controlplane: split out SystemNamespaces

Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
2024-04-27 10:01:47 +02:00
parent 7b73ee018c
commit 3daae717c3
9 changed files with 16 additions and 6 deletions
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@@ -22,6 +22,7 @@ import (
 	"strings"
 	"time"

+	v1 "k8s.io/api/core/v1"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	cliflag "k8s.io/component-base/cli/flag"

@@ -92,6 +93,8 @@ func NewServerRunOptions() *ServerRunOptions {
 		},
 	}

+	s.Options.SystemNamespaces = append(s.Options.SystemNamespaces, v1.NamespaceNodeLease)
+
 	return &s
 }

--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -291,6 +291,7 @@ func TestAddFlags(t *testing.T) {
 				ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
 			},
 			AggregatorRejectForwardingRedirects: true,
+			SystemNamespaces:                    []string{"kube-system", "kube-public", "default", "kube-node-lease"},
 		},

 		Extra: Extra{
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -239,6 +239,7 @@ func CreateKubeAPIServerConfig(opts options.CompletedOptions) (
 				EventTTL:                opts.EventTTL,
 				EnableLogsSupport:       opts.EnableLogsHandler,
 				ProxyTransport:          proxyTransport,
+				SystemNamespaces:        opts.SystemNamespaces,

 				ServiceAccountIssuer:        opts.ServiceAccountIssuer,
 				ServiceAccountMaxExpiration: opts.ServiceAccountTokenMaxExpiration,
--- a/pkg/controlplane/apiserver/config.go
+++ b/pkg/controlplane/apiserver/config.go
@@ -76,6 +76,8 @@ type Extra struct {
 	ServiceAccountJWKSURI    string
 	ServiceAccountPublicKeys []interface{}

+	SystemNamespaces []string
+
 	VersionedInformers clientgoinformers.SharedInformerFactory
 }

--- a/pkg/controlplane/apiserver/options/options.go
+++ b/pkg/controlplane/apiserver/options/options.go
@@ -24,6 +24,7 @@ import (
 	"strings"
 	"time"

+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	peerreconcilers "k8s.io/apiserver/pkg/reconcilers"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
@@ -83,6 +84,8 @@ type Options struct {
 	ServiceAccountTokenMaxExpiration time.Duration

 	ShowHiddenMetricsForVersion string
+
+	SystemNamespaces []string
 }

 // completedServerRunOptions is a private wrapper that enforces a call of Complete() before Run can be invoked.
@@ -115,6 +118,7 @@ func NewOptions() *Options {
 		EnableLogsHandler:                   true,
 		EventTTL:                            1 * time.Hour,
 		AggregatorRejectForwardingRedirects: true,
+		SystemNamespaces:                    []string{metav1.NamespaceSystem, metav1.NamespacePublic, metav1.NamespaceDefault},
 	}

 	// Overwrite the default for storage data format.
--- a/pkg/controlplane/apiserver/options/options_test.go
+++ b/pkg/controlplane/apiserver/options/options_test.go
@@ -277,6 +277,7 @@ func TestAddFlags(t *testing.T) {
 			ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
 		},
 		AggregatorRejectForwardingRedirects: true,
+		SystemNamespaces:                    []string{"kube-system", "kube-public", "default"},
 	}

 	expected.Authentication.OIDC.UsernameClaim = "sub"
--- a/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller.go
+++ b/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller.go
@@ -46,8 +46,7 @@ type Controller struct {
 }

 // NewController creates a new Controller to ensure system namespaces exist.
-func NewController(clientset kubernetes.Interface, namespaceInformer coreinformers.NamespaceInformer) *Controller {
-	systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic, v1.NamespaceNodeLease, metav1.NamespaceDefault}
+func NewController(systemNamespaces []string, clientset kubernetes.Interface, namespaceInformer coreinformers.NamespaceInformer) *Controller {
 	interval := 1 * time.Minute

 	return &Controller{
--- a/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller_test.go
+++ b/pkg/controlplane/controller/systemnamespaces/system_namespaces_controller_test.go
@@ -30,8 +30,6 @@ import (

 // Test_Controller validates the garbage collection logic for the apiserverleasegc controller.
 func Test_Controller(t *testing.T) {
-	systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic, v1.NamespaceNodeLease}
-
 	tests := []struct {
 		name       string
 		namespaces []string
@@ -107,7 +105,8 @@ func Test_Controller(t *testing.T) {
 				namespaceInformer.Informer().GetIndexer().Add(obj)
 			}

-			controller := NewController(clientset, namespaceInformer)
+			systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic, v1.NamespaceNodeLease, metav1.NamespaceDefault}
+			controller := NewController(systemNamespaces, clientset, namespaceInformer)

 			clientset.PrependReactor("create", "namespaces", func(action k8stesting.Action) (bool, runtime.Object, error) {
 				create := action.(k8stesting.CreateAction)
--- a/pkg/controlplane/instance.go
+++ b/pkg/controlplane/instance.go
@@ -465,7 +465,7 @@ func (c CompletedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 	}

 	m.GenericAPIServer.AddPostStartHookOrDie("start-system-namespaces-controller", func(hookContext genericapiserver.PostStartHookContext) error {
-		go systemnamespaces.NewController(client, c.ControlPlane.Extra.VersionedInformers.Core().V1().Namespaces()).Run(hookContext.StopCh)
+		go systemnamespaces.NewController(c.ControlPlane.SystemNamespaces, client, c.ControlPlane.Extra.VersionedInformers.Core().V1().Namespaces()).Run(hookContext.StopCh)
 		return nil
 	})