✨ Create one DNS nameserver per workspace

[lionelvillard]

Summary

Dynamically deploy DNS nameserver k8s resources, one set per workspace. Each set of resources is composed of:

• a serviceaccount
• a role with one rule to access only one configmap
• a rolebinding
• a deployment (the DNS nameserver for the workspace)
• a service

The spec controller checks for DNS endpoint readiness before syncing to pclusters.

All DNS objects associated to all workspaces bound to the workload ws are deployed in the synctarget namespace. Initial network policies design document review with @davidfestal shows this approach allows workspaces segmentation.

This PR does not support:

• upgrade: once created, DNS objects are never updated
• workspace deletion (yet). The DNS objects are currently never deleted
• SyncTarget deletion might be supported (not tested)

Related issue(s)

Fixes #1987

[openshift-ci]

Hi @lionelvillard. Thanks for your PR.

I'm waiting for a kcp-dev member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[lionelvillard]

@davidfestal @jmprusi this is now ready for a first round of reviews. Keep in mind that I haven't updated the tests yet.

[davidfestal]

/ok-to-test

[davidfestal]

Additional, is it possible to create a followup PR for the update, and most importantly for the cleanup case, and add it into the related EPIC: kcp-dev/contrib-tmc#95 ?

[lionelvillard]

This PR is now ready @davidfestal @jmprusi. It needs some follow-up PRs which will be captured in issues.

[lionelvillard]

/test e2e-multiple-runs

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidfestal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [davidfestal]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qiujian16]

do we always need to sync role/rolebinding after this is merged? should we add role/rolebinding by default to the virtual workspace?

[lionelvillard]

@qiujian16 yes we always need to sync role/rolebinding. Role restricts the DNS pod to only access the configmap associated to the workspace. See https://github.com/kcp-dev/kcp/blob/main/pkg/syncer/spec/dns/role_dns.yaml#L11. There is also one ServiceAccount per workspace.

[qiujian16]

cc @davidfestal shouldn't we add role/rolebinding as default api resources in syncer virtual workspace and let syncer always sync them?