deploy: add CR restrictions to the helm config

Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com>

deployment/components/master-config/nfd-master.conf.example

@@ -6,6 +6,20 @@
 # enableTaints: false
 # labelWhiteList: "foo"
 # resyncPeriod: "2h"
+# restrictions:
+#   maxLabelsPerCR: 10
+#   maxTaintsPerCR: 20
+#   maxExtendedResourcesPerCR: 15
+#   overwriteLabels: false
+#   denyNodeFeatureLabels: true
+#   nodeFeatureNamespaceSelector:
+#    matchLabels:
+#      kubernetes.io/metadata.name: "node-feature-discovery"
+#    matchExpressions:
+#      - key: "kubernetes.io/metadata.name"
+#        operator: "In"
+#        values:
+#           - "node-feature-discovery"
 # klog:
 #    addDirHeader: false
 #    alsologtostderr: false

deployment/helm/node-feature-discovery/values.yaml

@@ -23,6 +23,20 @@ master:
     # enableTaints: false
     # labelWhiteList: "foo"
     # resyncPeriod: "2h"
+    # restrictions:
+    #   maxLabelsPerCR: 10
+    #   maxTaintsPerCR: 20
+    #   maxExtendedResourcesPerCR: 15
+    #   overwriteLabels: false
+    #   denyNodeFeatureLabels: true
+    #   nodeFeatureNamespaceSelector:
+    #    matchLabels:
+    #      kubernetes.io/metadata.name: "node-feature-discovery"
+    #    matchExpressions:
+    #      - key: "kubernetes.io/metadata.name"
+    #        operator: "In"
+    #        values:
+    #           - "node-feature-discovery"
     # klog:
     #    addDirHeader: false
     #    alsologtostderr: false

docs/reference/master-configuration-reference.md

@@ -340,25 +340,24 @@ Default: *empty*
 
 Run-time configurable: yes
 
-
 ## restrictions
 
-The following options specify the restrictions that can be applied by nfd-master
-on the deployed Custom Resources in the cluster.
+The following options specify the restrictions that can be applied by the
+nfd-master on the deployed Custom Resources in the cluster.
 
-### restrictions.allowedNamespaces
+### restrictions.nodeFeatureNamespaceSelector
 
-The `allowedNamespaces` option specifies the NodeFeatures namespaces to watch.
-To select the appropriate namespaces to watch, you can use the `metav1.LabelSelector`
-as a type for this option.
+The `nodeFeatureNamespaceSelector` option specifies the NodeFeatures namespaces
+to watch, which can be selected by using `metav1.LabelSelector` as a type for
+this option.
 
-Default: all namespaces are allowed to be watched.
+Default: all namespaces are selected to be watched.
 
 Example:
 
 ```yaml
 restrictions:
-  allowedNamespaces:
+  nodeFeatureNamespaceSelector:
     matchLabels:
       kubernetes.io/metadata.name: "node-feature-discovery"
     matchExpressions:
@@ -410,20 +409,6 @@ restrictions:
   maxExtendedResourcesPerCR: 15
 ```
 
-### restrictions.maxExtendedResourcesPerCR
-
-The `maxExtendedResourcesPerCR` option specifies the maximum number of extended
-resources that can be generated by a single CustomResource.
-
-Default: no limit
-
-Example:
-
-```yaml
-restrictions:
-  maxExtendedResourcesPerCR: 15
-```
-
 ### restrictions.overwriteLabels
 
 The `overwriteLabels` option specifies whether to overwrite existing

examples/nodefeature.yaml

@@ -4,7 +4,7 @@ apiVersion: nfd.k8s-sigs.io/v1alpha1
 kind: NodeFeature
 metadata:
   labels:
-    nfd.node.kubernetes.io/node-name: nfd-control-plane
+    nfd.node.kubernetes.io/node-name: example-node
   name: example-node
   namespace: node-feature-discovery
 spec:

