This is awesome!!!

The only thing that would be needed to merge this PR in is a test.

Basically what you described in your PR comment, but encoded into a test case.

The atc integration tests share a kind instance. We could update it to use a k3d instance and then we could add a test case where a pod tries to curl the atc and expect it to fail.

If needed I can convert the ATC to use k3d instead of kind for testing.

This is awesome!!!

The only thing that would be needed to merge this PR in is a test.

Basically what you described in your PR comment, but encoded into a test case.

The atc integration tests share a kind instance. We could update it to use a k3d instance and then we could add a test case where a pod tries to curl the atc and expect it to fail.

If needed I can convert the ATC to use k3d instead of kind for testing.

yeah gimme sometime, I'll do it by today

This is awesome!!!

The only thing that would be needed to merge this PR in is a test.

Basically what you described in your PR comment, but encoded into a test case.

The atc integration tests share a kind instance. We could update it to use a k3d instance and then we could add a test case where a pod tries to curl the atc and expect it to fail.

If needed I can convert the ATC to use k3d instead of kind for testing.

Do you mean replace with KIND in GitHub CI ?

So if you look here we have a TestMain function where we do the setup of the cluster. All of the invocations do the setup with kind, but we could transform that to the equivalent k3d.

(Forget about the node port mapping stuff, that was just stuff I was doing when I was using the tests for the setting up of demos as well in the early days).

Then once the tests are using k3d, (which I have tested in the past works though I had no reason to switch so I didn't back then), we can add a new test func TestAdmissionExclusiveToKubeSystem where we test that a curl from a container fails.

Okay! Sorry, I had to take over your branch a little to figure out what was going wrong, and exercise it in CI.
I eventually managed to reproduce it locally.

I tweaked the PR to debug more information -> drop the ATC logs when it fails to takeoff and it dropped this:

time=2026-02-22T18:12:32.824Z level=ERROR msg="program exiting with error" error="failed to apply dependent resources: failed to apply webhooks: dry run:\n  - _/admissionregistration.k8s.io/v1/validatingwebhookconfiguration/atc-external-resources: failed to create typed patch object: .webhooks[name=\"external.resources.yoke.cd\"].matchConditions: field not declared in schema\n  - _/admissionregistration.k8s.io/v1/validatingwebhookconfiguration/atc-flight: failed to create typed patch object: .webhooks[name=\"flights.yoke.cd\"].matchConditions: field not declared in schema\n  - _/admissionregistration.k8s.io/v1/validatingwebhookconfiguration/atc-resources: failed to create typed patch object: .webhooks[name=\"resources.yoke.cd\"].matchConditions: field not declared in schema"

Essentially that MatchConditions wasn't part of the schema for the ValidatingWebhookConfiguration API.

This means that the installation of kubernetes doesn't have the MatchConditions field which has been stable since Kubernetes 1.30.

Hence I did the same k3d install as in CI on my machine and running k3d --version I get:

k3d version v5-dev
k3s version v1.21.7-k3s1 (default)

vs my homebrew installation:

k3d version v5.8.3
k3s version v1.33.6-k3s1 (default)

Which shows that the version in CI is using a very old and incompatible version of Kubernetes.
This issue will be fixed if instead of using go install for k3d, we use the official installation instructions.

Hey! Just wondering what the status was for the work on this PR?

I would love to get this shipped soon :)

Sorry for delayed response , currently checking again with atc unit tests , whether they're failing or not .

@davidmdm I made a little bit change , can you approve the workflows for the tests to run in CI ?