[add] Support namespace scoped chaos

[STRRL]

What problem does this PR solve?

Make chaos-mesh controller could work without permission of cluster scope, like pod list from cluster scope.

Related issue: #487

What is changed and how does it work?

This PR makes three things:

• Add new configurations to switch on namespace scope mode, and target namespace for chaos injecting within namespace scope mode.
• Make controller manager only watch chaos objects belongs to target namespace; Make pod selector only list pods belongs to target namespace;
• Create configuration validation and other logic to reject out-of-scoped behaviors.

Checklist

Todos:

• kubebuilder controller manager support namespace scoped mode
• K8sConfigMapWatcher support namespace scoped mode
• helm configs
  - [ ] enhance webhook (like, using namespaceSelector)
• controller manager could skip chaos that does not belong to target namespace.
  - [ ] e2e tests It's hard to test as expected operation is NOOP.
• new rbac yaml, as a mininum permission list, for controller serviceaccount
• found the mininum permission list to install chaos-mesh
• update the document

Tests

• Unit test
• E2E test
• Manual test (add detailed scripts or steps below)
• No code

Manually test steps:

WIP

Side effects

• Breaking backward compatibility

Related changes

• Need to update the documentation

Does this PR introduce a user-facing change?

No

NONE

[cwen0]

@Yisaer PTAL

[STRRL]

I found that K8sConfigMapWatcher also need some patches, I will finish these changes very soon.

[STRRL]

Hi @cwen0 @Gallardot mentors, one more thing, shall we consider to split out namespace which inject chaos and namespace which running controller?

For example, running chaos-controller-manager in ns chaos-control-plane, and create a IOChaos in another ns chaos-testing.

Or we should play in ONLY ONE namespace.

[Yisaer]

Basically LGTM except the selector is too complex for now. Maybe we need to find a better way to refactor it. Adding an e2e test to verify the namespace-scoped would be better. @STRRL

[STRRL]

Hi @Yisaer , could you take a little while on this #872 (comment) ? Please give me your opinion about this question.

Thanks!

[STRRL]

Hi @cwen0 @Gallardot mentors, one more thing, shall we consider to split out namespace which inject chaos and namespace which running controller?

For example, running chaos-controller-manager in ns chaos-control-plane, and create a IOChaos in another ns chaos-testing.

Or we should play in ONLY ONE namespace.

I am working on this, it could improve isolation of our system.

[STRRL]

Basically LGTM except the selector is too complex for now. Maybe we need to find a better way to refactor it.

Hi @Yisaer . I create new issue to track this. #886

I do not recommend refactoring while appending new features. :D

[Yisaer]

Basically LGTM except the selector is too complex for now. Maybe we need to find a better way to refactor it.

Hi @Yisaer . I create new issue to track this. #886

I do not recommend refactoring while appending new features. :D

Thanks for your contribution. I didn't mean refactoring selector in this request either. This should be tracked by a new issue and still need to be discussed.

[Yisaer]

I suggest using namespaceSelector for webhook while namespace-scoped is enabled.

As namespaceSelector need apiserver >= 1.15(need to be verified), the if-else template rendering could refer to here

[Yisaer]

ning chaos-controller-manager in ns chaos-control-plane, and create a IOChaos in another ns chaos-testing.

Or we should play in ONLY ONE name

For this question, my answer is no (do not split the manager and chaos in different namespaces). The origin demand for this feature is to limit the range for the chaos mesh (namespace scoped is common for the most controllers while it is more important for chaos-mesh comparing to other controllers as we do need to control the effected range by chaos-mesh)

And this question also remind me that the manager's servceiaccount should be bound by role instead of clusterRole. The role is the only way to guarantee that the manager won't affect other namespaces.

[STRRL]

Hi @Yisaer mentor, I still do not figure out why. 😅

Deploying chaos-controller-manager and applications which are the target of chaos-testing into SAME namespace is DANGEROUS.

For example, if user using a bad selector, it might inject chaos into controller itself.

Other operators like prometheus-operator and openkruise have their own namespace which only running controller. I am very sure that your will NOT put your application into kube-prometheus orkube-system (doge.

And this question also remind me that the manager's servceiaccount should be bound by role instead of clusterRole. The role is the only way to guarantee that the manager won't affect other namespaces.

role and clusterRole is not the key, binding is the key. We could create a RoleBinding related to a ClusterRole. It is the way to grant a serviceaccount cross-namespace permissions.

It seems that we have opposite opinions, I am very pleasure to discuss this question on wechat or slack. :D

[Yisaer]

RoleBinding related to a ClusterRole is great! Thanks for pointing it out! @STRRL

In this way, deploying chaos-mesh into its own namespace and affecting other limit namespaces is ok to me.

[STRRL]

HI, @Yisaer , PTAL

[cwen0]

@Gallardot @Yisaer PTAL

[cwen0]

LGTM

[cwen0]

/merge

[ti-srebot]

/run-all-tests

[ti-srebot]

cherry pick to release-1.0 failed