go.mod

@@ -1,6 +1,6 @@
 module sigs.k8s.io/node-feature-discovery
 
-go 1.21
+go 1.22
 
 require (
 	github.com/fsnotify/fsnotify v1.7.0

pkg/nfd-master/nfd-api-controller.go

@@ -80,7 +80,7 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 				if c.isNamespaceSelected(nfr.Namespace) {
 					c.updateOneNode("NodeFeature", nfr)
 				} else {
-					klog.InfoS("NodeFeature not in selected namespace", "namespace", nfr.Namespace, "name", nfr.Name)
+					klog.InfoS("NodeFeature namespace is not selected, skipping", "namespace", nfr.Namespace, "name", nfr.Name)
 				}
 			},
 			UpdateFunc: func(oldObj, newObj interface{}) {
@@ -89,7 +89,7 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 				if c.isNamespaceSelected(nfr.Namespace) {
 					c.updateOneNode("NodeFeature", nfr)
 				} else {
-					klog.InfoS("NodeFeature not in selected namespace", "namespace", nfr.Namespace, "name", nfr.Name)
+					klog.InfoS("NodeFeature namespace is not selected, skipping", "namespace", nfr.Namespace, "name", nfr.Name)
 				}
 			},
 			DeleteFunc: func(obj interface{}) {
@@ -98,7 +98,7 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 				if c.isNamespaceSelected(nfr.Namespace) {
 					c.updateOneNode("NodeFeature", nfr)
 				} else {
-					klog.InfoS("NodeFeature not in selected namespace", "namespace", nfr.Namespace, "name", nfr.Name)
+					klog.InfoS("NodeFeature namespace is not selected, skipping", "namespace", nfr.Namespace, "name", nfr.Name)
 				}
 			},
 		}); err != nil {

pkg/nfd-master/nfd-api-controller_test.go

@@ -21,10 +21,10 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	fakeclient "k8s.io/client-go/kubernetes/fake"
 	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/pkg/apis/nfd/v1alpha1"
-	corev1 "k8s.io/api/core/v1"
 )
 
 func TestGetNodeNameForObj(t *testing.T) {
@@ -45,7 +45,7 @@ func TestGetNodeNameForObj(t *testing.T) {
 	assert.Equal(t, n, "node-1")
 }
 
-func newTestNamespace(name string) *corev1.Namespace{
+func newTestNamespace(name string) *corev1.Namespace {
 	return &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
@@ -56,7 +56,7 @@ func newTestNamespace(name string) *corev1.Namespace{
 	}
 }
 
-func TestIsNamespaceAllowed(t *testing.T) {
+func TestIsNamespaceSelected(t *testing.T) {
 	fakeCli := fakeclient.NewSimpleClientset(newTestNamespace("fake"))
 	c := &nfdController{
 		k8sClient: fakeCli,
@@ -69,8 +69,8 @@ func TestIsNamespaceAllowed(t *testing.T) {
 		expectedResult               bool
 	}{
 		{
-			name:                         "namespace not allowed",
-			objectNamespace:              "random",
+			name:            "namespace not selected",
+			objectNamespace: "random",
 			nodeFeatureNamespaceSelector: &metav1.LabelSelector{
 				MatchExpressions: []metav1.LabelSelectorRequirement{
 					{
@@ -80,15 +80,15 @@ func TestIsNamespaceAllowed(t *testing.T) {
 					},
 				},
 			},
-			expectedResult:               false,
+			expectedResult: false,
 		},
 		{
-			name:                         "namespace is allowed",
-			objectNamespace:              "fake",
+			name:            "namespace is selected",
+			objectNamespace: "fake",
 			nodeFeatureNamespaceSelector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"name": "fake"},
 			},
-			expectedResult:               false,
+			expectedResult: false,
 		},
 	}
 

pkg/nfd-master/nfd-master.go

@@ -72,12 +72,12 @@ type Annotations map[string]string
 
 // Restrictions contains the restrictions on the NF and NFR Crs
 type Restrictions struct {
-	AllowedNamespaces         *metav1.LabelSelector
-	MaxLabelsPerCR            int
-	MaxTaintsPerCR            int
-	MaxExtendedResourcesPerCR int
-	DenyNodeFeatureLabels     bool
-	OverwriteLabels           bool
+	NodeFeatureNamespaceSelector *metav1.LabelSelector
+	MaxLabelsPerCR               int
+	MaxTaintsPerCR               int
+	MaxExtendedResourcesPerCR    int
+	DenyNodeFeatureLabels        bool
+	OverwriteLabels              bool
 }
 
