add NamespaceSelector to select namespaces for Initializers #1191
Conversation
k8s-ci-robot
requested review from
ahmetb,
caesarxuchao,
gyliu513,
liggitt and
smarterclayton
k8s-ci-robot
added
size/S
|
/assign @caesarxuchao |
|
@cheftako could you also take a look? This is very similar to the webhook bootstrapping problem. |
| * Apply initializer to limited namespaces using label selector; | ||
|
|
||
| Since most users won't add extra labels for namespaces explicitly when creating new resources, the selector matching should only be applied to | ||
| `labels.Set(map[string]string{"namespace": namespace})` instead of widely-used `metadata.Labels`. |
There was a problem hiding this comment.
is this proposing matching on an artificial label set, disconnected from the actual namespace labels?
There was a problem hiding this comment.
Yes. Getnamespace value from attributeRecord when admitting, metadata.Labels is not used/referenced here.
There was a problem hiding this comment.
@dixudx sorry, do not quite catch this, can you please show an example here? How to handle the case if a namespaces do not have labels?
There was a problem hiding this comment.
@gyliu513 Please refer to findInitializers of PR #53879 for the matching implementation.
And the namespace here is retrieved from admission.Attributes when admitting initializers. So metadata.Labels is not used.
There was a problem hiding this comment.
I'll bring this idea up when discussing the bootstrap problem of webhooks. I want to avoid artificial label set if possible.
| ## Enforce initializers to specific namespaces | ||
|
|
||
| Current `InitializerConfiguration` is at the cluster level and all of the to-be-created resources (such as rc and deployments) defined in `Rules` | ||
| will be appended with the pending initializers automatically during creating, regardless of the namespace. |
| * Apply initializer to limited namespaces using label selector; | ||
|
|
||
| Since most users won't add extra labels for namespaces explicitly when creating new resources, the selector matching should only be applied to | ||
| `labels.Set(map[string]string{"namespace": namespace})` instead of widely-used `metadata.Labels`. |
There was a problem hiding this comment.
@dixudx sorry, do not quite catch this, can you please show an example here? How to handle the case if a namespaces do not have labels?
dixudx
force-pushed
the
add_namespaceSelector_for_initializer
branch
from
64fad5a
to
ee12917
Compare
k8s-ci-robot
added
the
lgtm
|
/cc @caesarxuchao for review |
|
@gyliu513: GitHub didn't allow me to request PR reviews from the following users: for, review. Note that only kubernetes members can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Automatic merge from submit-queue. |
|
Do not know why a "lgtm" trigger this merge? |
|
this should not have merged. opened revert in #1243 |
Automatic merge from submit-queue. Revert initializer namespace selector change #1191 was accidentally merged
|
Please take a look at a similar API we proposed for the webhook configuration. We'll keep the webhook configuration aligned with the initializer configuration. |
Automatic merge from submit-queue. Add a design doc for admission webhook bootstrapping Originally distributed as a [google doc](https://docs.google.com/document/d/1pw6FyobY3pVxfWYwmAFuF5WJpvjfq-M3Ciz996kblVc/edit?ts=59f1d824#). The idea is from an Oct. 23 meeting with lavalamp, cheftako, deads2k, smarterclayton, liggitt. It also draws inspiration from #1191. cc @kubernetes/sig-api-machinery-api-reviews @lavalamp @deads2k
…for_initializer Automatic merge from submit-queue. add NamespaceSelector to select namespaces for Initializers issue kubernetes/kubernetes#51290, kubernetes/kubernetes#53859 xref PR kubernetes/kubernetes#53879 /cc @ahmetb @gyliu513 @liggitt @smarterclayton @caesarxuchao
…r-webhook Automatic merge from submit-queue. Add a design doc for admission webhook bootstrapping Originally distributed as a [google doc](https://docs.google.com/document/d/1pw6FyobY3pVxfWYwmAFuF5WJpvjfq-M3Ciz996kblVc/edit?ts=59f1d824#). The idea is from an Oct. 23 meeting with lavalamp, cheftako, deads2k, smarterclayton, liggitt. It also draws inspiration from kubernetes#1191. cc @kubernetes/sig-api-machinery-api-reviews @lavalamp @deads2k
issue kubernetes/kubernetes#51290, kubernetes/kubernetes#53859
xref PR kubernetes/kubernetes#53879
/cc @ahmetb @gyliu513 @liggitt @smarterclayton @caesarxuchao