Make excluded namespace configurable #1444
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
approved
yiqigao217
requested review from
adrianludwin
and removed request for
srampal and
Fei-Guo
|
/assign @adrianludwin (See commit message) I was not able to think of a good e2e test case for this, so I did a manual test. Please let me know if you have any sugguestions, thanks! |
|
Please note in this PR, I added the I will update the design doc to reflect it if it SGTY @adrianludwin @rjbez17 . Additionally the e2e tests always pass on a clean cluster but may be flaky on problematic cluster (with resource stuck on terminating status). I will look further into it tomorrow. |
| @@ -99,6 +106,16 @@ func (v *Namespace) handle(req *nsRequest) admission.Response { | |||
| return allow("") | |||
| } | |||
|
|
|||
| func (v *Namespace) illegalExcludedNamespaceLabel(req *nsRequest) admission.Response { | |||
| for l := range req.ns.Labels { | |||
| if l == api.LabelExcludedNamespace && !config.ExcludedNamespaces[req.ns.Name] { | |||
There was a problem hiding this comment.
What about if that namespace already has the label? Should we block further changes to that namespace until the label is deleted?
There was a problem hiding this comment.
Yes, I updated the message to say "Please remove the %q label. See http://... for detail".
There was a problem hiding this comment.
I'm not a huge fan of this. I feel like webhooks should only validate the changes in a resource, not what's already there. For example, imagine an automated process that's trying to make some unrelated change; we shouldn't block them. And we shouldn't have to ask the user to remove the label given that we've got a reconciler that can do it automatically.
There was a problem hiding this comment.
sg. Changed the message back to "You cannot exclude this namespace using the %q label. See..for detail"
and commented here with:
// Note: this only blocks the request if it has a newly added illegal
// excluded-namespace label because existing illegal excluded-namespace
// label should have already been removed by our reconciler. For example,
// even when the VWHConfiguration is removed, adding the label to a non-
// excluded namespace would pass but the label is immediately removed; when
// the VWHConfiguration is there but the reconcilers are down, any request
// gets denied anyway.
Fixes 374, 1023 Part of 1443. See design https://bit.ly/hnc-excluded-namespaces. Add `excluded-namespace` container args in the config/manager/manager.yaml to allow user defined excluded namespaces. The default excluded namespaces are kube-system, kube-public, hnc-system and kube-node-lease. Add excluded-namespace label to hnc-system by default to avoid deadlock (between cert-rotator writing secret vs object webhook failing CLOSE) when installing HNC. Let users to add excluded-namespaces to other namespaces. Replace the hard-coded `EX` excluded namespaces. Add webhook patch only to the object validator with namespaceSelector to filter excluded namespaces. Add comments on why not patching other validators. Make object validator fail CLOSE now. Patch object webhook to only apply on "namespaced" scope objects, so that cert-rotator can insert certs to VWHConfiguration and namespaced objects are indeed what we care in HNC. Add webhook rules: 1) Do not allow creating/updating non-excluded namespace with excluded label; 2) Do not allow excluded namespaces to be created as a subnamespace; 3) Do not allow setting an excluded namespace as a child. Make hierarchyConfiguration reconciler remove excluded-namespace label on non-excluded namespaces. Add excluded-namespace label to user-guide/concepts.md doc. Tested by make test and make test-e2e.
|
/lgtm |
k8s-ci-robot
added
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adrianludwin, yiqigao217 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
FYI the doc is updated in the "Detailed Design" section. PTAL thanks! |
| Setting this label on namespaces that are not | ||
| listed in the HNC deployment as an `excluded-namespace` is not allowed. | ||
|
|
||
| As of March 2021, the default excluded namespaces listed in [config/manager/manager.yaml](https://github.com/kubernetes-sigs/multi-tenancy/blob/master/incubator/hnc/config/manager/manager.yaml) |
There was a problem hiding this comment.
I kind of feel this should be called out in the installation section or linked from their. As it's a pre/post installation action that is somewhat hidden away but also highly recommended for users to do.
There was a problem hiding this comment.
Yeah, it should probably be mentioned here, but it will be more important to call it out in the release notes, which is where the latest installation instructions are.
There was a problem hiding this comment.
Filed #1466 to add excluded namespace configuration to v0.8 release notes and the installation instruction.
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
Fixes #374, #1023.
Part of #1443.
See design https://bit.ly/hnc-excluded-namespaces.
Add
excluded-namespacecontainer args in theconfig/manager/manager.yaml to allow user defined excluded namespaces.
The default excluded namespaces are kube-system, kube-public, hnc-system
and kube-node-lease. Add excluded-namespace label to hnc-system by
default to avoid deadlock (between cert-rotator writing secret vs object
webhook failing CLOSE) when installing HNC. Let users to add
excluded-namespaces to other namespaces.
Replace the hard-coded
EXexcluded namespaces.Add webhook patch only to the object validator with namespaceSelector to
filter excluded namespaces. Add comments on why not patching other
validators. Make object validator fail CLOSE now.
Patch object webhook to only apply on "namespaced" scope objects, so
that cert-rotator can insert certs to VWHConfiguration and namespaced
objects are indeed what we care in HNC.
Add webhook rules:
label;
Make hierarchyConfiguration reconciler remove excluded-namespace label
on non-excluded namespaces.
Add excluded-namespace label to user-guide/concepts.md doc.
Tested by make test and make test-e2e.