Merge pull request kubesphere#3344 from wansir/workspace-quota

support workspace resource quota

Author: ks-ci-bot

cmd/controller-manager/app/server.go

@@ -18,6 +18,7 @@ package app
 
 import (
 	"fmt"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"kubesphere.io/kubesphere/pkg/controller/application"
 	"os"
@@ -32,6 +33,7 @@ import (
 	controllerconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
 	"kubesphere.io/kubesphere/pkg/controller/namespace"
 	"kubesphere.io/kubesphere/pkg/controller/network/webhooks"
+	"kubesphere.io/kubesphere/pkg/controller/quota"
 	"kubesphere.io/kubesphere/pkg/controller/serviceaccount"
 	"kubesphere.io/kubesphere/pkg/controller/user"
 	"kubesphere.io/kubesphere/pkg/controller/workspace"
@@ -194,29 +196,32 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 		klog.Fatalf("unable add APIs to scheme: %v", err)
 	}
 
+	// register common meta types into schemas.
+	metav1.AddToGroupVersion(mgr.GetScheme(), metav1.SchemeGroupVersion)
+
 	workspaceTemplateReconciler := &workspacetemplate.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
 	if err = workspaceTemplateReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatal("Unable to create workspace template controller")
+		klog.Fatalf("Unable to create workspace template controller: %v", err)
 	}
 
 	workspaceReconciler := &workspace.Reconciler{}
 	if err = workspaceReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatal("Unable to create workspace controller")
+		klog.Fatalf("Unable to create workspace controller: %v", err)
 	}
 
 	workspaceRoleReconciler := &workspacerole.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
 	if err = workspaceRoleReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatal("Unable to create workspace role controller")
+		klog.Fatalf("Unable to create workspace role controller: %v", err)
 	}
 
 	workspaceRoleBindingReconciler := &workspacerolebinding.Reconciler{MultiClusterEnabled: s.MultiClusterOptions.Enable}
 	if err = workspaceRoleBindingReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatal("Unable to create workspace role binding controller")
+		klog.Fatalf("Unable to create workspace role binding controller: %v", err)
 	}
 
 	namespaceReconciler := &namespace.Reconciler{}
 	if err = namespaceReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatal("Unable to create namespace controller")
+		klog.Fatalf("Unable to create namespace controller: %v", err)
 	}
 
 	selector, _ := labels.Parse(s.ApplicationSelector)
@@ -227,13 +232,17 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 		ApplicationSelector: selector,
 	}
 	if err = applicationReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatal("Unable to create application controller")
+		klog.Fatalf("Unable to create application controller: %v", err)
 	}
 
 	saReconciler := &serviceaccount.Reconciler{}
-
 	if err = saReconciler.SetupWithManager(mgr); err != nil {
-		klog.Fatal("Unable to create ServiceAccount controller")
+		klog.Fatalf("Unable to create ServiceAccount controller: %v", err)
+	}
+
+	resourceQuotaReconciler := quota.Reconciler{}
+	if err := resourceQuotaReconciler.SetupWithManager(mgr, quota.DefaultMaxConcurrentReconciles, quota.DefaultResyncPeriod, informerFactory.KubernetesSharedInformerFactory()); err != nil {
+		klog.Fatalf("Unable to create ResourceQuota controller: %v", err)
 	}
 
 	// TODO(jeff): refactor config with CRD
@@ -263,10 +272,16 @@ func run(s *options.KubeSphereControllerManagerOptions, stopCh <-chan struct{})
 	hookServer := mgr.GetWebhookServer()
 
 	klog.V(2).Info("registering webhooks to the webhook server")
-	hookServer.Register("/validate-email-iam-kubesphere-io-v1alpha2-user", &webhook.Admission{Handler: &user.EmailValidator{Client: mgr.GetClient()}})
+	hookServer.Register("/validate-email-iam-kubesphere-io-v1alpha2", &webhook.Admission{Handler: &user.EmailValidator{Client: mgr.GetClient()}})
 	hookServer.Register("/validate-network-kubesphere-io-v1alpha1", &webhook.Admission{Handler: &webhooks.ValidatingHandler{C: mgr.GetClient()}})
 	hookServer.Register("/mutate-network-kubesphere-io-v1alpha1", &webhook.Admission{Handler: &webhooks.MutatingHandler{C: mgr.GetClient()}})
 
