Retrieving labels and annotations in scale subresource admission webhook

Why are annotations and labels not passed in the object payload for an admission webhook for deployments/scale updates?

Currently I solved this problem by creating a metadata informer to list-watch all deployments, but there are a few issues:

  • unnecessary cache leading to huge memory expenses
  • race condition between labelUpdate → informer and scaleUpdate → webhook. This problem is unsolvable because resource versions are supposedly uncollatable (even though they technically are)

I also understand that I can use objectSelector in the webhook configuration to filter inputs, but this approach does not help with reading values from annotations.

For example, if I create a webhook that restricts the number of replicas a user can create for a specific deployment based on an annotation value (let’s say the user only has permission to UPDATE deployments/scale but not patch annotations), I have to do this:

func HandleWebhook(review *AdmissionReview) (allowed bool) {
    if maxReplicas, restricted := deploymentLister.Get(review.Request.Name).GetAnnotations()["max-replicas"] {
        return review.request.NewObject.Spec.Replicas <= strconv.Itoa(maxReplicas)
    return true

This means we are comparing values from two different resource versions, because deploymentLister.Get is not necessarily the same version as review.NewObject. Using a client directly to penetrate the local cache does not work either, because we cannot request a specific resource version in a GET request (only a version ≥ the specified version). In fact, NewObject may never even make it to the apiserver (e.g. due to conflict uin the persistence phase). This implies that the webhook server will never get to know the desired annotation for that version.

Indeed, in this particular case, the scaling user may just backoff-retry until it succeeds. But this scenario in general poses many possible concurrency issues that prevent strong consistence in webhook server implementation.

Are there any actual reasons not to simply pass the labels and annotations from the apiserver copy? Is it a permission issue, or are there other concerns?