feat/nfd-master: configure CR restrictions

[AhmedThresh]

Resolves #1380
Features implemented:

• NodeFeatures Namespace selection by using selectors.
• Max number of Taints, Labels, and ERs that can be generated by a single CR.
• Enable/Disable overriding labels.
• Enable/Disable NodeFeatures labels.

Result of e2e tests:

[k8s-ci-robot]

Welcome @AhmedThresh!

It looks like this is your first PR to kubernetes-sigs/node-feature-discovery 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/node-feature-discovery has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @AhmedThresh. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[netlify]

✅ Deploy Preview for kubernetes-sigs-nfd ready!

Name	Link
🔨 Latest commit	28b40c9
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-nfd/deploys/66e83b574e309400089f2011
😎 Deploy Preview	https://deploy-preview-1592--kubernetes-sigs-nfd.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[AhmedThresh]

/cc @marquiz

[AhmedThresh]

ping @marquiz

[marquiz]

Thanks for the update @AhmedThresh

/ok-to-test

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: TessaIO (7bad0d5, 28b40c9, 925a071)

[TessaIO]

ping @marquiz. Any more thoughts on this?

[ArangoGutierrez]

/assign @marquiz

[marquiz]

This still only affects the 'DisableAutoPrefix` feature gate, not whether the NF labels are skipped or not

[marquiz]

Looking at this, I think the whole function could be refactored. The outer loop could be rewritten (and we shouldn't need to if len(filteredObjs) > 0). For example, something like (haven't tested):

features := &nfdv1alpha1.NodeFeatureSpec{}

for _, o := range filteredObjs {
	s := o.Spec.DeepCopy()
	if m.config.Restrictions.DenyNodeFeatureLabels && m.isThirdPartyNodeFeature(o, nodeName, m.namespace) {
		klog.V(2).InfoS("node feature labels are disabled in configuration (restrictions.denyNodeFeatureLabels=true)")
		s.Labels = nil
	}

	if !nfdfeatures.NFDFeatureGate.Enabled(nfdfeatures.DisableAutoPrefix) && m.config.AutoDefaultNs {
		s.Labels = addNsToMapKeys(s.Labels, nfdv1alpha1.FeatureLabelNs)
	}

	s.MergeInto(features)
}

return &nfdv1alpha1.NodeFeature{
	ObjectMeta: metav1.ObjectMeta{
		Name: nodeName,
	},
	Spec: *features
}, nil

EDIT: code fixed. We don't need this heavy refactoring but could be done (to keep it simpler). WDYT?

EDIT2: maybe we can keep the original optimization features := filteredObjs[0].Spec.DeepCopy()

[marquiz]

There has been so much devilish details in this feature that it would be good to verify that the non-3rd-party NF labels ARE still created. Either by deploying nfd-worker or faking a NF.

You could also just add a note and we could add it in a separate PR. WDYT?

[marquiz]

How about this?

[marquiz]

Note: the else is not necessary but

Suggested change

	} else {
	if !nfdfeatures.NFDFeatureGate.Enabled(nfdfeatures.DisableAutoPrefix) && m.config.AutoDefaultNs {
	features.Labels = addNsToMapKeys(features.Labels, nfdv1alpha1.FeatureLabelNs)
	}
	if !nfdfeatures.NFDFeatureGate.Enabled(nfdfeatures.DisableAutoPrefix) && m.config.AutoDefaultNs {
	features.Labels = addNsToMapKeys(features.Labels, nfdv1alpha1.FeatureLabelNs)
	}

[marquiz]

We shouldn't skip the whole NF, just set labels to nil.

Suggested change

continue

Why didn't the e2e tests catch this? 🤔 We should have a NFR there to verify that the features are still present. You can also just add a note about this there for now.

[TessaIO]

ping @marquiz

[marquiz]

One last comment. Should we call this EXPERIMENTAL in this release(?) There have been so many subtle details during the review process that we've certainly missed something 😊 WDYT?

[TessaIO]

Yes, please. I will create another issue to cover those unseen details. If you have some bullet points in mind you can leave them here.

[TessaIO]

@marquiz PTAL

[marquiz]

Thanks @TessaIO for this monumental effort with a lot of twists, turns and surprises 💯 🚀 I'm ready to merge this now.

We have some TODO items to improve the e2e-tests and will address those later

I'll let @ArangoGutierrez to take a final look. E.g. check the docs if you understand what we're trying to do here 😜
/assign @ArangoGutierrez

[TessaIO]

Thanks @TessaIO for this monumental effort with a lot of twists, turns and surprises 💯 🚀 I'm ready to merge this now.

Thanks for your thorough and precise review! 🚀

[TessaIO]

ping @ArangoGutierrez

[TessaIO]

kind reminder @ArangoGutierrez @marquiz

[ArangoGutierrez]

/test all

[ArangoGutierrez]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 491d4d21569336c2bdca3d723df02e1d1af61431

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AhmedThresh, ArangoGutierrez, marquiz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ArangoGutierrez,marquiz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[marquiz]

Ach, finally 🚀 ☺️