openshift · danielmellado · Feb 18, 2026
diff --git a/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml
@@ -10,14 +10,14 @@ tests:
         kind: ClusterMonitoring
         spec:
           userDefined:
-            mode: "Disabled" 
-                       
+            mode: "Disabled"
+
       expected: |
         apiVersion: config.openshift.io/v1alpha1
         kind: ClusterMonitoring
         spec:
           userDefined:
-            mode: "Disabled" 
+            mode: "Disabled"
     - name: Should reject ContainerResource with duplicate names
       initial: |
         apiVersion: config.openshift.io/v1alpha1
@@ -351,3 +351,229 @@ tests:
               - name: "example.com/quux"
                 request: "1"
       expectedError: 'spec.metricsServerConfig.resources: Too many: 11: must have at most 10 items'
+    - name: Should be able to create PrometheusOperatorAdmissionWebhookConfig with valid resources
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources:
+              - name: "cpu"
+                request: "50m"
+                limit: "200m"
+              - name: "memory"
+                request: "50Mi"
+                limit: "200Mi"
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources:
+              - name: "cpu"
+                request: "50m"
+                limit: "200m"
+              - name: "memory"
+                request: "50Mi"
+                limit: "200Mi"
+    - name: Should be able to create PrometheusOperatorAdmissionWebhookConfig with valid topologySpreadConstraints
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            topologySpreadConstraints:
+              - maxSkew: 1
+                topologyKey: topology.kubernetes.io/zone
+                whenUnsatisfiable: DoNotSchedule
+                labelSelector:
+                  matchLabels:
+                    app: prometheus-operator-admission-webhook
+              - maxSkew: 2
+                topologyKey: kubernetes.io/hostname
+                whenUnsatisfiable: ScheduleAnyway
+                labelSelector:
+                  matchLabels:
+                    app: prometheus-operator-admission-webhook
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            topologySpreadConstraints:
+              - maxSkew: 1
+                topologyKey: topology.kubernetes.io/zone
+                whenUnsatisfiable: DoNotSchedule
+                labelSelector:
+                  matchLabels:
+                    app: prometheus-operator-admission-webhook
+              - maxSkew: 2
+                topologyKey: kubernetes.io/hostname
+                whenUnsatisfiable: ScheduleAnyway
+                labelSelector:
+                  matchLabels:
+                    app: prometheus-operator-admission-webhook
+    - name: Should be able to create PrometheusOperatorAdmissionWebhookConfig with both fields
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources:
+              - name: "cpu"
+                request: "50m"
+                limit: "200m"
+            topologySpreadConstraints:
+              - maxSkew: 1
+                topologyKey: topology.kubernetes.io/zone
+                whenUnsatisfiable: DoNotSchedule
+                labelSelector:
+                  matchLabels:
+                    app: prometheus-operator-admission-webhook
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources:
+              - name: "cpu"
+                request: "50m"
+                limit: "200m"
+            topologySpreadConstraints:
+              - maxSkew: 1
+                topologyKey: topology.kubernetes.io/zone
+                whenUnsatisfiable: DoNotSchedule
+                labelSelector:
+                  matchLabels:
+                    app: prometheus-operator-admission-webhook
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with duplicate resource names
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources:
+              - name: "cpu"
+                request: "100m"
+              - name: "cpu"
+                request: "200m"
+      expectedError: "Duplicate value"
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with duplicate topologySpreadConstraints
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            topologySpreadConstraints:
+              - maxSkew: 1
+                topologyKey: topology.kubernetes.io/zone
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 2
+                topologyKey: topology.kubernetes.io/zone
+                whenUnsatisfiable: DoNotSchedule
+      expectedError: "Duplicate value"
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with empty object
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig: {}
+      expectedError: 'spec.prometheusOperatorAdmissionWebhookConfig: Invalid value: 0: spec.prometheusOperatorAdmissionWebhookConfig in body should have at least 1 properties'
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with too many resources
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources:
+              - name: "cpu"
+                request: "100m"
+              - name: "memory"
+                request: "64Mi"
+              - name: "hugepages-2Mi"
+                request: "32Mi"
+              - name: "hugepages-1Gi"
+                request: "1Gi"
+              - name: "ephemeral-storage"
+                request: "1Gi"
+              - name: "nvidia.com/gpu"
+                request: "1"
+              - name: "example.com/foo"
+                request: "1"
+              - name: "example.com/bar"
+                request: "1"
+              - name: "example.com/baz"
+                request: "1"
+              - name: "example.com/qux"
+                request: "1"
