+  if (ignoredNSConfig) {
+    namespaces.push(...ignoredNSConfig);
+  }
+  return namespaces.filter(ns => ns.length > 0);
+}

package/src/lib/assets/webhooks.ts

@@ -8,7 +8,7 @@ import {
 } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { concat, equals, uniqWith } from "ramda";
-
+import { resolveIgnoreNamespaces } from "./ignoredNamespaces";
 import { Assets } from "./assets";
 import { Event, WebhookType } from "../enums";
 import { Binding } from "../types";
@@ -42,21 +42,6 @@ export const validateRule = (
   return ruleObject;
 };
 
-export function resolveIgnoreNamespaces(ignoredNSConfig: string[] = []): string[] {
-  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
-  if (!ignoredNSEnv) {
-    return ignoredNSConfig;
-  }
-
-  const namespaces = ignoredNSEnv.split(",").map(ns => ns.trim());
-
-  // add alwaysIgnore.namespaces to the list
-  if (ignoredNSConfig) {
-    namespaces.push(...ignoredNSConfig);
-  }
-  return namespaces.filter(ns => ns.length > 0);
-}
-
 export async function generateWebhookRules(
   assets: Assets,
   isMutateWebhook: boolean,
@@ -84,7 +69,11 @@ export async function webhookConfigGenerator(
   const { name, tls, config, apiPath, host } = assets;
   const ignoreNS = concat(
     peprIgnoreNamespaces,
-    resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces),
+    resolveIgnoreNamespaces(
+      config?.alwaysIgnore?.namespaces?.length
+        ? config?.alwaysIgnore?.namespaces
+        : config?.admission?.alwaysIgnore?.namespaces,
+    ),
   );
 
   // Add any namespaces to ignore

package/src/lib/assets/yaml/overridesFile.ts

@@ -3,7 +3,7 @@ import { CapabilityExport, ModuleConfig } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
-
+import { resolveIgnoreNamespaces } from "../ignoredNamespaces";
 export type ChartOverrides = {
   apiPath: string;
   capabilities: CapabilityExport[];
@@ -23,7 +23,11 @@ export async function overridesFile(
 
   const overrides = {
     imagePullSecrets,
-    additionalIgnoredNamespaces: [],
+    additionalIgnoredNamespaces: resolveIgnoreNamespaces(
+      config?.alwaysIgnore?.namespaces?.length
+        ? config?.alwaysIgnore?.namespaces
+        : config?.admission?.alwaysIgnore?.namespaces,
+    ),
     rbac: rbacOverrides,
     secrets: {
       apiPath: Buffer.from(apiPath).toString("base64"),
@@ -37,6 +41,7 @@ export async function overridesFile(
     },
     uuid: name,
     admission: {
+      antiAffinity: false,
       terminationGracePeriodSeconds: 5,
       failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
       webhookTimeout: config.webhookTimeout,

package/src/lib/controller/createHooks.ts

@@ -1,5 +1,5 @@
 import { ControllerHooks } from ".";
-import { resolveIgnoreNamespaces } from "../assets/webhooks";
+import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { Capability } from "../core/capability";
 import { isWatchMode, isDevMode } from "../core/envChecks";
 import { setupWatch } from "../processors/watch-processor";

package/src/lib/core/module.ts

@@ -60,7 +60,9 @@ export class PeprModule {
     const controllerHooks = createControllerHooks(
       opts,
       capabilities,
-      pepr?.alwaysIgnore?.namespaces,
+      pepr?.alwaysIgnore?.namespaces?.length
+        ? pepr.alwaysIgnore.namespaces
+        : config?.watch?.alwaysIgnore?.namespaces,
     );
 
     this.#controller = new Controller(config, capabilities, controllerHooks);

package/src/lib/helpers.ts

@@ -138,20 +138,30 @@ export function generateWatchNamespaceError(
 export function namespaceComplianceValidator(
   capability: CapabilityExport,
   ignoredNamespaces?: string[],
+  watch?: boolean,
 ): void {
   const { namespaces: capabilityNamespaces, bindings, name } = capability;
-  const bindingNamespaces: string[] = bindings.flatMap(
-    (binding: Binding) => binding.filters.namespaces,
+
+  const shouldInclude = (binding: Binding): boolean => {
+    if (watch === true) return !!binding.isWatch;
+    if (watch === false) return !!binding.isMutate;
+    return true;
+  };
+
+  const bindingNamespaces: string[] = bindings.flatMap(binding =>
+    shouldInclude(binding) ? binding.filters.namespaces || [] : [],
   );
-  const bindingRegexNamespaces: string[] = bindings.flatMap(
-    (binding: Binding) => binding.filters.regexNamespaces || [],
+
+  const bindingRegexNamespaces: string[] = bindings.flatMap(binding =>
+    shouldInclude(binding) ? binding.filters.regexNamespaces || [] : [],
   );
 