 // NFDConfig contains the configuration settings of NfdMaster.
@@ -1383,7 +1383,7 @@ func (m *nfdMaster) startNfdApiController() error {
 		DisableNodeFeature:           !m.args.EnableNodeFeatureApi,
 		ResyncPeriod:                 m.config.ResyncPeriod.Duration,
 		K8sClient:                    m.k8sClient,
-		NodeFeatureNamespaceSelector: m.config.Restrictions.AllowedNamespaces,
+		NodeFeatureNamespaceSelector: m.config.Restrictions.NodeFeatureNamespaceSelector,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to initialize CRD controller: %w", err)

test/e2e/node_feature_discovery_test.go

@@ -938,10 +938,6 @@ denyLabelNs: []
 				BeforeEach(func(ctx context.Context) {
 					extraMasterPodSpecOpts = []testpod.SpecOption{
 						testpod.SpecWithConfigMap("nfd-master-conf", "/etc/kubernetes/node-feature-discovery"),
-						testpod.SpecWithContainerExtraArgs(
-							"-deny-label-ns=*.denied.ns,random.unwanted.ns,*.vendor.io",
-							"-extra-label-ns=custom.vendor.io",
-						),
 					}
 					cm := testutils.NewConfigMap("nfd-master-conf", "nfd-master.conf", `
 resyncPeriod: "1s"
@@ -1000,14 +996,14 @@ resyncPeriod: "1s"
 				})
 			})
 
-			Context("allowed namespaces restriction is respected or not", func() {
+			Context("selected namespaces restriction is respected or not", func() {
 				BeforeEach(func(ctx context.Context) {
 					extraMasterPodSpecOpts = []testpod.SpecOption{
 						testpod.SpecWithConfigMap("nfd-master-conf", "/etc/kubernetes/node-feature-discovery"),
 					}
 					cm := testutils.NewConfigMap("nfd-master-conf", "nfd-master.conf", `
 restrictions:
-  allowedNamespaces:
+  nodeFeatureNamespaceSelector:
     matchLabels:
       kubernetes.io/metadata.name: "fake"
 `)
@@ -1032,8 +1028,11 @@ restrictions:
 					Expect(err).NotTo(HaveOccurred())
 
 					By("Verifying node labels from NodeFeature object #1 are not created")
-					// No labels should be created since the f.Namespace is not in the allowed Namespaces
-					expectedLabels := map[string]k8sLabels{}
+					// No labels should be created since the f.Namespace is not in the selected Namespaces
+					expectedLabels := map[string]k8sLabels{
+						targetNodeName: {},
+						"*":            {},
+					}
 					eventuallyNonControlPlaneNodes(ctx, f.ClientSet).Should(MatchLabels(expectedLabels, nodes))
 
 					By("Deleting NodeFeature object")
@@ -1089,9 +1088,15 @@ core:
 					Expect(testutils.CreateNodeFeatureRulesFromFile(ctx, nfdClient, "nodefeaturerule-3.yaml")).NotTo(HaveOccurred())
 
 					By("Verifying node taints and annotation from NodeFeatureRules #3")
-					expectedLabels := map[string]k8sLabels{}
+					expectedLabels := map[string]k8sLabels{
+						targetNodeName: {},
+						"*":            {},
+					}
 
-					expectedTaints := map[string][]corev1.Taint{}
+					expectedTaints := map[string][]corev1.Taint{
+						targetNodeName: {},
+						"*":            {},
+					}
 
 					eventuallyNonControlPlaneNodes(ctx, f.ClientSet).Should(MatchLabels(expectedLabels, nodes))
 					eventuallyNonControlPlaneNodes(ctx, f.ClientSet).Should(MatchTaints(expectedTaints, nodes))
@@ -1146,10 +1151,12 @@ core:
 					Expect(testpod.WaitForReady(ctx, f.ClientSet, f.Namespace.Name, workerDS.Spec.Template.Labels["name"], 2)).NotTo(HaveOccurred())
 
 					expectedAnnotations := map[string]k8sAnnotations{
-						"*": {},
+						targetNodeName: {},
+						"*":            {},
 					}
 					expectedCapacity := map[string]corev1.ResourceList{
-						"*": {},
+						targetNodeName: {},
+						"*":            {},
 					}
 
 					By("Creating NodeFeatureRules #4")
@@ -1211,7 +1218,8 @@ restrictions:
 					By("Verifying node labels from NodeFeature object #1 are not created")
 
 					expectedLabels := map[string]k8sLabels{
-						"*": {},
+						targetNodeName: {},
+						"*":            {},
 					}
 					eventuallyNonControlPlaneNodes(ctx, f.ClientSet).Should(MatchLabels(expectedLabels, nodes))