+              - name: "example.com/quux"
+                request: "1"
+      expectedError: 'spec.prometheusOperatorAdmissionWebhookConfig.resources: Too many: 11: must have at most 10 items'
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with limit less than request
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources:
+              - name: "cpu"
+                request: "500m"
+                limit: "200m"
+      expectedError: 'spec.prometheusOperatorAdmissionWebhookConfig.resources[0]: Invalid value: "object": limit must be greater than or equal to request'
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with too many topologySpreadConstraints
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            topologySpreadConstraints:
+              - maxSkew: 1
+                topologyKey: "zone1"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone2"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone3"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone4"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone5"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone6"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone7"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone8"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone9"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone10"
+                whenUnsatisfiable: DoNotSchedule
+              - maxSkew: 1
+                topologyKey: "zone11"
+                whenUnsatisfiable: DoNotSchedule
+      expectedError: 'spec.prometheusOperatorAdmissionWebhookConfig.topologySpreadConstraints: Too many: 11: must have at most 10 items'
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with empty topologySpreadConstraints array
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            topologySpreadConstraints: []
+      expectedError: 'spec.prometheusOperatorAdmissionWebhookConfig.topologySpreadConstraints: Invalid value: 0: spec.prometheusOperatorAdmissionWebhookConfig.topologySpreadConstraints in body should have at least 1 items'
+    - name: Should reject PrometheusOperatorAdmissionWebhookConfig with empty resources array
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          prometheusOperatorAdmissionWebhookConfig:
+            resources: []
+      expectedError: 'spec.prometheusOperatorAdmissionWebhookConfig.resources: Invalid value: 0: spec.prometheusOperatorAdmissionWebhookConfig.resources in body should have at least 1 items'
diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go
@@ -99,6 +99,14 @@ type ClusterMonitoringSpec struct {
 	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
 	// +optional
 	PrometheusOperatorConfig PrometheusOperatorConfig `json:"prometheusOperatorConfig,omitempty,omitzero"`
+	// prometheusOperatorAdmissionWebhookConfig is an optional field that can be used to configure the
+	// admission webhook component of Prometheus Operator that runs in the openshift-monitoring namespace.
+	// The admission webhook validates PrometheusRule and AlertmanagerConfig objects to ensure they are
+	// semantically valid, mutates PrometheusRule annotations, and converts AlertmanagerConfig objects
+	// between API versions.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// +optional
+	PrometheusOperatorAdmissionWebhookConfig PrometheusOperatorAdmissionWebhookConfig `json:"prometheusOperatorAdmissionWebhookConfig,omitempty,omitzero"`
 }
 
 // UserDefinedMonitoring config for user-defined projects.
@@ -507,6 +515,57 @@ type PrometheusOperatorConfig struct {
 	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
 }
 
+// PrometheusOperatorAdmissionWebhookConfig provides configuration options for the admission webhook
+// component of Prometheus Operator that runs in the `openshift-monitoring` namespace. The admission
+// webhook validates PrometheusRule and AlertmanagerConfig objects, mutates PrometheusRule annotations,
+// and converts AlertmanagerConfig objects between API versions.
+// +kubebuilder:validation:MinProperties=1
+type PrometheusOperatorAdmissionWebhookConfig struct {
+	// resources defines the compute resource requests and limits for the
+	// prometheus-operator-admission-webhook container.
+	// This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+	// When not specified, defaults are used by the platform. Requests cannot exceed limits.
+	// This field is optional.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	// This is a simplified API that maps to Kubernetes ResourceRequirements.
+	// The current default values are:
+	//   resources:
+	//    - name: cpu
+	//      request: 5m
+	//      limit: null
+	//    - name: memory
+	//      request: 30Mi
+	//      limit: null
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
+	// +optional
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	Resources []ContainerResource `json:"resources,omitempty"`
+	// topologySpreadConstraints defines rules for how admission webhook Pods should be distributed
+	// across topology domains such as zones, nodes, or other user-defined labels.
+	// topologySpreadConstraints is optional.
+	// This helps improve high availability and resource efficiency by avoiding placing
+	// too many replicas in the same failure domain.
+	//
+	// When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+	// Default is empty list.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=topologyKey
+	// +listMapKey=whenUnsatisfiable
+	// +optional
+	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+}
+
 // AuditProfile defines the audit log level for the Metrics Server.
 // +kubebuilder:validation:Enum=None;Metadata;Request;RequestResponse
 type AuditProfile string