kubernetes
/
community
mirror of https://github.com/kubernetes/community.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add NamespaceSelector to select namespaces for Initializers

This commit is contained in:
Di Xu 2017-10-15 21:20:59 +08:00
parent 3469142b07
commit ee1291784b
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
contributors/design-proposals/api-machinery/dynamic-admission-control-configuration.md
View File

@ -24,6 +24,8 @@ default admission controls. This document hashes out the implementation details.
* Do not block the entire cluster if the intializers/webhooks are not ready
after registration.
* Admin can enforce initializers to specific namespaces.
## Specification
We assume initializers could be "fail open". We need to update the extensible
@ -73,6 +75,13 @@ type Initializer struct {
// if the timeout is reached. The default timeout for each initializer is
// 5s.
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty"`
// Selects Namespaces using cluster scoped-labels. This
// matches all pods in all namespaces selected by this label selector.
// This field follows standard label selector semantics.
// If present but empty, this selector selects all namespaces.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}
// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
@ -273,6 +282,23 @@ crashes, so it is rare.
See [Considered but REJECTED alternatives](#considered-but-rejected-alternatives) for considered alternatives.
## Enforce initializers to specific namespaces
Current `InitializerConfiguration` is at the cluster level and all of the to-be-created resources (such as rc and deployments) defined in `Rules`
will be appended with the pending initializers automatically during creation, regardless of the namespace.
There is no way to only apply the initializers to specific namespaces.
For example, when running a multi-tenant cluster, it'd be quite useful to only apply the rules in just certain namespaces. Sometimes we
don't want to enforce in "kube-*" related namespaces as well.
With the help of `NamespaceSelector`, we can
* Apply initializer to ALL namespaces (by default);
* Apply initializer to limited namespaces using label selector;
Since most users won't add extra labels for namespaces explicitly when creating new resources, the selector matching should only be applied to
`labels.Set(map[string]string{"namespace": namespace})` instead of widely-used `metadata.Labels`.
## Future work
1. Figuring out a better schema to represent the order among