From 4afcfbbb277ce04ca7d84687b95a5d91e63766eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20B=C3=A4hler?=
Date: Mon, 27 May 2024 14:33:34 +0200
Subject: [PATCH] fix(controller): use ownerreferences without controller owner relation (#1095)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Oliver Bähler
---
 controllers/tenant/manager.go | 3 ++-
 .../namespace/utils.go => utils/reference.go} | 4 ++--
 pkg/webhook/namespace/freezed.go | 3 ++-
 pkg/webhook/namespace/prefix.go | 3 ++-
 pkg/webhook/namespace/quota.go | 3 ++-
 pkg/webhook/namespace/user_metadata.go | 5 +++--
 pkg/webhook/ownerreference/patching.go | 19 +++++++++++++++++--
 7 files changed, 30 insertions(+), 10 deletions(-)
 rename pkg/{webhook/namespace/utils.go => utils/reference.go} (85%)

diff --git a/controllers/tenant/manager.go b/controllers/tenant/manager.go
index f797bfa5..4cfba841 100644
--- a/controllers/tenant/manager.go
+++ b/controllers/tenant/manager.go
@@ -16,6 +16,7 @@ import (
 "k8s.io/client-go/util/retry"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/handler"
 "sigs.k8s.io/controller-runtime/pkg/reconcile"
 capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
@@ -31,11 +32,11 @@ type Manager struct {
 func (r *Manager) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
 For(&capsulev1beta2.Tenant{}).
- Owns(&corev1.Namespace{}).
 Owns(&networkingv1.NetworkPolicy{}).
 Owns(&corev1.LimitRange{}).
 Owns(&corev1.ResourceQuota{}).
 Owns(&rbacv1.RoleBinding{}).
+ Watches(&corev1.Namespace{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &capsulev1beta2.Tenant{})).
 Complete(r)
 }
diff --git a/pkg/webhook/namespace/utils.go b/pkg/utils/reference.go
similarity index 85%
rename from pkg/webhook/namespace/utils.go
rename to pkg/utils/reference.go
index bb344ae0..a06a0a70 100644
--- a/pkg/webhook/namespace/utils.go
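Review bot: The reason for trading `Owns(&corev1.Namespace{})` for the added `Watches(&corev1.Namespace{}, handler.EnqueueRequestForOwner(...))` line is the point of the whole patch, yet nothing in SetupWithManager records it, so a future cleanup could quietly revert to Owns(). A comment above the Watches line such as `// Namespaces reference their Tenant as a plain owner (no controller: true, set by the ownerreference webhook), so Owns(), which only matches controller owners, would miss them.` would pin that down. Note that without handler.OnlyControllerOwner() every Tenant owner reference on a namespace enqueues a reconcile, so a namespace carrying references to more than one Tenant triggers each of them; presumably intended, but worth stating in the same comment. The import hunk above needs nothing.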
+++ b/pkg/utils/reference.go
@@ -1,7 +1,7 @@
 // Copyright 2020-2023 Project Capsule Authors.
 // SPDX-License-Identifier: Apache-2.0
-package namespace
+package utils
 import (
 "strings"
@@ -15,7 +15,7 @@ const (
 ObjectReferenceTenantKind = "Tenant"
 )
-func isTenantOwnerReference(or metav1.OwnerReference) bool {
+func IsTenantOwnerReference(or metav1.OwnerReference) bool {
 parts := strings.Split(or.APIVersion, "/")
 if len(parts) != 2 {
 return false
diff --git a/pkg/webhook/namespace/freezed.go b/pkg/webhook/namespace/freezed.go
index 1f488a6d..43b599fe 100644
--- a/pkg/webhook/namespace/freezed.go
+++ b/pkg/webhook/namespace/freezed.go
@@ -15,6 +15,7 @@ import (
 capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 "github.com/projectcapsule/capsule/pkg/configuration"
+ capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 "github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
@@ -35,7 +36,7 @@ func (r *freezedHandler) OnCreate(client client.Client, decoder admission.Decode
 }
 for _, objectRef := range ns.ObjectMeta.OwnerReferences {
- if !isTenantOwnerReference(objectRef) {
+ if !capsuleutils.IsTenantOwnerReference(objectRef) {
 continue
 }
diff --git a/pkg/webhook/namespace/prefix.go b/pkg/webhook/namespace/prefix.go
index f4e53111..734081a7 100644
--- a/pkg/webhook/namespace/prefix.go
+++ b/pkg/webhook/namespace/prefix.go
@@ -16,6 +16,7 @@ import (
 capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 "github.com/projectcapsule/capsule/pkg/configuration"
+ capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 "github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
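Review bot: `IsTenantOwnerReference` becomes an exported, cross-package helper at the `+func IsTenantOwnerReference(or metav1.OwnerReference) bool {` line but carries no doc comment, and its body continues past the hunk. Since the namespace webhooks and the owner-reference patching now all rely on it to decide which references are Tenant-owned and therefore protected, its contract deserves a sentence, e.g. `// IsTenantOwnerReference reports whether or points at a capsule Tenant; it inspects only the reference fields and does not check that the Tenant exists.` Judging by the split on or.APIVersion and the ObjectReferenceTenantKind constant above, the match is presumably on API group plus Kind; state whichever the body actually checks.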
@@ -49,7 +50,7 @@ func (r *prefixHandler) OnCreate(clt client.Client, decoder admission.Decoder, r
 tnt := &capsulev1beta2.Tenant{}
 for _, or := range ns.ObjectMeta.OwnerReferences {
- if !isTenantOwnerReference(or) {
+ if !capsuleutils.IsTenantOwnerReference(or) {
 continue
 }
diff --git a/pkg/webhook/namespace/quota.go b/pkg/webhook/namespace/quota.go
index 49b0a1a5..d11b2301 100644
--- a/pkg/webhook/namespace/quota.go
+++ b/pkg/webhook/namespace/quota.go
@@ -13,6 +13,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
+ capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 "github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
@@ -31,7 +32,7 @@ func (r *quotaHandler) OnCreate(client client.Client, decoder admission.Decoder,
 }
 for _, objectRef := range ns.ObjectMeta.OwnerReferences {
- if !isTenantOwnerReference(objectRef) {
+ if !capsuleutils.IsTenantOwnerReference(objectRef) {
 continue
 }
diff --git a/pkg/webhook/namespace/user_metadata.go b/pkg/webhook/namespace/user_metadata.go
index b7627bac..1ca64075 100644
--- a/pkg/webhook/namespace/user_metadata.go
+++ b/pkg/webhook/namespace/user_metadata.go
@@ -15,6 +15,7 @@ import (
 capsulev1beta2 "github.com/projectcapsule/capsule/api/v1beta2"
 "github.com/projectcapsule/capsule/pkg/api"
+ capsuleutils "github.com/projectcapsule/capsule/pkg/utils"
 capsulewebhook "github.com/projectcapsule/capsule/pkg/webhook"
 "github.com/projectcapsule/capsule/pkg/webhook/utils"
 )
@@ -35,7 +36,7 @@ func (r *userMetadataHandler) OnCreate(client client.Client, decoder admission.D
 tnt := &capsulev1beta2.Tenant{}
 for _, objectRef := range ns.ObjectMeta.OwnerReferences {
- if !isTenantOwnerReference(objectRef) {
+ if !capsuleutils.IsTenantOwnerReference(objectRef) {
 continue
 }
@@ -90,7 +91,7 @@ func (r *userMetadataHandler) OnUpdate(client client.Client, decoder admission.D
 tnt := &capsulev1beta2.Tenant{}
 for _, objectRef := range newNs.ObjectMeta.OwnerReferences {
- if !isTenantOwnerReference(objectRef) {
+ if !capsuleutils.IsTenantOwnerReference(objectRef) {
 continue
 }
diff --git a/pkg/webhook/ownerreference/patching.go b/pkg/webhook/ownerreference/patching.go
index 60469e71..9b32a793 100644
--- a/pkg/webhook/ownerreference/patching.go
+++ b/pkg/webhook/ownerreference/patching.go
@@ -12,6 +12,7 @@ import (
 "strings"
 corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/tools/record"
@@ -71,7 +72,21 @@ func (h *handler) OnUpdate(_ client.Client, decoder admission.Decoder, _ record.
 return &response
 }
- newNs.OwnerReferences = oldNs.OwnerReferences
+ var refs []metav1.OwnerReference
+
+ for _, ref := range oldNs.OwnerReferences {
+ if capsuleutils.IsTenantOwnerReference(ref) {
+ refs = append(refs, ref)
+ }
+ }
+
+ for _, ref := range newNs.OwnerReferences {
+ if !capsuleutils.IsTenantOwnerReference(ref) {
+ refs = append(refs, ref)
+ }
+ }
+
+ newNs.OwnerReferences = refs
 c, err := json.Marshal(newNs)
 if err != nil {
@@ -212,7 +227,7 @@ func (h *handler) patchResponseForOwnerRef(tenant *capsulev1beta2.Tenant, ns *co
 return admission.Errored(http.StatusInternalServerError, err)
 }
- if err = controllerutil.SetControllerReference(tenant, ns, scheme); err != nil {
+ if err = controllerutil.SetOwnerReference(tenant, ns, scheme); err != nil {
 recorder.Eventf(tenant, corev1.EventTypeWarning, "Error", "Namespace %s cannot be assigned to the desired Tenant", ns.GetName())
 return admission.Errored(http.StatusInternalServerError, err)
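Review bot: The merge ending at `+ newNs.OwnerReferences = refs` silently rewrites the request rather than rejecting it: a Tenant reference the client tried to remove is restored from oldNs and one it tried to add is discarded, and nothing in the hunk says so. A comment above `var refs []metav1.OwnerReference` such as `// Tenant owner references are taken from the stored namespace only: a client may add or remove other owners but cannot add, drop or rewrite a Tenant reference; anything else from the request is kept.` would make the invariant explicit for whoever next touches the namespace webhooks that key off IsTenantOwnerReference. Because tenant references are now always emitted first, an update that merely reorders owners yields a non-empty patch, harmless but worth knowing. OnUpdate starts before the hunk, so any earlier check on the references is out of view here.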
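Review bot: Swapping `controllerutil.SetControllerReference` for `controllerutil.SetOwnerReference` drops the AlreadyOwnedError guard: SetOwnerReference upserts a reference keyed on group, kind and name and does not complain when a different Tenant already owns the namespace, so unless that is checked earlier in patchResponseForOwnerRef (which starts outside the hunk) or elsewhere in this webhook, a namespace can end up referencing two Tenants and the `IsTenantOwnerReference` loops in the namespace webhooks will act on whichever comes first. If no such check exists, a guard before the call, `for _, ref := range ns.OwnerReferences { if capsuleutils.IsTenantOwnerReference(ref) && ref.Name != tenant.Name { return admission.Denied("namespace is already owned by another Tenant") } }`, keeps the previous single-owner invariant. The new reference also no longer carries blockOwnerDeletion, which changes foreground-deletion behaviour for Tenants; presumably intended, but a one-line comment on the call would confirm it.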