+	resourceQuotaAdmission, err := quota.NewResourceQuotaAdmission(mgr.GetClient(), mgr.GetScheme())
+	if err != nil {
+		klog.Fatalf("unable to create resource quota admission: %v", err)
+	}
+	hookServer.Register("/validate-quota-kubesphere-io-v1alpha2", &webhook.Admission{Handler: resourceQuotaAdmission})
+
 	klog.V(2).Info("registering metrics to the webhook server")
 	hookServer.Register("/metrics", metrics.Handler())
 

config/crds/quota.kubesphere.io_resourcequotas.yaml

@@ -8,9 +8,9 @@ webhooks:
     clientConfig:
       caBundle: <caBundle>
       service:
-        name: webhook-service
+        name: ks-controller-manager
         namespace: kubesphere-system
-        path: /validate-email-iam-kubesphere-io-v1alpha2-user
+        path: /validate-email-iam-kubesphere-io-v1alpha2
     failurePolicy: Fail
     name: vemail.iam.kubesphere.io
     rules:
@@ -22,19 +22,4 @@ webhooks:
           - CREATE
           - UPDATE
         resources:
-          - users
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: webhook-service
-  namespace: kubesphere-system
-spec:
-  ports:
-    - port: 443
-      targetPort: 443
-  selector:
-    app: ks-controller-manager
-    tier: backend
+          - users

config/webhook/iam.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ks-controller-manager
+  namespace: kubesphere-system
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: ks-controller-manager
+    tier: backend

config/webhook/ks-controller-manager.yaml

@@ -7,9 +7,9 @@ webhooks:
   - clientConfig:
       caBundle: <caBundle>
       service:
-        name: kubesphere-controller-manager-service
+        name: ks-controller-manager
         namespace: kubesphere-system
-        path: /validate-nsnp-kubesphere-io-v1alpha1-network
+        path: /validate-network-kubesphere-io-v1alpha1
     failurePolicy: Fail
     name: validate.nsnp.kubesphere.io
     rules:

config/webhook/nsnp.yaml config/webhook/network.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: resourcesquotas.quota.kubesphere.io
+webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+    clientConfig:
+      caBundle: <caBundle>
+      service:
+        name: ks-controller-manager
+        namespace: kubesphere-system
+        path: /validate-quota-kubesphere-io-v1alpha2
+        port: 443
+    failurePolicy: Ignore
+    matchPolicy: Exact
+    name: resourcesquotas.quota.kubesphere.io
+    namespaceSelector: {}
+    objectSelector: {}
+    rules:
+      - apiGroups:
+          - '*'
+        apiVersions:
+          - '*'
+        operations:
+          - CREATE
+        resources:
+          - pods
+        scope: '*'
+    sideEffects: None

config/webhook/quota.yaml

@@ -43,6 +43,7 @@ require (
 	github.com/google/go-cmp v0.5.0
 	github.com/google/uuid v1.1.1
 	github.com/gorilla/websocket v1.4.1
+	github.com/hashicorp/golang-lru v0.5.4
 	github.com/json-iterator/go v1.1.10
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -733,7 +734,6 @@ replace (
 	gopkg.in/tchap/go-patricia.v2 => gopkg.in/tchap/go-patricia.v2 v2.2.6
 	gopkg.in/tomb.v1 => gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
 	gopkg.in/warnings.v0 => gopkg.in/warnings.v0 v0.1.2
-	gopkg.in/yaml.v1 => gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0
 	gopkg.in/yaml.v2 => gopkg.in/yaml.v2 v2.3.0
 	gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
 	gotest.tools => gotest.tools v2.2.0+incompatible

go.mod

@@ -2,7 +2,7 @@
 
 set -e
 
-GV="network:v1alpha1 servicemesh:v1alpha2 tenant:v1alpha1 tenant:v1alpha2 devops:v1alpha1 iam:v1alpha2 devops:v1alpha3 cluster:v1alpha1 storage:v1alpha1 auditing:v1alpha1 types:v1beta1"
+GV="network:v1alpha1 servicemesh:v1alpha2 tenant:v1alpha1 tenant:v1alpha2 devops:v1alpha1 iam:v1alpha2 devops:v1alpha3 cluster:v1alpha1 storage:v1alpha1 auditing:v1alpha1 types:v1beta1 quota:v1alpha2"
 
 rm -rf ./pkg/client
 ./hack/generate_group.sh "client,lister,informer" kubesphere.io/kubesphere/pkg/client kubesphere.io/kubesphere/pkg/apis "$GV" --output-base=./  -h "$PWD/hack/boilerplate.go.txt"