deploy: add CR restrictions to the helm config

Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com>
Signed-off-by: AhmedThresh <ahmed.grati@insat.ucar.tn>
Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com>
Signed-off-by: AhmedThresh <ahmed.grati@insat.ucar.tn>

deployment/components/master-config/nfd-master.conf.example

@@ -6,6 +6,21 @@
 # enableTaints: false
 # labelWhiteList: "foo"
 # resyncPeriod: "2h"
+# restrictions:
+#   disableLabels: true
+#   disableTaints: true
+#   disableExtendedResources: true
+#   disableAnnotations: true
+#   allowOverwrite: false
+#   denyNodeFeatureLabels: true
+#   nodeFeatureNamespaceSelector:
+#    matchLabels:
+#      kubernetes.io/metadata.name: "node-feature-discovery"
+#    matchExpressions:
+#      - key: "kubernetes.io/metadata.name"
+#        operator: "In"
+#        values:
+#           - "node-feature-discovery"
 # klog:
 #    addDirHeader: false
 #    alsologtostderr: false

deployment/helm/node-feature-discovery/values.yaml

@@ -29,6 +29,21 @@ master:
     # enableTaints: false
     # labelWhiteList: "foo"
     # resyncPeriod: "2h"
+    # restrictions:
+    #   disableLabels: true
+    #   disableTaints: true
+    #   disableExtendedResources: true
+    #   disableAnnotations: true
+    #   allowOverwrite: false
+    #   denyNodeFeatureLabels: true
+    #   nodeFeatureNamespaceSelector:
+    #    matchLabels:
+    #      kubernetes.io/metadata.name: "node-feature-discovery"
+    #    matchExpressions:
+    #      - key: "kubernetes.io/metadata.name"
+    #        operator: "In"
+    #        values:
+    #           - "node-feature-discovery"
     # klog:
     #    addDirHeader: false
     #    alsologtostderr: false

docs/reference/master-configuration-reference.md

@@ -345,25 +345,24 @@ Default: *empty*
 
 Run-time configurable: yes
 
-
 ## restrictions
 
-The following options specify the restrictions that can be applied by nfd-master
-on the deployed Custom Resources in the cluster.
+The following options specify the restrictions that can be applied by the
+nfd-master on the deployed Custom Resources in the cluster.
 
-### restrictions.allowedNamespaces
+### restrictions.nodeFeatureNamespaceSelector
 
-The `allowedNamespaces` option specifies the NodeFeatures namespaces to watch.
-To select the appropriate namespaces to watch, you can use the `metav1.LabelSelector`
-as a type for this option.
+The `nodeFeatureNamespaceSelector` option specifies the NodeFeatures namespaces
+to watch, which can be selected by using `metav1.LabelSelector` as a type for
+this option.
 
-Default: all namespaces are allowed to be watched.
+Default: all namespaces are selected to be watched.
 
 Example:
 
 ```yaml
 restrictions:
-  allowedNamespaces:
+  nodeFeatureNamespaceSelector:
     matchLabels:
       kubernetes.io/metadata.name: "node-feature-discovery"
     matchExpressions:
@@ -373,66 +372,66 @@ restrictions:
           - "node-feature-discovery"
 ```
 
-### restrictions.maxLabelsPerCR
+### restrictions.disableLabels
 
-The `maxLabelsPerCR` option specifies the maximum number of labels that can
-be generated by a single CustomResource.
+The `disableLabels` option specifies whether to generate labels
+from NodeFeature CR or not.
 
-Default: no limit
+Default: false
 
 Example:
 
 ```yaml
 restrictions:
-  maxLabelsPerCR: 20
+  disableLabels: true
 ```
 
-### restrictions.maxTaintsPerCR
+### restrictions.disableTaints
 
-The `maxTaintsPerCR` option specifies the maximum number of taints that can
-be generated by a single CustomResource.
+The `disableLabels` option specifies whether to generate taints
+from NodeFeature CR or not.
 
-Default: no limit
+Default: false
 
 Example:
 
 ```yaml
 restrictions:
-  maxTaintsPerCR: 10
+  disableTaints: true
 ```
 
-### restrictions.maxExtendedResourcesPerCR
+### restrictions.disableExtendedResources
 
-The `maxExtendedResourcesPerCR` option specifies the maximum number of extended
-resources that can be generated by a single CustomResource.
+The `disableExtendedResources` option specifies whether to generate taints
+from NodeFeature CR or not.
 
-Default: no limit
+Default: false
 
 Example:
 
 ```yaml
 restrictions:
-  maxExtendedResourcesPerCR: 15
+  maxExtendedResourcesPerCR: true
 ```
 
-### restrictions.maxExtendedResourcesPerCR
+### restrictions.disableAnnotations
 
-The `maxExtendedResourcesPerCR` option specifies the maximum number of extended
-resources that can be generated by a single CustomResource.
+The `disableAnnotations` option specifies whether to generate annotations
+from NodeFeature CR or not.
 
-Default: no limit
+Default: false
 
 Example:
 
 ```yaml
 restrictions:
-  maxExtendedResourcesPerCR: 15
+  disableAnnotations: true
 ```
 
-### restrictions.overwriteLabels
+### restrictions.allowOverwrite
 
-The `overwriteLabels` option specifies whether to overwrite existing
-labels, if there's an overlap, or not.
+The `allowOverwrite` option specifies whether to overwrite existing
+labels, annotations, and extended resources if there's an overlap, or not.
 
