Ensuring EndpointSlice controller does not start when feature gate or API are disabled

cmd/kube-apiserver/app/options/options.go

@@ -142,7 +142,7 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
 	s.Authentication.AddFlags(fss.FlagSet("authentication"))
 	s.Authorization.AddFlags(fss.FlagSet("authorization"))
 	s.CloudProvider.AddFlags(fss.FlagSet("cloud provider"))
-	s.APIEnablement.AddFlags(fss.FlagSet("api enablement"))
+	s.APIEnablement.AddFlags(fss.FlagSet("API enablement"))
 	s.EgressSelector.AddFlags(fss.FlagSet("egress selector"))
 	s.Admission.AddFlags(fss.FlagSet("admission"))
 

cmd/kube-controller-manager/app/BUILD

@@ -109,6 +109,7 @@ go_library(
         "//pkg/volume/util:go_default_library",
         "//pkg/volume/vsphere_volume:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/api/discovery/v1beta1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",

cmd/kube-controller-manager/app/discovery.go

@@ -23,10 +23,24 @@ package app
 import (
 	"net/http"
 
+	discoveryv1beta1 "k8s.io/api/discovery/v1beta1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/klog"
 	endpointslicecontroller "k8s.io/kubernetes/pkg/controller/endpointslice"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 func startEndpointSliceController(ctx ControllerContext) (http.Handler, bool, error) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.EndpointSlice) {
+		klog.V(4).Infof("Not starting endpointslice-controller since EndpointSlice feature gate is disabled")
+		return nil, false, nil
+	}
+
+	if !ctx.AvailableResources[discoveryv1beta1.SchemeGroupVersion.WithResource("endpointslices")] {
+		klog.Warningf("Not starting endpointslice-controller since discovery.k8s.io/v1beta1 resources are not available")
+		return nil, false, nil
+	}
+
 	go endpointslicecontroller.NewController(
 		ctx.InformerFactory.Core().V1().Pods(),
 		ctx.InformerFactory.Core().V1().Services(),

go.mod

@@ -54,6 +54,7 @@ require (
 	github.com/evanphx/json-patch v4.2.0+incompatible
 	github.com/fsnotify/fsnotify v1.4.7
 	github.com/go-bindata/go-bindata v3.1.1+incompatible
+	github.com/go-openapi/analysis v0.19.2
 	github.com/go-openapi/loads v0.19.2
 	github.com/go-openapi/spec v0.19.2
 	github.com/go-openapi/strfmt v0.19.0
@@ -488,10 +489,10 @@ replace (
 	golang.org/x/oauth2 => golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	golang.org/x/perf => golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852
 	golang.org/x/sync => golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
-	golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a
+	golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // pinned to release-branch.go1.13
 	golang.org/x/text => golang.org/x/text v0.3.2
 	golang.org/x/time => golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
-	golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7
+	golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // pinned to release-branch.go1.13
 	golang.org/x/xerrors => golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
 	gonum.org/v1/gonum => gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485
 	gonum.org/v1/netlib => gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e

hack/.staticcheck_failures

@@ -3,7 +3,6 @@ cluster/images/etcd/migrate
 cmd/kube-controller-manager/app
 cmd/kube-proxy/app
 cmd/linkcheck
-pkg/client/tests
 pkg/controller/daemon
 pkg/controller/deployment
 pkg/controller/disruption
@@ -15,7 +14,6 @@ pkg/controller/podgc
 pkg/controller/replicaset
 pkg/controller/resourcequota
 pkg/controller/statefulset
-pkg/kubeapiserver/admission
 pkg/kubelet/apis/podresources
 pkg/kubelet/cm/devicemanager
 pkg/kubelet/pluginmanager/operationexecutor

pkg/apis/flowcontrol/types.go

@@ -26,8 +26,9 @@ const (
 	ResourceAll    = "*"
 	VerbAll        = "*"
 	NonResourceAll = "*"
+	NameAll        = "*"
 
-	NameAll = "*"
+	NamespaceEvery = "*" // matches every particular namespace
 )
 
 // System preset priority level names
@@ -210,28 +211,53 @@ type ServiceAccountSubject struct {
 	Name string
 }
 
-// ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target
-// resource. A ResourcePolicyRule matches a request if and only if: (a) at least one member
-// of verbs matches the request, (b) at least one member of apiGroups matches the request, and (c) at least one member
-// of resources matches the request.
+// ResourcePolicyRule is a predicate that matches some resource
+// requests, testing the request's verb and the target resource. A
+// ResourcePolicyRule matches a resource request if and only if: (a)
+// at least one member of verbs matches the request, (b) at least one
+// member of apiGroups matches the request, (c) at least one member of
+// resources matches the request, and (d) least one member of
+// namespaces matches the request.
 type ResourcePolicyRule struct {
 	// `verbs` is a list of matching verbs and may not be empty.
-	// "*" matches all verbs. if it is present, it must be the only entry.
+	// "*" matches all verbs and, if present, must be the only entry.
 	// +listType=set
 	// Required.
 	Verbs []string
+
 	// `apiGroups` is a list of matching API groups and may not be empty.
-	// "*" matches all api-groups. if it is present, it must be the only entry.
+	// "*" matches all API groups and, if present, must be the only entry.
 	// +listType=set
 	// Required.
 	APIGroups []string
-	// `resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource.
-	// For example, [ "services", "nodes/status" ].
-	// This list may not be empty.
-	// "*" matches all resources. if it is present, it must be the only entry.
-	// +listType=set
+
+	// `resources` is a list of matching resources (i.e., lowercase
+	// and plural) with, if desired, subresource.  For example, [
+	// "services", "nodes/status" ].  This list may not be empty.
+	// "*" matches all resources and, if present, must be the only entry.
 	// Required.
+	// +listType=set
 	Resources []string
+
+	// `clusterScope` indicates whether to match requests that do not
+	// specify a namespace (which happens either because the resource
+	// is not namespaced or the request targets all namespaces).
+	// If this field is omitted or false then the `namespaces` field
+	// must contain a non-empty list.
+	// +optional
+	ClusterScope bool
+
+	// `namespaces` is a list of target namespaces that restricts
+	// matches.  A request that specifies a target namespace matches
+	// only if either (a) this list contains that target namespace or
+	// (b) this list contains "*".  Note that "*" matches any
+	// specified namespace but does not match a request that _does
+	// not specify_ a namespace (see the `clusterScope` field for
+	// that).
+	// This list may be empty, but only if `clusterScope` is true.
+	// +optional
+	// +listType=set
+	Namespaces []string
 }
 
 // NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the

pkg/apis/flowcontrol/validation/validation.go

@@ -245,9 +245,25 @@ func ValidateFlowSchemaResourcePolicyRule(rule *flowcontrol.ResourcePolicyRule,
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("resources"), rule.Resources, "if '*' is present, must not specify other resources"))
 	}
 
+	if len(rule.Namespaces) == 0 && !rule.ClusterScope {
+		allErrs = append(allErrs, field.Required(fldPath.Child("namespaces"), "resource rules that are not cluster scoped must supply at least one namespace"))
+	} else if hasWildcard(rule.Namespaces) {
+		if len(rule.Namespaces) > 1 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces"), rule.Namespaces, "if '*' is present, must not specify other namespaces"))
+		}
+	} else {
+		for idx, tgtNS := range rule.Namespaces {
+			for _, msg := range apimachineryvalidation.ValidateNamespaceName(tgtNS, false) {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces").Index(idx), tgtNS, nsErrIntro+msg))
+			}
+		}
+	}
+
 	return allErrs
 }
 
+const nsErrIntro = "each member of this list must be '*' or a DNS-1123 label; "
+
 // ValidateFlowSchemaStatus validates status for the flow-schema.
 func ValidateFlowSchemaStatus(status *flowcontrol.FlowSchemaStatus, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
@@ -424,8 +440,12 @@ func ValidateNonResourceURLPath(path string, fldPath *field.Path) *field.Error {
 }
 
 func hasWildcard(operations []string) bool {
-	for _, o := range operations {
-		if o == "*" {
+	return memberInList("*", operations...)
+}
+
+func memberInList(seek string, a ...string) bool {
+	for _, ai := range a {
+		if ai == seek {
 			return true
 		}
 	}