Add dependency loop advice.

Source PR: #46798 Co-authored-by: Shaun Crampton <shaun@tigera.io> Co-authored-by: Kat Cosgrove <kat.cosgrove@gmail.com> Co-authored-by: Tim Bannister <tim@scalefactory.com>

Author: 4 people

content/en/docs/concepts/cluster-administration/admission-webhooks-good-practices.md

@@ -371,6 +371,27 @@ result, the migration cannot happen.
 Exclude the namespace where your webhook is running with a
 [`namespaceSelector`](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector).
 
+### Avoid dependency loops {#avoid-dependency-loops}
+
+Dependency loops can occur in scenarios like the following:
+
+* Two webhooks check each other's Pods. If both webhooks become unavailable
+ at the same time, neither webhook can start.
+* Your webhook intercepts cluster add-on components, such as networking plugins
+ or storage plugins, that your webhook depends on. If both the webhook and the
+ dependent add-on become unavailable, neither component can function.
+
+To avoid these dependency loops, try the following:
+
+* Use
+ [ValidatingAdmissionPolicies](/docs/reference/access-authn-authz/validating-admission-policy/)
+ to avoid introducing dependencies.
+* Prevent webhooks from validating or mutating other webhooks. Consider
+ [excluding specific namespaces](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
+ from triggering your webhook.
+* Prevent your webhooks from acting on dependent add-ons by using an
+ [`objectSelector`](/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector).
+
 ### Fail open and validate the final state {#fail-open-validate-final-state}
 
 Mutating admission webhooks support the `failurePolicy` configuration field.