Dynamic namespace support #3759
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
thallgren
force-pushed
the
thallgren/namespaces-and-rbac
branch
from
0f7db00 to
0731a0d
Compare
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
thallgren
force-pushed
the
thallgren/namespaces-and-rbac
branch
2 times, most recently
from
803e9cb to
80e5bc8
Compare
This commit changes how the Telepresence traffic-manager and mutating webhook deals with namespaces so that everything is controlled by one single namespace selector. A selector can be _dynamic_ or _static_. This in turn controls if telepresence is "cluster-wide" or "namespaced". A _dynamic_ selector requires cluster-wide permissions for the traffic-manager, and only a _static_ selector can serve as base when installing Role/RoleBinding pairs. A selector is considered static if it meets the following conditions: - The selector must not have `matchLabels`. - The selector must have exactly one element in the `matchLabels` or the `matchExpression` list (if the element is in the `matchLabels` list, it is normalized into "key in [value]"). - The element must meet the following criteria: - The `key` of the element must be "kubernetes.io/metadata.name". - The `operator` of the element must be "In" (case-sensitive). - The `values` list of the element must contain at least one value. Signed-off-by: Thomas Hallgren <thomas@tada.se>
Signed-off-by: Thomas Hallgren <thomas@tada.se>
The current order is very incosistent and hard to follow. This commit sorts the list alphabetically, without exceptions. Signed-off-by: Thomas Hallgren <thomas@tada.se>
Add description of new `namespaces` and `namespaceSelector` values, and deprecate the `namespaced` and `namespaces` in `client.Rbac` and `manager.Rbac`. Signed-off-by: Thomas Hallgren <thomas@tada.se>
Signed-off-by: Thomas Hallgren <thomas@tada.se>
Signed-off-by: Thomas Hallgren <thomas@tada.se>
Signed-off-by: Thomas Hallgren <thomas@tada.se>
The traffic-manager's IP is used for DNS in the client, so it must be included in when computing the pod subnets. It must be added explicitly now, because it's no longer required that the traffic-manager's own namespace is managed. Signed-off-by: Thomas Hallgren <thomas@tada.se>
thallgren
force-pushed
the
thallgren/namespaces-and-rbac
branch
from
80e5bc8 to
a9540d9
Compare
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
P0lip
approved these changes
Jan 2, 2025
| @@ -60,7 +54,7 @@ rules: | |||
| - list | |||
| - get | |||
| - watch | |||
| {{- if .Values.agentInjector.enabled }} | |||
| {{- if .agentInjector.enabled }} | |||
There was a problem hiding this comment.
I know it's an older code, but I believe this could be merged with the above. We'd only need to add create here and the previous definition could be dropped.
There was a problem hiding this comment.
No, I don't think that's correct. This entry is specifically for the configmap named "telepresence-agents". The entry above isn't (using create isn't possible for a named resource).
Co-authored-by: Jakub Rożek <jrozek@datawire.io> Signed-off-by: Thomas Hallgren <thomas@tada.se>
- Make k8sapi.CanI a variadic function (and use where applicable). - Sort AgentEnv.Excluded before checking slices for equality. Signed-off-by: Thomas Hallgren <thomas@tada.se>
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
Signed-off-by: Thomas Hallgren <thomas@tada.se>
thallgren
added
the
ok to test
github-actions
bot
removed
the
ok to test
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR changes how the Telepresence traffic-manager and mutating webhook deals with namespaces so that everything is controlled by one single namespace selector.
The top level Helm chart value
namespaceSelectorwas added. It is a verbatim Kubernetes namespace selector, and deprecates theagentInjector.webhook.namespaceSelectorandmanagerRbac.namespaces. It also acts as the default forclientRbac.namespaces.The short form value
namespaceswas also added. It is a list of names and mutually exclusive tonamespaceSelector. The list will get transformed into:A selector can be dynamic or static. This in turn controls if telepresence is "cluster-wide" or "namespaced". A dynamic selector
requires cluster-wide permissions for the traffic-manager, and only a static selector can serve as base when installing
Role/RoleBindingpairs.A selector is considered static if it meets the following conditions:
matchLabelsor thematchExpressionlist (if the element is in thematchLabelslist,it is normalized into "key in [value]").
keyof the element must be "kubernetes.io/metadata.name".operatorof the element must be "In" (case-sensitive).valueslist of the element must contain at least one value.