Question about injecting sidecar proxies to pods in the kube-system namespace

[Flou21]

hey i have a relatively simple question

i have a k3s cluster, in the cluster traefik is deployed as ingress controller in the kube-system namespace
I can add annotations to the deployment or pod with a rancher HelmChartConfig.

But the linkerd-injector does not inject a linkerd sidecar container into the traefik pod
it makes sense that this does not work directly in the kube-system namespace, but is there a way to enable this for the traefik pod?

I would like to use multi cluster communication with it.
unfortunately i have not found anything in the documentation or on github

help would be appreciated

[Flou21]

I have now found the reason for my problem, I could have guessed it beforehand.
In the MutatingWebhookConfiguration of the proxy-injector the namespace kube-system has been blacklisted in the namespaceSelector field.
I don`t have a solution for my problem yet, but this is a good starting point to continue.

[alpeb]

Thanks for coming back with the resolution; what you say is indeed the case. In any case it's always good practice to compartmentalize your workloads into separate namespaces as much as possible, and leave kube-system for the cluster's control plane only.

[Flou21]

Yes, that makes sense so far.
I only have the problem in my single node k3s clusters
By default, k3s delivers a Traefik Ingress Controller in the kube-system namespace. rke2 does the same with nginx in kube-system.
So it's not really a decision I made myself, it's just the default

Anyway, I found a workaround by adjusting the mutatingwebhookconfiguration so that injecting the proxy into the traefik pod works.
I will write a kustomize patch for it to be able to deploy this hack automatically with a gitops tool (rancher fleet in my case).
It's not really a nice way, but it's one that works for me

I mark the discussion as answered, even if the answer feels a bit hacky