Fix metadata-webhook cleanup race condition

[cardil]

Problem

The deployment-upgrade-failure test occasionally leaves Route resources stuck with finalizers because the metadata-webhook service is deleted before the Route can be processed by the webhook.

When the webhook service is unavailable, the MutatingWebhookConfiguration still intercepts Route deletion requests, causing a timeout and leaving the Route stuck.

Root Cause

Race condition between:

1. Test cleanup deleting the metadata-webhook Deployment/Service
2. Knative garbage collection trying to finalize Routes
3. Kubernetes webhook cache invalidation timing

Solution

Added namespaceSelector to the webhook configuration to limit its scope to only the serving-tests namespace (which already has the samples.knative.dev/release: devel label). This ensures:

1. The webhook only applies to resources in namespaces with the correct label
2. When the namespace is being torn down, the webhook no longer blocks deletions
3. Other namespaces are not affected by the webhook

Evidence

• The metadata-webhook is only deployed when MESH=true (see hack/lib/serverless.bash:195-198)
• The serving-tests namespace already has the required label in 100-namespace.yaml
• This change scopes the webhook to match its actual intended usage

Related

Upstream issue in knative/serving: cleanup order in deployment_failure.go deletes webhook before tearing down Service (to be reported separately).

---

Assisted-by: 🤖 Claude Opus/Sonnet 4.5

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cardil
Once this PR has been reviewed and has the lgtm label, please assign aliok for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cardil]

/cherrypick main
/cherrypick release-1.38

[openshift-cherrypick-robot]

@cardil: once the present PR merges, I will cherry-pick it on top of main, release-1.38 in new PRs and assign them to you.

Details

In response to this:

/cherrypick main
/cherrypick release-1.38

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cardil]

/retest

[openshift-ci]

@cardil: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/420-mesh-e2e	4d98201	link	false	/test 420-mesh-e2e
ci/prow/420-mesh-upgrade	4d98201	link	false	/test 420-mesh-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.