✨ add namespace filtering

[marek-veber]

What this PR does / why we need it:
This PR adds an option --excluded-namespace=<comma separated list of namespaces>

Which issue(s) this PR fixes:
Fixes #11193

/area/clusterresourceset

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: marek-veber / name: Marek Veber (4c5ea6f)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign fabriziopandini for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

This PR is currently missing an area label, which is used to identify the modified component when generating release notes.

Area labels can be added by org members by writing /area ${COMPONENT} in a comment

Please see the labels list for possible areas.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

Welcome @marek-veber!

It looks like this is your first PR to kubernetes-sigs/cluster-api 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @marek-veber. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sbueringer]

I don't have time to contribute to this now / until code freeze / PTO / .. but let's please make sure we have a very clear understanding how whatever filtering we do works across:

• the cache
• the cached client (mgr.GetClient)
• all our controllers (event filtering)
• ClusterCache
• every other part of Cluster API that is affected

I think something like the cache and the event filtering in our controller watches and especially all the calls we do on the cached client have to be carefully orchestrated with each other. Today we have a lot of options for performance improvements, these might go away if we surface the wrong configuration options to end users.

[fabriziopandini]

Let's also try to get a better understanding of the use case we are trying to address, because our current stance is that support for running multiple instances of Cluster API is should be considered best-effort + the issue linked above are not really well harmonised in term of requirements and proposed solution.

BTW, above statement, and the fact that as @sbueringer noted this is way trickier than it could appear at first sight, are the same reason why we have a few other long standing feature request in this area

[JoelSpeed]

Is there a StringSliceVar? We are using pflag so I think there is

[marek-veber]

used

[JoelSpeed]

I don't think this is the right approach to solving this issue. The suggestion in #11193 uses the FieldSelector concept of an API request to filter resources at the API server level, rather than the controller level.

Given the scale potential here, I think we want to follow that suggestion and move the filtering to the API server where possible.

I'm not sure if that approach also has RBAC advantages, perhaps we don't need permissions on the excluded namespace? But that could also be an advantage of the approach as suggested by Alberto

[marek-veber]

Thanks, @JoelSpeed! Please take a look at the new approach in this PR.

[neolit123]

should it be excluded-namespace (singular, but still a comma separated list) to match the existing flag namespace, which cannot be changed to namespaces without a breaking change?

• ✨ update the --namespace <namespace> option to accept a comma-separated list for watching multiple selected namespaces #11397

[marek-veber]

changed --excluded-namespaces -> --excluded-namespace

[sbueringer]

/hold
xref: #11370 (comment) #11370 (comment)
(just to make sure these comments are not getting missed)

[neolit123]

i recall recent discussions in core k8s on a KEP somewhere that this pattern is not preferred i.e. adding both an allow list and a deny list flag at the same time.

how about keeping this simple and doing the following:

• --namespace not specified == watch all NS
• --namespace specifies some NS as a comma separated list == only watch those NS

that means for a NS to be watched it must be in the --namespace list.
downside of that is that a controller restart is needed every time a new NS must be watched.
then again, same goes for anytime you need to exclude a certain NS.

[marek-veber]

We also need the following behavior (I’ve split it into two separate PRs):

• If --namespace is not specified, it defaults to watching all namespaces.
• Use --exclude-namespace=ns1,ns2,... to watch all namespaces except specified ones (e.g., ns1, ns2).

Additionally, there’s a more flexible option, see: #7775 (comment) that allows for more complex conditions. However, it doesn’t seem to support using a direct "positive" list of namespaces to watch.

[fabriziopandini]

+1 to what @sbueringer said
we should not add flags until we have a clear idea of what we want to achieve.
also, as written in a few comments, this is not as simple as adding a flag.