diff --git a/enhancements/sig-architecture/30-clusterset-override/README.md b/enhancements/sig-architecture/30-clusterset-override/README.md index dc31eb94..4692fcff 100644 --- a/enhancements/sig-architecture/30-clusterset-override/README.md +++ b/enhancements/sig-architecture/30-clusterset-override/README.md @@ -30,7 +30,7 @@ So, In this proposal, we change the managedClusterSets spec and want to provide ```go type ManagedClusterSetSpec struct { - // Selector represents a selector of ManagedClusters by labels and names. + // Selector represents a selector of ManagedClusters. ClusterSelector ManagedClusterSelector `json:"clusterSelector"` } 
@@ -327,62 +327,40 @@ So we could finish the migration by four steps, and step 1 and step 2 will be fi 1. [Implement in OCM 0.7.0]Update the managedClusterSet API which only includes an exclusive way to select target managedClusters. ```go +// ManagedClusterSetSpec describes the attributes of the ManagedClusterSet type ManagedClusterSetSpec struct { - // Selector represents a selector of ManagedClusters by labels and names. - ClusterSelector ManagedClusterSelector `json:"clusterSelector"` + // ClusterSelector represents a selector of ManagedClusters + // +optional + // +kubebuilder:default:={selectorType: LegacyClusterSetLabel} + ClusterSelector ManagedClusterSelector `json:"clusterSelector,omitempty"` } -type ManagedClusterSelector struct{ - // "" means to use the current mechanism of matching label . - // (future) "LabelSelector" means to use the LabelSelector to select target managedClusters - // "ExclusiveLabel" means to use a particular cluster label. It is guaranteed that clustersets with same label key are exclusive with each others - // +optional - SelectorType SelectorType `json:"selectorType"` - - // ExclusiveLabel defines one label which clusterset could use to select target managedClusters. In this way, we will: - // 1. Guarantee clustersets with same label key are exclusive - // 2. Enable additional permission check when cluster joining/leaving a clusterset (the label key should start with the reserved prefix "cluster.open-cluster-management.io/" and "info.open-cluster-management.io/"); - ExclusiveLabel *ExclusiveLabel `json:"exclusiveLabel"` +// ManagedClusterSelector represents a selector of ManagedClusters +type ManagedClusterSelector struct { + // SelectorType could only be "LegacyClusterSetLabel" now, will support more SelectorType later + // "LegacyClusterSetLabel" means to use label "cluster.open-cluster-management.io/clusterset:"" to select target clusters. 
+ // +kubebuilder:validation:Enum=LegacyClusterSetLabel + // +kubebuilder:default:=LegacyClusterSetLabel + // +required + SelectorType SelectorType `json:"selectorType,omitempty"` } type SelectorType string const ( - ExclusiveLabel SelectorType = "ExclusiveLabel" + LegacyClusterSetLabel SelectorType = "LegacyClusterSetLabel" ) - -//ExclusiveLabel defines one cluster label -type ExclusiveLabel struct { - //Key is "cluster.open-cluster-management.io/clusterset" by default and can only be cluster.open-cluster-management.io/ - Key string `json:"key"` - //Value can only be empty or the name of the clusterset. - Value string `json:"value"` -} ``` -- `LabelSelector` will not be included -- `ExclusiveLabel.Key` must be `cluster.open-cluster-management.io/clusterset` and `ExclusiveLabel.Value` must be `ManagedClusterset Name` -- Both `managedclusterset/join` and `managedclusters/label` permission will be supported - 2. [Implement in OCM 0.7.0]`multicloud-operators-foundation`, `submariner-addon`, `placement` change the code to integrate with new managedClusterSet api a. `multicloud-operators-foundation` uses managedClusterSet for resource group purpose. So it should only watch the following managedClusterSets: - - `spec.ClusterSelector.SelectorType` is `ExclusiveLabel` and the `ExclusiveLabel.Key` must be `cluster.open-cluster-management.io/clusterset` - - `spec.ClusterSelector.SelectorType` is "" - - b. `multicloud-operators-foundation` gives the users `join` permission to a managedClusterSet if the user has "admin" permission to the managedClusterSet. So the `join` permission should be changed with the following rule: - ```yaml - - apiGroups: ["cluster.open-cluster-management.io"] - resources: ["managedclusters/label"] - resourceNames: ["cluster.open-cluster-management.io/clusterset:"] - verbs: ["create"] - ``` - - c. `submariner-addon` uses managedClusterSet group clusters based on the network. And in different managedClusterSet, the clusters should be exclusive. 
So it should only watch the following managedClusterSet: - - `spec.ClusterSelector.SelectorType` is `ExclusiveLabel` and the `ExclusiveLabel.Key` must be `cluster.open-cluster-management.io/clusterset`, the `ExclusiveLabel.Value` must be managedClusterSet name. - - `spec.ClusterSelector.SelectorType` is "" - - d. `placement` using new `ClusterSelector` to select target clusters. + - `spec.ClusterSelector.SelectorType` is `LegacyClusterSetLabel` + + b. `submariner-addon` uses managedClusterSet group clusters based on the network. And in different managedClusterSet, the clusters should be exclusive. So it should only watch the following managedClusterSet: + - `spec.ClusterSelector.SelectorType` is `LegacyClusterSetLabel` + + c. `placement` using new `ClusterSelector` to select target clusters. 3. [Implement in OCM 0.8.0] Update full managedClusterSet api and RBAC - Include `LabelSelector` diff --git a/enhancements/sig-architecture/30-clusterset-override/metadata.yaml b/enhancements/sig-architecture/30-clusterset-override/metadata.yaml index c51fcef7..e6d76f10 100644 --- a/enhancements/sig-architecture/30-clusterset-override/metadata.yaml +++ b/enhancements/sig-architecture/30-clusterset-override/metadata.yaml @@ -9,5 +9,5 @@ approvers: - "@elgnay" - "@deads2k" creation-date: 2021-11-30 -last-updated: 2022-02-24 +last-updated: 2022-03-29 status: provisional
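Review bot: In the `@@ -30,7 +30,7` hunk of README.md, the updated comment still begins with "Selector" although the field is `ClusterSelector`, and the tag stays `json:"clusterSelector"`. The later hunk documents the same struct with "ClusterSelector represents a selector of ManagedClusters", a `+optional` marker and `json:"clusterSelector,omitempty"`. Make the two copies of `ManagedClusterSetSpec` agree so the proposal shows a single API shape.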
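Review bot: In the `@@ -327,62 +327,40` hunk of README.md, removing the bullet "Both `managedclusterset/join` and `managedclusters/label` permission will be supported" together with the `managedclusters/label` RBAC rule leaves steps 1 and 2 with no statement of which permission gates a cluster joining or leaving a set in OCM 0.7.0. Add one line saying which check applies when `SelectorType` is `LegacyClusterSetLabel`, since step 3 only says "Update full managedClusterSet api and RBAC". Separately, `SelectorType` is marked `+required` yet carries `omitempty` and a `+kubebuilder:default`, while its parent field is `+optional` with its own default; choose either required or optional-with-default so the markers agree. The label example in the comment, `"cluster.open-cluster-management.io/clusterset:""`, also ends in an empty value, so state what the value is expected to be. Finally, the consumers' watch lists drop the `spec.ClusterSelector.SelectorType` is "" case; say whether existing objects with an empty selector type are expected to be covered by the default.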