Some comments are added.

cmd/advertisement-operator/main.go

@@ -69,10 +69,8 @@ func init() {
 	_ = netv1alpha1.AddToScheme(scheme)
 	_ = discoveryv1alpha1.AddToScheme(scheme)
 
-
 	_ = capsulev1alpha1.AddToScheme(scheme)
 
-
 	_ = offloadingv1alpha1.AddToScheme(scheme)
 
 	_ = virtualkubeletv1alpha1.AddToScheme(scheme)

deployments/liqo/files/liqo-virtual-node-controller-ClusterRole.yaml

@@ -7,14 +7,6 @@ rules:
   - get
   - patch
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - nodes/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - discovery.liqo.io
   resources:

pkg/liqo-controller-manager/namespaceMap-controller/create_remote_clients.go

@@ -59,7 +59,7 @@ func (r *NamespaceMapReconciler) checkRemoteClientPresence(ctx context.Context,
 		// Only remote namespace needed to be cached.
 		scheme := runtime.NewScheme()
 		_ = corev1.AddToScheme(scheme)
-		if r.RemoteClients[remoteClusterID], err = cachedclient.GetCachedClient(ctx, restConfig, scheme); err != nil {
+		if r.RemoteClients[remoteClusterID], err = cachedclient.GetCachedClient(ctx, scheme, restConfig); err != nil {
 			klog.Errorf("unable to create client for cluster '%s'", remoteClusterID)
 			return err
 		}

pkg/liqo-controller-manager/namespaceMap-controller/namespacemap_controller.go

@@ -89,7 +89,7 @@ func (r *NamespaceMapReconciler) Reconcile(ctx context.Context, req ctrl.Request
 func manageDesiredMappings() predicate.Predicate {
 	return predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {
-			// If the NamespaceMap is deleted and has my finalizer.
+			// If the NamespaceMap is deleted and has the NamespaceMapControllerFinalizer.
 			if !e.ObjectNew.GetDeletionTimestamp().IsZero() &&
 				ctrlutils.ContainsFinalizer(e.ObjectNew, namespaceMapControllerFinalizer) {
 				return true

pkg/liqo-controller-manager/namespaceOffloading-controller/namespaceoffloading_lifecycle.go

@@ -27,9 +27,9 @@ func (r *NamespaceOffloadingReconciler) deletionLogic(ctx context.Context,
 	}
 	// 3 - check if all remote namespaces associated with this NamespaceOffloading resource are really deleted.
 	if len(noff.Status.RemoteNamespacesConditions) != 0 {
-		log := fmt.Errorf("waiting for remote namespaces deletion")
-		klog.Info(log)
-		return log
+		err := fmt.Errorf("waiting for remote namespaces deletion")
+		klog.Info(err)
+		return err
 	}
 	// 4 - remove NamespaceOffloading controller finalizer; all remote namespaces associated with this resource
 	// have been deleted.
@@ -48,7 +48,10 @@ func (r *NamespaceOffloadingReconciler) initialConfiguration(ctx context.Context
 	patch := noff.DeepCopy()
 	// 1 - Add NamespaceOffloadingController Finalizer.
 	ctrlutils.AddFinalizer(noff, namespaceOffloadingControllerFinalizer)
-	// 2 - Add empty cluster selector if not specified by the user.
+	// 2 - Add the default ClusterSelector if not specified by the user. The default cluster selector allows creating
+	// remote namespaces on all remote clusters.
+	// The Namespace Offloading resource must always have the ClusterSelector field to correctly enforce
+	// the security policies in the liqo webhook.
 	if noff.Spec.ClusterSelector.Size() == 0 {
 		noff.Spec.ClusterSelector = corev1.NodeSelector{NodeSelectorTerms: []corev1.NodeSelectorTerm{
 			{

pkg/liqo-controller-manager/virtualNode-controller/namespaceMap_creation.go

@@ -19,10 +19,10 @@ import (
 func (r *VirtualNodeReconciler) createNamespaceMap(ctx context.Context, n *corev1.Node) error {
 	nm := &mapsv1alpha1.NamespaceMap{
 		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: fmt.Sprintf("%s-", n.GetAnnotations()[liqoconst.RemoteClusterID]),
-			Namespace:    r.TechnicalNamespacesNames[n.GetAnnotations()[liqoconst.RemoteClusterID]],
+			GenerateName: fmt.Sprintf("%s-", n.Annotations[liqoconst.RemoteClusterID]),
+			Namespace:    r.getLocalTechnicalNamespaceName(n.Annotations[liqoconst.RemoteClusterID]),
 			Labels: map[string]string{
-				liqoconst.RemoteClusterID: n.GetAnnotations()[liqoconst.RemoteClusterID],
+				liqoconst.RemoteClusterID: n.Annotations[liqoconst.RemoteClusterID],
 			},
 		},
 	}
@@ -41,14 +41,14 @@ func (r *VirtualNodeReconciler) createNamespaceMap(ctx context.Context, n *corev
 