   const namespaceError = generateWatchNamespaceError(
-    ignoredNamespaces ? ignoredNamespaces : [],
+    ignoredNamespaces ?? [],
     bindingNamespaces,
-    capabilityNamespaces ? capabilityNamespaces : [],
+    capabilityNamespaces ?? [],
   );
+
   if (namespaceError !== "") {
     throw new Error(
       `Error in ${name} capability. A binding violates namespace rules. Please check ignoredNamespaces and capability namespaces: ${namespaceError}`,

package/src/lib/processors/mutate-processor.ts

@@ -13,7 +13,7 @@ import { ModuleConfig } from "../types";
 import { PeprMutateRequest } from "../mutate-request";
 import { base64Encode } from "../utils";
 import { OnError } from "../../cli/init/enums";
-import { resolveIgnoreNamespaces } from "../assets/webhooks";
+import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { Operation } from "fast-json-patch";
 import { WebhookType } from "../enums";
 
@@ -149,7 +149,11 @@ export async function mutateProcessor(
         bind.binding,
         bind.req,
         bind.namespaces,
-        resolveIgnoreNamespaces(bind.config?.alwaysIgnore?.namespaces),
+        resolveIgnoreNamespaces(
+          bind?.config?.alwaysIgnore?.namespaces?.length
+            ? bind.config?.alwaysIgnore?.namespaces
+            : bind.config?.admission?.alwaysIgnore?.namespaces,
+        ),
       );
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);

package/src/lib/processors/validate-processor.ts

@@ -10,7 +10,7 @@ import Log from "../telemetry/logger";
 import { convertFromBase64Map } from "../utils";
 import { PeprValidateRequest } from "../validate-request";
 import { ModuleConfig } from "../types";
-import { resolveIgnoreNamespaces } from "../assets/webhooks";
+import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { MeasureWebhookTimeout } from "../telemetry/webhookTimeouts";
 import { WebhookType } from "../enums";
 import { AdmissionRequest } from "../common-types";
@@ -37,7 +37,9 @@ export async function processRequest(
     if (callbackResp.statusCode || callbackResp.statusMessage) {
       valResp.status = {
         code: callbackResp.statusCode || 400,
-        message: callbackResp.statusMessage || `Validation failed for ${name}`,
+        message:
+          callbackResp.statusMessage ||
+          `Validation failed for ${peprValidateRequest.Request.kind.kind.toLowerCase()}/${peprValidateRequest.Request.name}${peprValidateRequest.Request.namespace ? ` in ${peprValidateRequest.Request.namespace} namespace.` : ""}`,
       };
     }
 
@@ -95,7 +97,11 @@ export async function validateProcessor(
         binding,
         req,
         namespaces,
-        resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces),
+        resolveIgnoreNamespaces(
+          config?.alwaysIgnore?.namespaces?.length
+            ? config?.alwaysIgnore?.namespaces
+            : config?.admission?.alwaysIgnore?.namespaces,
+        ),
       );
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);

package/src/lib/types.ts

@@ -292,6 +292,14 @@ export type ModuleConfig = {
   uuid: string;
   /** Configure global exclusions that will never be processed by Pepr. */
   alwaysIgnore: WebhookIgnore;
+  /** admission specific ignore */
+  admission?: {
+    alwaysIgnore: WebhookIgnore;
+  };
+  /** watch specific ignore */
+  watch?: {
+    alwaysIgnore: WebhookIgnore;
+  };
 } & Partial<ModuleConfigOptions>;
 
 export type PackageJSON = {

package/src/sdk/sdk.ts

@@ -109,17 +109,20 @@ export function getOwnerRefFrom(
  *
  * @param name the name of the resource to sanitize
  * @returns the sanitized resource name
+ *
+ * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
  */
 export function sanitizeResourceName(name: string): string {
   return (
     name
-      // The name must be lowercase
       .toLowerCase()
-      // Replace sequences of non-alphanumeric characters with a single '-'
-      .replace(/[^a-z0-9]+/g, "-")
-      // Truncate the name to 250 characters
-      .slice(0, 250)
-      // Remove leading and trailing non-letter characters
-      .replace(/^[^a-z]+|[^a-z]+$/g, "")
+      // Replace invalid characters (anything not a-z, 0-9, or '-') with '-'
+      .replace(/[^a-z0-9-]+/g, "-")
+      // Trim to 63 characters (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#rfc-1035-label-names)
+      .slice(0, 63)
+      // Remove leading non-alphanumeric characters
+      .replace(/^[^a-z0-9]+/, "")
+      // Remove trailing non-alphanumeric characters
+      .replace(/[^a-z0-9]+$/, "")
   );
 }