nfd-master: drop the -nrt-namespace cmdline flag

Always create the CR in the namespace we're running in. NFD owns the CR so it should create it in its own namespace rather than messing around in other namespaces. Also makes cleanup less error-prone. Deleting the nfd namespace removes the CRs too, not leaving them abandoned in some random corner of the cluster. Update RBAC rules accordingly as nfd-master doesn't require cluster-wide privileges to NodeResourceTopology objects, anymore.
kubernetes-sigs · Oct 4, 2021 · 54e850f · 54e850f
1 parent d76af7d
commit 54e850f
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 20 deletions.
diff --git a/cmd/nfd-master/main.go b/cmd/nfd-master/main.go
@@ -105,9 +105,6 @@ func initFlags(flagset *flag.FlagSet) *master.Args {
 	flagset.BoolVar(&args.VerifyNodeName, "verify-node-name", false,
 		"Verify worker node name against the worker's TLS certificate. "+
 			"Only takes effect when TLS authentication has been enabled.")
-	flagset.StringVar(&args.NRTNamespace, "nrt-namespace", "default",
-		"Namespace in which Node Resource Topology CR are created"+
-			"Ensure that the namespace specified is already exists.")
 
 	return args
 }
diff --git a/deployment/base/rbac/kustomization.yaml b/deployment/base/rbac/kustomization.yaml
@@ -7,3 +7,5 @@ resources:
 - master-serviceaccount.yaml
 - master-clusterrole.yaml
 - master-clusterrolebinding.yaml
+- master-role.yaml
+- master-rolebinding.yaml
diff --git a/deployment/base/rbac/master-clusterrole.yaml b/deployment/base/rbac/master-clusterrole.yaml
@@ -12,11 +12,3 @@ rules:
   - patch
   - update
   - list
-- apiGroups:
-  - topology.node.k8s.io
-  resources:
-  - noderesourcetopologies
-  verbs:
-  - create
-  - get
-  - update
diff --git a/deployment/base/rbac/master-role.yaml b/deployment/base/rbac/master-role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: nfd-master
+rules:
+- apiGroups:
+  - topology.node.k8s.io
+  resources:
+  - noderesourcetopologies
+  verbs:
+  - create
+  - get
+  - update
+
diff --git a/deployment/base/rbac/master-rolebinding.yaml b/deployment/base/rbac/master-rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: nfd-master
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nfd-master
+subjects:
+- kind: ServiceAccount
+  name: nfd-master
+
diff --git a/deployment/components/common/env.yaml b/deployment/components/common/env.yaml
@@ -5,3 +5,7 @@
       valueFrom:
         fieldRef:
           fieldPath: spec.nodeName
+    - name: KUBERNETES_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
diff --git a/pkg/nfd-master/nfd-master.go b/pkg/nfd-master/nfd-master.go
@@ -94,7 +94,6 @@ type Args struct {
 	Prune          bool
 	VerifyNodeName bool
 	ResourceLabels utils.StringSetVal
-	NRTNamespace   string
 }
 
 type NfdMaster interface {
@@ -106,6 +105,7 @@ type NfdMaster interface {
 type nfdMaster struct {
 	args         Args
 	nodeName     string
+	namespace    string
 	annotationNs string
 	server       *grpc.Server
 	stop         chan struct{}
@@ -116,9 +116,10 @@ type nfdMaster struct {
 // Create new NfdMaster server instance.
 func NewNfdMaster(args *Args) (NfdMaster, error) {
 	nfd := &nfdMaster{args: *args,
-		nodeName: os.Getenv("NODE_NAME"),
-		ready:    make(chan bool, 1),
-		stop:     make(chan struct{}, 1),
+		nodeName:  os.Getenv("NODE_NAME"),
+		namespace: os.Getenv("KUBERNETES_NAMESPACE"),
+		ready:     make(chan bool, 1),
+		stop:      make(chan struct{}, 1),
 	}
 
 	if args.Instance == "" {
@@ -447,7 +448,7 @@ func (m *nfdMaster) UpdateNodeTopology(c context.Context, r *topologypb.NodeTopo
 		klog.Infof("received CR updation request for node %q", r.NodeName)
 	}
 	if !m.args.NoPublish {
-		err := m.updateCR(r.NodeName, r.TopologyPolicies, r.Zones, m.args.NRTNamespace)
+		err := m.updateCR(r.NodeName, r.TopologyPolicies, r.Zones)
 		if err != nil {
 			klog.Errorf("failed to advertise NodeResourceTopology: %w", err)
 			return &topologypb.NodeTopologyResponse{}, err
@@ -642,15 +643,15 @@ func modifyCR(topoUpdaterZones []*v1alpha1.Zone) []v1alpha1.Zone {
 	return zones
 }
 
-func (m *nfdMaster) updateCR(hostname string, tmpolicy []string, topoUpdaterZones []*v1alpha1.Zone, namespace string) error {
+func (m *nfdMaster) updateCR(hostname string, tmpolicy []string, topoUpdaterZones []*v1alpha1.Zone) error {
 	cli, err := m.apihelper.GetTopologyClient()
 	if err != nil {
 		return err
 	}
 
 	zones := modifyCR(topoUpdaterZones)
 
-	nrt, err := cli.TopologyV1alpha1().NodeResourceTopologies(namespace).Get(context.TODO(), hostname, metav1.GetOptions{})
+	nrt, err := cli.TopologyV1alpha1().NodeResourceTopologies(m.namespace).Get(context.TODO(), hostname, metav1.GetOptions{})
 	if errors.IsNotFound(err) {
 		nrtNew := v1alpha1.NodeResourceTopology{
 			ObjectMeta: metav1.ObjectMeta{
@@ -660,7 +661,7 @@ func (m *nfdMaster) updateCR(hostname string, tmpolicy []string, topoUpdaterZone
 			TopologyPolicies: tmpolicy,
 		}
 
-		_, err := cli.TopologyV1alpha1().NodeResourceTopologies(namespace).Create(context.TODO(), &nrtNew, metav1.CreateOptions{})
+		_, err := cli.TopologyV1alpha1().NodeResourceTopologies(m.namespace).Create(context.TODO(), &nrtNew, metav1.CreateOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to create v1alpha1.NodeResourceTopology!:%w", err)
 		}
@@ -672,7 +673,7 @@ func (m *nfdMaster) updateCR(hostname string, tmpolicy []string, topoUpdaterZone
 	nrtMutated := nrt.DeepCopy()
 	nrtMutated.Zones = zones
 
-	nrtUpdated, err := cli.TopologyV1alpha1().NodeResourceTopologies(namespace).Update(context.TODO(), nrtMutated, metav1.UpdateOptions{})
+	nrtUpdated, err := cli.TopologyV1alpha1().NodeResourceTopologies(m.namespace).Update(context.TODO(), nrtMutated, metav1.UpdateOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to update v1alpha1.NodeResourceTopology!:%w", err)
 	}