fix dependencies distributor buildAttachedBinding Namespace #3044
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks! |
@jwcesign yes, that's right. For the previous implementation, the configmap's rb is created in the default ns, the configmap is created in the ns-2 ns, and the configmap's rb will be an orphan binding. https://github.com/yanfeng1992/karmada/blob/85fcf2f627dd12cbf9849b49090451dcaa7b2a29/pkg/dependenciesdistributor/dependencies_distributor.go#L453 Do I understand correctly? |
Hi @yanfeng1992, I have a question, why do you need to use resources across ns? |
For example, we need a pv; the pv is provided by another company, and the pv provider company's configmap is in a specific ns. Doesn't Karmada plan to support using resources across ns? @XiShanYongYe-Chang |
Thanks for your explanation!
No, I just wanted to know the scene. |
Hi @yanfeng1992, can you help add an E2E to cover this case? |
Codecov Report
@@ Coverage Diff @@
## master #3044 +/- ##
==========================================
+ Coverage 37.90% 38.97% +1.06%
==========================================
Files 207 207
Lines 19350 19365 +15
==========================================
+ Hits 7335 7547 +212
+ Misses 11578 11361 -217
- Partials 437 457 +20
I added an E2E case to cover this case, but ran into a problem. After the configmap is updated, it cannot be synchronized to the member cluster. Need your help. @XiShanYongYe-Chang |
Let me take a look. |
https://github.com/yanfeng1992/karmada/blob/69a1b993415fe13633c41bdcd95ca6621d67b8b5/pkg/dependenciesdistributor/dependencies_distributor.go#L173 @XiShanYongYe-Chang I found the problem. Can we list all namespaces? |
E2E done @XiShanYongYe-Chang |
Could you please squash your commits? |
f5d8896 to 6bcc7c0
done @RainbowMango |
Hi @yanfeng1992, first of all, I apologize for my wrong advice. I tried to solve the problem using the above thinking, but I found that there was one situation that I couldn't solve: the resource creation situation. In this case, the target But back to the previous question, is it worth it? Ask @RainbowMango for help. |
ea38152 to a77b37f
Hi @XiShanYongYe-Chang @RainbowMango @jwcesign There are two advantages of adding labels for resourceBinding in this way |
Hi @yanfeng1992, I feel that this solution is still a little incomplete, and if there are a large number of In addition, the problem itself is that cross-namespace resource distribution is likely to encounter permissions issues, because for some users, he may not have permissions on all namespaces. In this case, distributing resources across namespaces may not work.
For this application scenario, ask for @RainbowMango to take a look. |
a77b37f to 67d5347
hi @XiShanYongYe-Chang @RainbowMango
Your previous suggestion is correct. There was a bit of a problem with my previous implementation, which I have fixed. I think there are two advantages to doing this now. The first: it can support using resources across ns. In addition, why do we need to use resources across namespaces? When a PV is mounted, xsky needs a cm. This cm is in a fixed ns. One pv corresponds to one cm, and other vendors’ csi implementations don’t seem to have this problem |
67d5347 to 75bd750
Do we need to continue discussing this issue? Should it be considered a new feature rather than a bug? @XiShanYongYe-Chang |
I think it's a new feature. How about adding a talk in today's community meeting: https://docs.google.com/document/d/1y6YLVC-v7cmVAdbjedoyR5WL0-q45DBRXTvz5_I7bkA/edit#heading=h.g61sgp7w0d0c |
OK, we can join the meeting, do you want me to edit this document? |
Yes, you can edit it directly. |
I just looked at the implementation, and I feel that this problem has not been solved. |
I feel that in the previous implementation, the resource creation situation the target |
When a resource is created, it queues all matched rbs. |
I understand what you mean. |
Yes, it is. |
50ed70f to 19c5407
Signed-off-by: huangyanfeng <huangyanfeng1992@gmail.com>
19c5407 to 86ecd8f
Hi @yanfeng1992, what are your plans for the issue now? Pack the whole application? |
There is currently no plan to package it into an application. I am now trying to solve the problem by adding a dependent resource label in rb. Have a look at my latest implementation? The implementation of packaging the application into a whole package is a good suggestion. I understand this suggestion in this way. In actual development, business developers may be more inclined to use the same crd in a single cluster and multi-cluster. |
Please take a look at my latest commit. I feel that the resource creation situation of not finding the target ResourceBinding has been solved. @XiShanYongYe-Chang |
Hi @yanfeng1992, this patch is functionally satisfactory. However, this solution may be different from the one we discussed at the meeting on Tuesday (2023-01-31). One of the considerations is the authority, which I think should also be taken into account. |
Many thanks to the Karmada community for the help with this issue. I think packaging the app is a better approach. Using resources across namespaces is not a reasonable and common scenario. I think this issue can be closed. Do you have any opinion? |
@yanfeng1992 Thanks for your hard trying! 👍 |
My primary concern must be security. Karmada and K8S's multi-tenant concepts are based on namespaces, if a resource depends on a resource in another namespace, it'll cause a potential security risk. Anyway, thanks for spotting and this is definitely a valuable discussion. For your case, my suggestion would be |
Signed-off-by: huangyanfeng huangyanfeng1992@gmail.com
What type of PR is this?
/kind bug
What this PR does / why we need it:
When creating a dependent resourceBinding, the namespace should use the namespace of the object itself to support cross-namespace references to dependent resources.
For example, we have a crd virtualmachine. We create virtualmachine cr test in ns default, and the webhook gets the virtualmachine cr test's dependence, configmap test-cm, in ns test-2.
Which issue(s) this PR fixes:
Fixes #
dependencies distributor buildAttachedBinding namespace need
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
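
Added example (not part of the PR or of Karmada's code): a minimal model of the namespace-boundary concern raised in the review, classifying each dependency of a parent object as same-namespace, cross-namespace but permitted, or cross-namespace and denied. `ObjectRef`, `Classify`, `Audit` and the `ownerNamespaces` input (namespaces the parent's owner is authorized for) are hypothetical names and assumptions; the sample objects are constructed.

```go
package main

import "fmt"

// ObjectRef is a simplified, hypothetical reference to a Kubernetes object.
type ObjectRef struct{ Kind, Namespace, Name string }

// Verdict classifies a dependency relative to the parent's namespace boundary.
type Verdict string

const (
	SameNamespace  Verdict = "same-namespace"
	CrossPermitted Verdict = "cross-namespace-permitted"
	CrossDenied    Verdict = "cross-namespace-denied"
)

// Classify compares dep with parent. ownerNamespaces is an assumed input.
// Anything outside it, including cluster-scoped refs (empty namespace), fails closed.
func Classify(parent, dep ObjectRef, ownerNamespaces map[string]bool) Verdict {
	switch {
	case dep.Namespace == parent.Namespace:
		return SameNamespace
	case ownerNamespaces[dep.Namespace]:
		return CrossPermitted
	default:
		return CrossDenied
	}
}

// Audit returns the dependencies that should not be propagated for this parent.
func Audit(parent ObjectRef, deps []ObjectRef, ownerNamespaces map[string]bool) []ObjectRef {
	var denied []ObjectRef
	for _, d := range deps {
		if Classify(parent, d, ownerNamespaces) == CrossDenied {
			denied = append(denied, d)
		}
	}
	return denied
}

func main() {
	// Constructed sample; the VirtualMachine/ConfigMap pair mirrors the PR description.
	parent := ObjectRef{"VirtualMachine", "default", "test"}
	deps := []ObjectRef{
		{"ConfigMap", "test-2", "test-cm"},
		{"ConfigMap", "default", "local-cm"},
		{"Secret", "tenant-b", "db-creds"},
	}
	owner := map[string]bool{"default": true, "test-2": true}
	fmt.Println("denied:", Audit(parent, deps, owner))
}
```
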