 Default: true
 

examples/nodefeature.yaml

@@ -4,7 +4,7 @@ apiVersion: nfd.k8s-sigs.io/v1alpha1
 kind: NodeFeature
 metadata:
   labels:
-    nfd.node.kubernetes.io/node-name: nfd-control-plane
+    nfd.node.kubernetes.io/node-name: example-node
   name: example-node
   namespace: node-feature-discovery
 spec:

go.mod

@@ -2,8 +2,6 @@ module sigs.k8s.io/node-feature-discovery
 
 go 1.22.2
 
-toolchain go1.22.0
-
 require (
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/golang/protobuf v1.5.4

pkg/nfd-master/nfd-api-controller.go

@@ -27,6 +27,8 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 
+	k8sclient "k8s.io/client-go/kubernetes"
+	nfdclientset "sigs.k8s.io/node-feature-discovery/api/generated/clientset/versioned"
 	nfdscheme "sigs.k8s.io/node-feature-discovery/api/generated/clientset/versioned/scheme"
 	nfdinformers "sigs.k8s.io/node-feature-discovery/api/generated/informers/externalversions"
 	nfdlisters "sigs.k8s.io/node-feature-discovery/api/generated/listers/nfd/v1alpha1"
@@ -45,12 +47,17 @@ type nfdController struct {
 	updateOneNodeChan              chan string
 	updateAllNodeFeatureGroupsChan chan struct{}
 	updateNodeFeatureGroupChan     chan string
+
+	nodeFeatureNamespaceSelector *metav1.LabelSelector
+	k8sClient                    k8sclient.Interface
 }
 
 type nfdApiControllerOptions struct {
-	DisableNodeFeature      bool
-	DisableNodeFeatureGroup bool
-	ResyncPeriod            time.Duration
+	DisableNodeFeature           bool
+	DisableNodeFeatureGroup      bool
+	ResyncPeriod                 time.Duration
+	K8sClient                    k8sclient.Interface
+	NodeFeatureNamespaceSelector *metav1.LabelSelector
 }
 
 func init() {
@@ -68,6 +75,7 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 		nodeFeatureNamespaceSelector:   nfdApiControllerOptions.NodeFeatureNamespaceSelector,
 	}
 
+	nfdClient := nfdclientset.NewForConfigOrDie(config)
 	klog.V(2).InfoS("initializing new NFD API controller", "options", utils.DelayedDumper(nfdApiControllerOptions))
 
 	informerFactory := nfdinformers.NewSharedInformerFactory(nfdClient, nfdApiControllerOptions.ResyncPeriod)
@@ -82,7 +90,7 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 				if c.isNamespaceSelected(nfr.Namespace) {
 					c.updateOneNode("NodeFeature", nfr)
 				} else {
-					klog.InfoS("NodeFeature not in selected namespace", "namespace", nfr.Namespace, "name", nfr.Name)
+					klog.InfoS("NodeFeature namespace is not selected, skipping", "nodefeature", klog.KObj(nfr))
 				}
 			},
 			UpdateFunc: func(oldObj, newObj interface{}) {
@@ -91,7 +99,7 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 				if c.isNamespaceSelected(nfr.Namespace) {
 					c.updateOneNode("NodeFeature", nfr)
 				} else {
-					klog.InfoS("NodeFeature not in selected namespace", "namespace", nfr.Namespace, "name", nfr.Name)
+					klog.InfoS("NodeFeature namespace is not selected, skipping", "nodefeature", klog.KObj(nfr))
 				}
 			},
 			DeleteFunc: func(obj interface{}) {
@@ -100,7 +108,7 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 				if c.isNamespaceSelected(nfr.Namespace) {
 					c.updateOneNode("NodeFeature", nfr)
 				} else {
-					klog.InfoS("NodeFeature not in selected namespace", "namespace", nfr.Namespace, "name", nfr.Name)
+					klog.InfoS("NodeFeature namespace is not selected, skipping", "nodefeature", klog.KObj(nfr))
 				}
 			},
 		}); err != nil {

pkg/nfd-master/nfd-api-controller_test.go

@@ -21,10 +21,10 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
 	fakeclient "k8s.io/client-go/kubernetes/fake"
-	corev1 "k8s.io/api/core/v1"
+	nfdv1alpha1 "sigs.k8s.io/node-feature-discovery/api/nfd/v1alpha1"
 )
 
 func TestGetNodeNameForObj(t *testing.T) {
@@ -45,7 +45,7 @@ func TestGetNodeNameForObj(t *testing.T) {
 	assert.Equal(t, n, "node-1")
 }
 
-func newTestNamespace(name string) *corev1.Namespace{
+func newTestNamespace(name string) *corev1.Namespace {
 	return &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
@@ -56,7 +56,7 @@ func newTestNamespace(name string) *corev1.Namespace{
 	}
 }
 
-func TestIsNamespaceAllowed(t *testing.T) {
+func TestIsNamespaceSelected(t *testing.T) {
 	fakeCli := fakeclient.NewSimpleClientset(newTestNamespace("fake"))
 	c := &nfdController{
 		k8sClient: fakeCli,
@@ -69,8 +69,8 @@ func TestIsNamespaceAllowed(t *testing.T) {
 		expectedResult               bool
 	}{
 		{
-			name:                         "namespace not allowed",
-			objectNamespace:              "random",
+			name:            "namespace not selected",
+			objectNamespace: "random",
 			nodeFeatureNamespaceSelector: &metav1.LabelSelector{
 				MatchExpressions: []metav1.LabelSelectorRequirement{
 					{
@@ -80,15 +80,15 @@ func TestIsNamespaceAllowed(t *testing.T) {
 					},
 				},
 			},
-			expectedResult:               false,
+			expectedResult: false,
 		},
 		{
-			name:                         "namespace is allowed",
-			objectNamespace:              "fake",
+			name:            "namespace is selected",
+			objectNamespace: "fake",
 			nodeFeatureNamespaceSelector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"name": "fake"},
 			},
-			expectedResult:               false,
+			expectedResult: false,
 		},
 	}