✨ feat: Add resource field-scoped fields

[TheSpiritXIII]

This feature adds resource field-scoped fields.

Why?

While working on Google Managed Service for Prometheus, we identified a need to have namespaced and cluster-scoped versions of the same structs.

How

This solution adds a new marker on fields that appear conditionally depending on the top-level CRD scope.

For example, we may have a struct:

type SecretSelector struct {
	// These fields appear regardless of scope.
	Name string  `json:"name"`
	Key string  `json:"key"`

	// This field only appears for cluster-scoped objects, since we could use the namespace of the top-level object.
	// +kubebuilder:field:scope=Cluster
	Namespace string `json:"namespace"`
}

For a namespaced CRD, the namespace field will not be generated as part of the OpenAPI specification because the namespace field is marked as being cluster-scoped.

The opposite is true as well. A field can be marked namespaced and will not be generated for cluster-scoped resources.

Defaults apply too. A CRD is considered namespaced by default, so cluster-scoped fields will not appear.

Implementation

The implementation is admittedly a bit hacky. A special property is inserted at schema parse-time, and later removed when processing the resource. I couldn't figure out a better way to do this. The comments in the code should describe why it was done this way.

[k8s-ci-robot]

Welcome @TheSpiritXIII!

It looks like this is your first PR to kubernetes-sigs/controller-tools 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-tools has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @TheSpiritXIII. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bwplotka]

+1 for this one (not maintainer, but reviewed the code)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bwplotka, TheSpiritXIII
Once this PR has been reviewed and has the lgtm label, please assign sbueringer for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[JoelSpeed]

Not a maintainer here, but I do API reviews. In general it is recommended not to recycle structs between types unless they are closely related. For example, imagine sharing a struct for a reference type and then someone starts adding a new field to it. You are unaware of this change, but they have now added a new field to your API, not desirable.

So the use case here, is to use this for closely aligned structs, but, I'm wondering how we promote people to only use this feature for that use case 🤔

I am curious, can you expand on the need for a cluster and namespaced version of the same CRD? Does the cluster scoped version apply everywhere in the cluster and the namespaced version apply only to specific namespaces? Is the idea that different actors can configure the cluster wide policy but namespaced versions override that?

[TheSpiritXIII]

I am curious, can you expand on the need for a cluster and namespaced version of the same CRD?

I work on Google Cloud Managed Service for Prometheus. It's similar to prometheus-operator but slightly more opinionated.

When you want to capture metrics for pods, you can use either PodMonitoring or ClusterPodMonitoring. Both let you specify pod selectors but the former requires a namespace and only captures pods in that namespace. In general, we recommend using PodMonitoring for proper multi-tenancy design.

Does the cluster scoped version apply everywhere in the cluster and the namespaced version apply only to specific namespaces?

Exactly.

Is the idea that different actors can configure the cluster wide policy but namespaced versions override that?

The namespace-scoped version is the more restrictive one. There's no concept of overriding in my use-case. If you have both, you get duplicate metrics.

In general it is recommended not to recycle structs between types unless they are closely related.

I totally agree! In my case, they are closely related. I have deeply nested configurations which use a common type (similar to core's SecretKeySelector) and I need different fields depending on the top-level CRD scope. Cluster-scoped resources can specify namespaces, but namespace-scoped resources cannot. This PR helps me reduce the amount of duplication I would need to do otherwise, which is quite large.

I'd love to see more opinions on this. It's possible that this particular use-case is a one-off. :)

Thanks!