Merge pull request #4620 from a7i/amir/managed-by-label

`karmadactl`: Add the reserved label `karmada.io/system` to resources created by the `join` command
karmada-io · Jul 12, 2024 · 2ae4592 · 2ae4592
2 parents a2e7828 + 284dd27
commit 2ae4592
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 20 deletions.
diff --git a/pkg/karmadactl/register/register.go b/pkg/karmadactl/register/register.go
@@ -378,7 +378,7 @@ func (o *CommandRegisterOption) Run(parentCommand string) error {
 
 	// It's necessary to set the label of namespace to make sure that the namespace is created by Karmada.
 	labels := map[string]string{
-		karmadautil.ManagedByKarmadaLabel: karmadautil.ManagedByKarmadaLabelValue,
+		karmadautil.KarmadaSystemLabel: karmadautil.KarmadaSystemLabelValue,
 	}
 	// ensure namespace where the karmada-agent resources be deployed exists in the member cluster
 	if _, err := karmadautil.EnsureNamespaceExistWithLabels(o.memberClusterClient, o.Namespace, o.DryRun, labels); err != nil {
@@ -523,6 +523,9 @@ func (o *CommandRegisterOption) constructKarmadaAgentConfig(bootstrapClient *kub
 	certificateSigningRequest := &certificatesv1.CertificateSigningRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: csrName,
+			Labels: map[string]string{
+				karmadautil.KarmadaSystemLabel: karmadautil.KarmadaSystemLabelValue,
+			},
 		},
 		Spec: certificatesv1.CertificateSigningRequestSpec{
 			Request: pem.EncodeToMemory(&pem.Block{
@@ -591,6 +594,11 @@ func (o *CommandRegisterOption) createSecretAndRBACInMemberCluster(karmadaAgentC
 		return fmt.Errorf("failure while serializing karmada-agent kubeConfig. %w", err)
 	}
 
+	// It's necessary to set the label of namespace to make sure that the namespace is created by Karmada.
+	labels := map[string]string{
+		karmadautil.KarmadaSystemLabel: karmadautil.KarmadaSystemLabelValue,
+	}
+
 	kubeConfigSecret := &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
@@ -599,6 +607,7 @@ func (o *CommandRegisterOption) createSecretAndRBACInMemberCluster(karmadaAgentC
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      KarmadaKubeconfigName,
 			Namespace: o.Namespace,
+			Labels:    labels,
 		},
 		Type:       corev1.SecretTypeOpaque,
 		StringData: map[string]string{KarmadaKubeconfigName: string(configBytes)},
@@ -611,7 +620,8 @@ func (o *CommandRegisterOption) createSecretAndRBACInMemberCluster(karmadaAgentC
 
 	clusterRole := &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: KarmadaAgentName,
+			Name:   KarmadaAgentName,
+			Labels: labels,
 		},
 		Rules: []rbacv1.PolicyRule{
 			{
@@ -635,6 +645,7 @@ func (o *CommandRegisterOption) createSecretAndRBACInMemberCluster(karmadaAgentC
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      KarmadaAgentServiceAccountName,
 			Namespace: o.Namespace,
+			Labels:    labels,
 		},
 	}
 
@@ -646,7 +657,8 @@ func (o *CommandRegisterOption) createSecretAndRBACInMemberCluster(karmadaAgentC
 
 	clusterRoleBinding := &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: KarmadaAgentName,
+			Name:   KarmadaAgentName,
+			Labels: labels,
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",

diff --git a/pkg/util/constants.go b/pkg/util/constants.go
@@ -52,9 +52,14 @@ const (
 	// FederatedResourceQuotaNameLabel is added to Work to specify associated FederatedResourceQuota's name.
 	FederatedResourceQuotaNameLabel = "federatedresourcequota.karmada.io/name"
 
-	// ManagedByKarmadaLabel is a reserved karmada label to indicate whether resources are managed by karmada controllers.
+	// ManagedByKarmadaLabel is a reserved karmada label to indicate whether resources are member cluster resources
+	// synchronized by karmada controllers.
 	ManagedByKarmadaLabel = "karmada.io/managed"
 
+	// KarmadaSystemLabel is a reserved karmada label to indicate whether resources are system level resources
+	// managed by karmada controllers.
+	KarmadaSystemLabel = "karmada.io/system"
+
 	// EndpointSliceDispatchControllerLabelValue indicates the endpointSlice are controlled by Karmada
 	EndpointSliceDispatchControllerLabelValue = "endpointslice-dispatch-controller.karmada.io"
 
@@ -71,9 +76,12 @@ const (
 )
 
 const (
-	// ManagedByKarmadaLabelValue indicates that resources are managed by karmada controllers.
+	// ManagedByKarmadaLabelValue indicates that these are workloads in member cluster synchronized by karmada controllers.
 	ManagedByKarmadaLabelValue = "true"
 
