feat: Watch Namespaces based on labels and label selectors #9976
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
keep pr updated
davidjumani
commented
Aug 30, 2024
| @@ -1,11 +1,10 @@ | |||
| package clients | |||
| package vault | |||
There was a problem hiding this comment.
Moved this file to prevent an import cycle
|
Visit the preview URL for this PR (updated for commit 19bcb53): https://gloo-edge--pr9976-watch-namespace-sele-twteibok.web.app (expires Tue, 01 Oct 2024 18:58:43 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: 77c2b86e287749579b7ff9cadb81e099042ef677 |
|
Issues linked to changelog: |
davidjumani
changed the title
davidjumani
commented
Aug 30, 2024
davidjumani
commented
Sep 17, 2024
Comment on lines
210
to
219
| func HandleResourceDeletion(snapshot *v1snap.ApiSnapshot, resource resources.Resource) error { | ||
| if _, ok := resource.(*sk_kubernetes.KubeNamespace); ok { | ||
| // Special case to handle namespace deletion | ||
| snapshot.RemoveAllResourcesInNamespace(resource.GetMetadata().GetName()) | ||
| return nil | ||
| } else { | ||
| return snapshot.RemoveFromResourceList(resource) | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Would change to
diff --git a/projects/gloo/pkg/validation/server.go b/projects/gloo/pkg/validation/server.go
index 7621d7433..630086eae 100644
--- a/projects/gloo/pkg/validation/server.go
+++ b/projects/gloo/pkg/validation/server.go
@@ -210,7 +210,9 @@ func (s *validator) Validate(ctx context.Context, req *validation.GlooValidation
func HandleResourceDeletion(snapshot *v1snap.ApiSnapshot, resource resources.Resource) error {
if _, ok := resource.(*sk_kubernetes.KubeNamespace); ok {
// Special case to handle namespace deletion
- snapshot.RemoveAllResourcesInNamespace(resource.GetMetadata().GetName())
+ snapshot.RemoveMatches(func(metadata *core.Metadata) bool {
+ return resource.GetMetadata().GetNamespace() == metadata.GetNamespace()
+ })
return nil
} else {
return snapshot.RemoveFromResourceList(resource)
after the solo-kit bump
jbohanon
reviewed
Sep 17, 2024
pkg/utils/namespaces/namespaces.go
Outdated
|
|
||
| resp, err := clientset.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, &selfCheck, metav1.CreateOptions{}) | ||
| if err != nil { | ||
| return &FakeKubeNamespaceWatcher{} |
There was a problem hiding this comment.
For example, if we failed here and just silently returned a no-op, it would not be clear to a user or dev that we may be running into some RBAC issues. Returning a nil client and an error would lead to better debugging I think
projects/gateway/pkg/services/k8sadmission/validating_admission_webhook.go
Show resolved
Hide resolved
Comment on lines
445
to
446
| // Kubernetes' Secrets and namespace deletions are the only non-Solo API resource operations we support validation requests for. | ||
| // For a these resources, we want to skip validation on operations we don't support. We only support DELETEs. |
There was a problem hiding this comment.
Suggested change
| // Kubernetes' Secrets and namespace deletions are the only non-Solo API resource operations we support validation requests for. | |
| // For a these resources, we want to skip validation on operations we don't support. We only support DELETEs. | |
| // Kubernetes Secrets and Namespace are the only non-Solo API resources we support validation requests for. | |
| // For a these resources, we want to skip validation on operations we don't support. For Namespaces, we | |
| // support DELETE and UPDATE. For Secrets, we support DELETE. |
| @@ -49,6 +49,8 @@ type BaseTestingSuite struct { | |||
|
|
|||
| func NewBaseTestingSuite(ctx context.Context, testInst *e2e.TestInstallation, testHelper *helper.SoloTestHelper, setup SimpleTestCase, testCase map[string]*TestCase) *BaseTestingSuite { | |||
| namespace = testInst.Metadata.InstallNamespace | |||
| ctx = context.WithValue(ctx, "namespace", namespace) | |||
There was a problem hiding this comment.
The provider has a reference to the gloogateway.Context which has the InstallationNamespace
davidjumani
changed the title
|
closing in favour of solo-io#10104 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The watchNamespaces setting allows users to restrict the namespaces in which Edge watches resources. Since this is a static list, users need to update it when they need to modify namespaces to watch
This feature aims to dynamically determine the list of namespaces to watch by defining labels on namespaces or filtering namespaces based on a label expression.
This feature identifies namespaces with label selectors. These can be :
This will introduce a new setting to select namespaces :
API changes
watchNamespaceSelectorsto the settings CRCCode changes
Added a KubeNamespaceWatcher to the setup snapshot emitter. This will trigger a new snapshot if any namespace has been created / deleted / modified and not necessarily if the namespace belongs to the list we watch. The syncer will determine whether to sync based on whether :
Context
Watch Namespaces based on labels and label selectors
Design doc
Interesting decisions
Testing steps
Added kubernetes e2e tests
Notes for reviewers
Checklist: