Merge pull request #1191 from dixudx/add_namespaceSelector_for_initia…

…lizer Automatic merge from submit-queue. add NamespaceSelector to select namespaces for Initializers issue kubernetes/kubernetes#51290, kubernetes/kubernetes#53859 xref PR kubernetes/kubernetes#53879 /cc @ahmetb @gyliu513 @liggitt @smarterclayton @caesarxuchao
kubernetes · Dec 1, 2021 · 988431a · 988431a
2 parents 4a77a5d + 5481ee1
commit 988431a
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/api-machinery/dynamic-admission-control-configuration.md b/api-machinery/dynamic-admission-control-configuration.md
@@ -24,6 +24,8 @@ default admission controls. This document hashes out the implementation details.
 * Do not block the entire cluster if the initializers/webhooks are not ready
   after registration.
 
+* Admin can enforce initializers to specific namespaces.
+
 ## Specification
 
 We assume initializers could be "fail open". We need to update the extensible
@@ -73,6 +75,13 @@ type Initializer struct {
     // if the timeout is reached. The default timeout for each initializer is
     // 5s.
     FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty"`
+
+    // Selects Namespaces using cluster scoped-labels. This
+    // matches all pods in all namespaces selected by this label selector.
+    // This field follows standard label selector semantics.
+    // If present but empty, this selector selects all namespaces.
+    // +optional
+    NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 }
 
 // Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended 
@@ -273,6 +282,23 @@ crashes, so it is rare.
 
 See [Considered but REJECTED alternatives](#considered-but-rejected-alternatives) for considered alternatives.
 
+## Enforce initializers to specific namespaces
+
+Current `InitializerConfiguration` is at the cluster level and all of the to-be-created resources (such as rc and deployments) defined in `Rules`
+will be appended with the pending initializers automatically during creation, regardless of the namespace.
+There is no way to only apply the initializers to specific namespaces.
+
+For example, when running a multi-tenant cluster, it'd be quite useful to only apply the rules in just certain namespaces. Sometimes we
+don't want to enforce in "kube-*" related namespaces as well.
+
+With the help of `NamespaceSelector`, we can
+
+* Apply initializer to ALL namespaces (by default);
+* Apply initializer to limited namespaces using label selector;
+
+Since most users won't add extra labels for namespaces explicitly when creating new resources, the selector matching should only be applied to
+`labels.Set(map[string]string{"namespace": namespace})` instead of widely-used `metadata.Labels`.
+
 ## Future work
 
 1. Figuring out a better schema to represent the order among