deploy: add CR restrictions to the helm config

Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com> Signed-off-by: AhmedThresh <ahmed.grati@insat.ucar.tn> Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com> Signed-off-by: AhmedThresh <ahmed.grati@insat.ucar.tn> Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com>
kubernetes-sigs · Sep 13, 2024 · ff4b343 · ff4b343
1 parent 925a071
commit ff4b343
Show file tree

Hide file tree

Showing 16 changed files with 586 additions and 468 deletions.
diff --git a/deployment/base/rbac/master-clusterrole.yaml b/deployment/base/rbac/master-clusterrole.yaml
@@ -3,6 +3,13 @@ kind: ClusterRole
 metadata:
   name: nfd-master
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - watch
+  - list
 - apiGroups:
   - ""
   resources:

diff --git a/deployment/components/master-config/nfd-master.conf.example b/deployment/components/master-config/nfd-master.conf.example
@@ -6,6 +6,21 @@
 # enableTaints: false
 # labelWhiteList: "foo"
 # resyncPeriod: "2h"
+# restrictions:
+#   disableLabels: true
+#   disableTaints: true
+#   disableExtendedResources: true
+#   disableAnnotations: true
+#   allowOverwrite: false
+#   denyNodeFeatureLabels: true
+#   nodeFeatureNamespaceSelector:
+#    matchLabels:
+#      kubernetes.io/metadata.name: "node-feature-discovery"
+#    matchExpressions:
+#      - key: "kubernetes.io/metadata.name"
+#        operator: "In"
+#        values:
+#           - "node-feature-discovery"
 # klog:
 #    addDirHeader: false
 #    alsologtostderr: false

diff --git a/deployment/helm/node-feature-discovery/templates/clusterrole.yaml b/deployment/helm/node-feature-discovery/templates/clusterrole.yaml
@@ -6,6 +6,13 @@ metadata:
   labels:
     {{- include "node-feature-discovery.labels" . | nindent 4 }}
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - watch
+  - list
 - apiGroups:
   - ""
   resources:

diff --git a/deployment/helm/node-feature-discovery/values.yaml b/deployment/helm/node-feature-discovery/values.yaml
@@ -28,6 +28,21 @@ master:
     # enableTaints: false
     # labelWhiteList: "foo"
     # resyncPeriod: "2h"
+    # restrictions:
+    #   disableLabels: true
+    #   disableTaints: true
+    #   disableExtendedResources: true
+    #   disableAnnotations: true
+    #   allowOverwrite: false
+    #   denyNodeFeatureLabels: true
+    #   nodeFeatureNamespaceSelector:
+    #    matchLabels:
+    #      kubernetes.io/metadata.name: "node-feature-discovery"
+    #    matchExpressions:
+    #      - key: "kubernetes.io/metadata.name"
+    #        operator: "In"
+    #        values:
+    #           - "node-feature-discovery"
     # klog:
     #    addDirHeader: false
     #    alsologtostderr: false

diff --git a/docs/reference/master-configuration-reference.md b/docs/reference/master-configuration-reference.md
@@ -339,25 +339,24 @@ Default: *empty*
 
 Run-time configurable: yes
 
-
 ## restrictions
 
-The following options specify the restrictions that can be applied by nfd-master
-on the deployed Custom Resources in the cluster.
+The following options specify the restrictions that can be applied by the
+nfd-master on the deployed Custom Resources in the cluster.
 
-### restrictions.allowedNamespaces
+### restrictions.nodeFeatureNamespaceSelector
 
-The `allowedNamespaces` option specifies the NodeFeatures namespaces to watch.
-To select the appropriate namespaces to watch, you can use the `metav1.LabelSelector`
-as a type for this option.
+The `nodeFeatureNamespaceSelector` option specifies the NodeFeatures namespaces
+to watch, which can be selected by using `metav1.LabelSelector` as a type for
+this option. An empty value selects all namespaces to be watched.
 
-Default: all namespaces are allowed to be watched.
+Default: *empty*
 
 Example:
 
 ```yaml
 restrictions:
-  allowedNamespaces:
+  nodeFeatureNamespaceSelector:
     matchLabels:
       kubernetes.io/metadata.name: "node-feature-discovery"
     matchExpressions:
@@ -367,80 +366,70 @@ restrictions:
           - "node-feature-discovery"
 ```
 
-### restrictions.maxLabelsPerCR
-
-The `maxLabelsPerCR` option specifies the maximum number of labels that can
-be generated by a single CustomResource.
-
-Default: no limit
-
-Example:
-
-```yaml
-restrictions:
-  maxLabelsPerCR: 20
-```
-
-### restrictions.maxTaintsPerCR
+### restrictions.disableLabels
 
-The `maxTaintsPerCR` option specifies the maximum number of taints that can
-be generated by a single CustomResource.
+The `disableLabels` option controls whether to allow creation of node labels
+from NodeFeature and NodeFeatureRule CRs or not.
 