 // ensureNamespaceMapPresence creates a new NamespaceMap associated with that virtual-node if it is not already present.
 func (r *VirtualNodeReconciler) ensureNamespaceMapPresence(ctx context.Context, n *corev1.Node) error {
-	// Only when the NamespaceMap is created for the first time it is necessary to check the presence of the
-	// Technical namespace name.
-	if err := r.checkTechnicalNamespaceNamePresence(ctx, n.GetAnnotations()[liqoconst.RemoteClusterID]); err != nil {
+	// Only when the NamespaceMap is created for the first time it is necessary to check the presence of the local
+	// Technical namespace's name.
+	if err := r.checkLocalTechnicalNamespaceNamePresence(ctx, n.Annotations[liqoconst.RemoteClusterID]); err != nil {
 		return err
 	}
 	nms := &mapsv1alpha1.NamespaceMapList{}
-	if err := r.List(ctx, nms, client.InNamespace(r.TechnicalNamespacesNames[n.GetAnnotations()[liqoconst.RemoteClusterID]]),
-		client.MatchingLabels{liqoconst.RemoteClusterID: n.GetAnnotations()[liqoconst.RemoteClusterID]}); err != nil {
+	if err := r.List(ctx, nms, client.InNamespace(r.getLocalTechnicalNamespaceName(n.Annotations[liqoconst.RemoteClusterID])),
+		client.MatchingLabels{liqoconst.RemoteClusterID: n.Annotations[liqoconst.RemoteClusterID]}); err != nil {
 		klog.Errorf("%s --> Unable to List NamespaceMaps of the virtual-node '%s'", err, n.GetName())
 		return err
 	}
@@ -60,14 +60,14 @@ func (r *VirtualNodeReconciler) ensureNamespaceMapPresence(ctx context.Context,
 	return nil
 }
 
-// checkTechnicalNamespaceNamePresence checks if the technical namespace name for that peering
-// is already present in the map r.TechnicalNamespacesNames.
-func (r *VirtualNodeReconciler) checkTechnicalNamespaceNamePresence(ctx context.Context, remoteClusterID string) error {
-	if r.TechnicalNamespacesNames == nil {
-		r.TechnicalNamespacesNames = map[string]string{}
+// checkLocalTechnicalNamespaceNamePresence checks if the local technical namespace's name for the cluster with
+// `remoteClusterID` clusterID is already present in the map r.LocalTechnicalNamespacesNames.
+func (r *VirtualNodeReconciler) checkLocalTechnicalNamespaceNamePresence(ctx context.Context, remoteClusterID string) error {
+	if r.LocalTechnicalNamespacesNames == nil {
+		r.LocalTechnicalNamespacesNames = map[string]string{}
 	}
 
-	if _, ok := r.TechnicalNamespacesNames[remoteClusterID]; !ok {
+	if _, ok := r.LocalTechnicalNamespacesNames[remoteClusterID]; !ok {
 		fc, err := foreignclusterutils.GetForeignClusterByID(ctx, r.Client, remoteClusterID)
 		if err != nil {
 			return err
@@ -80,9 +80,15 @@ func (r *VirtualNodeReconciler) checkTechnicalNamespaceNamePresence(ctx context.
 			return err
 		}
 
-		r.TechnicalNamespacesNames[remoteClusterID] = fc.Status.TenantControlNamespace.Local
+		r.LocalTechnicalNamespacesNames[remoteClusterID] = fc.Status.TenantControlNamespace.Local
 		klog.Infof("The Technical namespace '%s' associated with the peering with the remote cluster '%s' is added to the Map",
 			fc.Status.TenantControlNamespace.Local, remoteClusterID)
 	}
 	return nil
 }
+
+// getLocalTechnicalNamespaceName provides the name of the local technical namespace, given the remoteClusterID
+// associated with a peering.
+func (r *VirtualNodeReconciler) getLocalTechnicalNamespaceName(remoteClusterID string) string {
+	return r.LocalTechnicalNamespacesNames[remoteClusterID]
+}

pkg/liqo-controller-manager/virtualNode-controller/virtualnode_controller.go

@@ -42,17 +42,14 @@ type VirtualNodeReconciler struct {
 	client.Client
 	Scheme *runtime.Scheme
 	// key = clusterID, value = technicalNamesapceName
-	TechnicalNamespacesNames map[string]string
+	LocalTechnicalNamespacesNames map[string]string
 }
 
