Sync namespace metadata on creation.

[CharlieR-o-o-t]

We need to sync namespace metadata (labels, annotation and especially nodeSelector) on namespace creation.
For now, namespace nodeSelector reconciled by controller loop and pod can start before nodeSelector will be set on ns (in case of huge amount of namespaces).

Let's add some extra logic to namespace webhook.

*Have prepared PR for this already.

[prometherion]

I understand you'd like to deploy Pods as quickly as possible. Still, there's another problem: the RBAC need a Tenant reconciliation, and I don't see the benefit of burdening webhooks further with logic when the Kubernetes way is the eventual consistency.

Happy to hear more about your use case, tho: I've strong opinions, weakly held.

@oliverbaehler what are your thoughts on this?

[CharlieR-o-o-t]

The benefits is that pods can started before namespace has node-selector annotation.
We catch these cases on our k8s clusters with high amount of namespaces. Capsule brings nodeSelector after few seconds, during this time lag - pod can be started outside of tenant capacity.

[oliverbaehler]

I am working on something like a Hook components. Where you can define mutations, validations at admission or in the reconciler. We will drop our strongly typed spec in favour of that. I am with the use, especially PodNodeSelector is a very weak implementation, but i would rather takkle this in a generic way.