-Default: no limit
+Default: false
 
 Example:
 
 ```yaml
 restrictions:
-  maxTaintsPerCR: 10
+  disableLabels: true
 ```
 
-### restrictions.maxExtendedResourcesPerCR
+### restrictions.disableExtendedResources
 
-The `maxExtendedResourcesPerCR` option specifies the maximum number of extended
-resources that can be generated by a single CustomResource.
+The `disableExtendedResources` option controls whether to allow creation of
+node extended resources from NodeFeatureRule CR or not.
 
-Default: no limit
+Default: false
 
 Example:
 
 ```yaml
 restrictions:
-  maxExtendedResourcesPerCR: 15
+  disableExtendedResources: true
 ```
 
-### restrictions.maxExtendedResourcesPerCR
+### restrictions.disableAnnotations
 
-The `maxExtendedResourcesPerCR` option specifies the maximum number of extended
-resources that can be generated by a single CustomResource.
+he `disableAnnotations` option controls whether to allow creation of node annotations
+from NodeFeatureRule CR or not.
 
-Default: no limit
+Default: false
 
 Example:
 
 ```yaml
 restrictions:
-  maxExtendedResourcesPerCR: 15
+  disableAnnotations: true
 ```
 
-### restrictions.overwriteLabels
+### restrictions.allowOverwrite
 
-The `overwriteLabels` option specifies whether to overwrite existing
-labels, if there's an overlap, or not.
+The `allowOverwrite` option controls whether NFD is allowed to overwrite and
+take over management of existing node labels, annotations, and extended resources.
+Labels, annotations and extended resources created by NFD itself are not affected
+(overwrite cannot be disabled). NFD tracks the labels, annotations and extended
+resources that it manages with specific
+[node annotations](../get-started/introduction.md#node-annotations).
 
 Default: true
 
 Example:
 
 ```yaml
 restrictions:
-  overwriteLabels: false
+  allowOverwrite: false
 ```
 
 ### restrictions.denyNodeFeatureLabels
 
-The `denyNodeFeatureLabels` option specifies whether to deny labels from NodeFeature
-objects or not.
+The `denyNodeFeatureLabels` option specifies whether to deny labels from 3rd party
+NodeFeature objects or not. NodeFeature objects created by nfd-worker are not affected.
 
 Default: false
 

diff --git a/examples/nodefeature.yaml b/examples/nodefeature.yaml
@@ -4,7 +4,7 @@ apiVersion: nfd.k8s-sigs.io/v1alpha1
 kind: NodeFeature
 metadata:
   labels:
-    nfd.node.kubernetes.io/node-name: nfd-control-plane
+    nfd.node.kubernetes.io/node-name: example-node
   name: example-node
   namespace: node-feature-discovery
 spec:

diff --git a/go.mod b/go.mod
@@ -2,8 +2,6 @@ module sigs.k8s.io/node-feature-discovery
 
 go 1.22.2
 
-toolchain go1.22.0
-
 require (
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/golang/protobuf v1.5.4

diff --git a/nfd-master.conf b/nfd-master.conf
diff --git a/pkg/nfd-master/namespace-lister.go b/pkg/nfd-master/namespace-lister.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package nfdmaster
+
+import (
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/informers"
+	k8sclient "k8s.io/client-go/kubernetes"
+	v1lister "k8s.io/client-go/listers/core/v1"
+)
+
+// NamespaceLister lists kubernetes namespaces.
+type NamespaceLister struct {
+	namespaceLister v1lister.NamespaceLister
+	labelsSelector  labels.Selector
+	stopChan        chan struct{}
+}
+
+func newNamespaceLister(k8sClient k8sclient.Interface, labelsSelector labels.Selector) *NamespaceLister {
+	factory := informers.NewSharedInformerFactory(k8sClient, time.Hour)
+	namespaceLister := factory.Core().V1().Namespaces().Lister()
+
+	stopChan := make(chan struct{})
+	factory.Start(stopChan) // runs in background
+	factory.WaitForCacheSync(stopChan)
+
+	return &NamespaceLister{
+		namespaceLister: namespaceLister,
+		labelsSelector:  labelsSelector,
+		stopChan:        stopChan,
+	}
+}
+
+// list returns all kubernetes namespaces.
+func (lister *NamespaceLister) list() ([]*corev1.Namespace, error) {
+	return lister.namespaceLister.List(lister.labelsSelector)
+}
+
+// stop closes the channel used by the lister
+func (lister *NamespaceLister) stop() {
+	close(lister.stopChan)
+}