From 3de4fe1f6f9e95e9a488095bca0b6316571cf4a5 Mon Sep 17 00:00:00 2001
From: zhzhuang-zju
Date: Wed, 15 Nov 2023 10:19:45 +0800
Subject: [PATCH] =?UTF-8?q?Restrict=20=E2=80=9Cconfigmap/extension-apiserv?=
 =?UTF-8?q?er-authentication=E2=80=9D=20object=20from=20being=20distribute?=
 =?UTF-8?q?d=20to=20member=20clusters?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: zhzhuang-zju
---
 pkg/detector/detector.go | 15 +++++++++++----
 pkg/detector/detector_test.go | 17 +++++++++++++++++
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/pkg/detector/detector.go b/pkg/detector/detector.go
index 62d40fd4f..a34768273 100644
--- a/pkg/detector/detector.go
+++ b/pkg/detector/detector.go
@@ -233,16 +233,15 @@ func (d *ResourceDetector) Reconcile(key util.QueueKey) error {
 return d.propagateResource(object, clusterWideKey)
 }
 
-// EventFilter tells if an object should be take care of.
+// EventFilter tells if an object should be taken care of.
 //
-// All objects under Kubernetes reserved namespace should be ignored:
-// - kube-*
 // All objects under Karmada reserved namespace should be ignored:
 // - karmada-system
 // - karmada-cluster
 // - karmada-es-*
 //
-// If '--skipped-propagating-namespaces' is specified, all APIs in the skipped-propagating-namespaces will be ignored.
+// If '--skipped-propagating-namespaces'(defaults to kube-.*) is specified,
+// all resources in the skipped-propagating-namespaces will be ignored.
 func (d *ResourceDetector) EventFilter(obj interface{}) bool {
 key, err := ClusterWideKeyFunc(obj)
 if err != nil {
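Review bot: The updated EventFilter doc comment does not mention the exclusion this commit hard-codes further down the function, so comment and behaviour diverge as soon as the patch lands. The `kube-*` rule is now described as a default of `--skipped-propagating-namespaces` rather than an unconditional rule, so a reader needs to know that one object stays blocked even when an operator overrides that flag. I would add `// The ConfigMap kube-system/extension-apiserver-authentication is never propagated, regardless of the flag.` to the comment. There is also a missing space before the parenthesis in `'--skipped-propagating-namespaces'(defaults to kube-.*)`. The body of EventFilter continues outside this hunk.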
@@ -279,6 +278,14 @@ func (d *ResourceDetector) EventFilter(obj interface{}) bool {
 }
 }
 
+ // Prevent configmap/extension-apiserver-authentication from propagating as it is generated
+ // and managed by kube-apiserver.
+ // Refer to https://github.com/karmada-io/karmada/issues/4228 for more details.
+ if clusterWideKey.Namespace == "kube-system" && clusterWideKey.Kind == "ConfigMap" &&
+ clusterWideKey.Name == "extension-apiserver-authentication" {
+ return false
+ }
+
 return true
 }
 
diff --git a/pkg/detector/detector_test.go b/pkg/detector/detector_test.go
index ff24b4b51..00bf84432 100644
--- a/pkg/detector/detector_test.go
+++ b/pkg/detector/detector_test.go
@@ -125,3 +125,20 @@ func BenchmarkEventFilterMultiSkipNameSpaces(b *testing.B) {
 })
 }
 }
+
+func BenchmarkEventFilterExtensionApiserverAuthentication(b *testing.B) {
+ dt := &ResourceDetector{}
+ dt.SkippedPropagatingNamespaces = append(dt.SkippedPropagatingNamespaces, regexp.MustCompile("^kube-.*$"))
+ for i := 0; i < b.N; i++ {
+ dt.EventFilter(&unstructured.Unstructured{
+ Object: map[string]interface{}{
+ "apiVersion": "v1",
+ "kind": "ConfigMap",
+ "metadata": map[string]interface{}{
+ "name": "extension-apiserver-authentication",
+ "namespace": "kube-system",
+ },
+ },
+ })
+ }
+}
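Review bot: The new guard lives only in EventFilter, and nothing visible here shows whether keys that reach Reconcile by another route are filtered again, so a policy-triggered enqueue might still propagate this ConfigMap. The first hunk's context shows Reconcile ending in `d.propagateResource(object, clusterWideKey)`, so that path is worth confirming. Because the object holds API-server authentication material, I would put the condition in one small predicate that both paths call rather than rely on the event path alone. The match also compares `Kind` without the API group; if the key exposes it (not visible in this hunk), adding `clusterWideKey.Group == ""` would pin the rule to the core ConfigMap. The start of EventFilter is outside this hunk.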
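Review bot: The only test added for this security-relevant filter is a benchmark, which asserts nothing, so no test pins that EventFilter returns false for kube-system/extension-apiserver-authentication. The benchmark also registers `^kube-.*$` in SkippedPropagatingNamespaces, so kube-system is presumably rejected by the namespace loop (outside this hunk) before the new branch is reached, and the added check is never exercised. I would add a unit test that leaves SkippedPropagatingNamespaces empty and checks the result, e.g. `if dt.EventFilter(obj) { t.Fatal("extension-apiserver-authentication must not be propagated") }`. A second case with a different ConfigMap name in kube-system, expecting true, would show the rule is not broader than intended.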