+	// KarmadaSystemLabelValue indicates that resources are system level resources managed by karmada controllers.
+	KarmadaSystemLabelValue = "true"
+
 	// RetainReplicasValue is an optional value of RetainReplicasLabel, indicating retain
 	RetainReplicasValue = "true"
 

diff --git a/pkg/util/credential.go b/pkg/util/credential.go
@@ -59,7 +59,7 @@ func ObtainCredentialsFromMemberCluster(clusterKubeClient kubeclient.Interface,
 	var err error
 	// It's necessary to set the label of namespace to make sure that the namespace is created by Karmada.
 	labels := map[string]string{
-		ManagedByKarmadaLabel: ManagedByKarmadaLabelValue,
+		KarmadaSystemLabel: KarmadaSystemLabelValue,
 	}
 	// ensure namespace where the karmada control plane credential be stored exists in cluster.
 	if _, err = EnsureNamespaceExistWithLabels(clusterKubeClient, opts.ClusterNamespace, opts.DryRun, labels); err != nil {
@@ -68,9 +68,13 @@ func ObtainCredentialsFromMemberCluster(clusterKubeClient kubeclient.Interface,
 
 	if opts.IsKubeImpersonatorEnabled() {
 		// create a ServiceAccount for impersonation in cluster.
-		impersonationSA := &corev1.ServiceAccount{}
-		impersonationSA.Namespace = opts.ClusterNamespace
-		impersonationSA.Name = names.GenerateServiceAccountName("impersonator")
+		impersonationSA := &corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: opts.ClusterNamespace,
+				Name:      names.GenerateServiceAccountName("impersonator"),
+				Labels:    labels,
+			},
+		}
 		if impersonationSA, err = EnsureServiceAccountExist(clusterKubeClient, impersonationSA, opts.DryRun); err != nil {
 			return nil, nil, err
 		}
@@ -82,26 +86,38 @@ func ObtainCredentialsFromMemberCluster(clusterKubeClient kubeclient.Interface,
 	}
 	if opts.IsKubeCredentialsEnabled() {
 		// create a ServiceAccount in cluster.
-		serviceAccountObj := &corev1.ServiceAccount{}
-		serviceAccountObj.Namespace = opts.ClusterNamespace
-		serviceAccountObj.Name = names.GenerateServiceAccountName(opts.ClusterName)
+		serviceAccountObj := &corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: opts.ClusterNamespace,
+				Name:      names.GenerateServiceAccountName(opts.ClusterName),
+				Labels:    labels,
+			},
+		}
 		if serviceAccountObj, err = EnsureServiceAccountExist(clusterKubeClient, serviceAccountObj, opts.DryRun); err != nil {
 			return nil, nil, err
 		}
 
 		// create a ClusterRole in cluster.
-		clusterRole := &rbacv1.ClusterRole{}
-		clusterRole.Name = names.GenerateRoleName(serviceAccountObj.Name)
-		clusterRole.Rules = ClusterPolicyRules
+		clusterRole := &rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   names.GenerateRoleName(serviceAccountObj.Name),
+				Labels: labels,
+			},
+			Rules: ClusterPolicyRules,
+		}
 		if _, err = EnsureClusterRoleExist(clusterKubeClient, clusterRole, opts.DryRun); err != nil {
 			return nil, nil, err
 		}
 
 		// create a ClusterRoleBinding in cluster.
-		clusterRoleBinding := &rbacv1.ClusterRoleBinding{}
-		clusterRoleBinding.Name = clusterRole.Name
-		clusterRoleBinding.Subjects = BuildRoleBindingSubjects(serviceAccountObj.Name, serviceAccountObj.Namespace)
-		clusterRoleBinding.RoleRef = BuildClusterRoleReference(clusterRole.Name)
+		clusterRoleBinding := &rbacv1.ClusterRoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   clusterRole.Name,
+				Labels: labels,
+			},
+			Subjects: BuildRoleBindingSubjects(serviceAccountObj.Name, serviceAccountObj.Namespace),
+			RoleRef:  BuildClusterRoleReference(clusterRole.Name),
+		}
 		if _, err = EnsureClusterRoleBindingExist(clusterKubeClient, clusterRoleBinding, opts.DryRun); err != nil {
 			return nil, nil, err
 		}
@@ -120,7 +136,7 @@ func ObtainCredentialsFromMemberCluster(clusterKubeClient kubeclient.Interface,
 func RegisterClusterInControllerPlane(opts ClusterRegisterOption, controlPlaneKubeClient kubeclient.Interface, generateClusterInControllerPlane generateClusterInControllerPlaneFunc) error {
 	// It's necessary to set the label of namespace to make sure that the namespace is created by Karmada.
 	labels := map[string]string{
-		ManagedByKarmadaLabel: ManagedByKarmadaLabelValue,
+		KarmadaSystemLabel: KarmadaSystemLabelValue,
 	}
 	// ensure namespace where the cluster object be stored exists in control plane.
 	if _, err := EnsureNamespaceExistWithLabels(controlPlaneKubeClient, opts.ClusterNamespace, opts.DryRun, labels); err != nil {
@@ -137,6 +153,7 @@ func RegisterClusterInControllerPlane(opts ClusterRegisterOption, controlPlaneKu
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: opts.ClusterNamespace,
 				Name:      names.GenerateImpersonationSecretName(opts.ClusterName),
+				Labels:    labels,
 			},
 			Data: map[string][]byte{
 				clusterv1alpha1.SecretTokenKey: opts.ImpersonatorSecret.Data[clusterv1alpha1.SecretTokenKey],
@@ -154,6 +171,7 @@ func RegisterClusterInControllerPlane(opts ClusterRegisterOption, controlPlaneKu
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: opts.ClusterNamespace,
 				Name:      opts.ClusterName,
+				Labels:    labels,
 			},
 			Data: map[string][]byte{
 				clusterv1alpha1.SecretCADataKey: opts.Secret.Data["ca.crt"],