 // cluster-role
 // +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;watch;patch
 // +kubebuilder:rbac:groups=virtualKubelet.liqo.io,resources=namespacemaps,verbs=list;watch;delete;create
 // +kubebuilder:rbac:groups=discovery.liqo.io,resources=foreignclusters,verbs=get;list;watch
 
-// todo: servono privilegi apposta per lo stato ?
-// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=get;update;patch
-
 // Reconcile manage NamespaceMaps associated with the virtual-node.
 func (r *VirtualNodeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	virtualNode := &corev1.Node{}
@@ -105,6 +102,10 @@ func filterVirtualNodes() predicate.Predicate {
 		DeleteFunc: func(e event.DeleteEvent) bool {
 			// It is necessary to monitor also the deletion of the NamespaceMap.
 			value, ok := (e.Object.GetLabels())[liqoconst.TypeLabel]
+			// This controller watches the deletion of two kind of resources: virtual-nodes and
+			// NamespaceMaps associated with corresponding virtual-nodes.
+			// If the object has the label 'liqoconst.TypeLabel' with value 'liqoconst.TypeNode' it is a virtual-node,
+			// while if the object has no namespace it is a NamespaceMap.
 			return (ok && value == liqoconst.TypeNode) || e.Object.GetNamespace() != ""
 		},
 	}

pkg/liqo-controller-manager/virtualNode-controller/virtualnode_deletion_logic.go

@@ -19,14 +19,15 @@ func (r *VirtualNodeReconciler) removeAssociatedNamespaceMaps(ctx context.Contex
 	// The deletion timestamp is automatically set on the NamespaceMaps associated with the virtual-node,
 	// it's only necessary to wait until the NamespaceMaps are deleted.
 	namespaceMapList := &mapsv1alpha1.NamespaceMapList{}
-	if err := r.List(context.TODO(), namespaceMapList, client.InNamespace(r.TechnicalNamespacesNames[n.GetAnnotations()[liqoconst.RemoteClusterID]]),
+	if err := r.List(context.TODO(), namespaceMapList,
+		client.InNamespace(r.LocalTechnicalNamespacesNames[n.GetAnnotations()[liqoconst.RemoteClusterID]]),
 		client.MatchingLabels{liqoconst.RemoteClusterID: n.GetAnnotations()[liqoconst.RemoteClusterID]}); err != nil {
 		klog.Errorf("%s --> Unable to List NamespaceMaps of virtual virtualNode '%s'", err, n.GetName())
 		return err
 	}
 
 	if len(namespaceMapList.Items) == 0 {
-		delete(r.TechnicalNamespacesNames, n.GetAnnotations()[liqoconst.RemoteClusterID])
+		delete(r.LocalTechnicalNamespacesNames, n.GetAnnotations()[liqoconst.RemoteClusterID])
 		return r.removeVirtualNodeFinalizer(ctx, n)
 	}
 

pkg/mapperUtils/mapper.go

@@ -72,7 +72,6 @@ func addDefaults(dClient *discovery.DiscoveryClient, mapper *meta.DefaultRESTMap
 		return err
 	}
 
-
 	// Capsule groups
 	if err = addGroup(dClient, capsulev1alpha1.GroupVersion, mapper); err != nil {
 		return err

pkg/mutate/server.go

@@ -39,7 +39,7 @@ func NewMutationServer(ctx context.Context, c *MutationConfig) (*MutationServer,
 	_ = offv1alpha1.AddToScheme(scheme)
 
 	var err error
-	if s.webhookClient, err = cachedclient.GetCachedClient(ctx, nil, scheme); err != nil {
+	if s.webhookClient, err = cachedclient.GetCachedClient(ctx, scheme, nil); err != nil {
 		return nil, err
 	}
 

pkg/utils/cachedClient/get_cached_client.go

@@ -18,7 +18,7 @@ import (
 
 // GetCachedClient returns a controller runtime client with the cache initialized only for the resources added to
 // the scheme.
-func GetCachedClient(ctx context.Context, conf *rest.Config, scheme *runtime.Scheme) (client.Client, error) {
+func GetCachedClient(ctx context.Context, scheme *runtime.Scheme, conf *rest.Config) (client.Client, error) {
 	if conf == nil {
 		conf = ctrl.GetConfigOrDie()
 		if conf == nil {