Introduce servicelb-namespace parameter

This parameter controls which namespace the klipper-lb pods will be create. It defaults to kube-system so that k3s does not by default create a new namespace. It can be changed if users wish to isolate the pods and apply some policy to them. Signed-off-by: Darren Shepherd <darren@acorn.io>
2024-06-07 19:41:36 +00:00 · 2022-06-09 09:29:51 -07:00 · 2022-06-09 09:29:51 -07:00 · e6009b1edf
commit e6009b1edf
parent f4cc1b8788
5 changed files with 59 additions and 50 deletions
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@ -101,6 +101,7 @@ type Server struct {
 	EtcdS3Folder             string
 	EtcdS3Timeout            time.Duration
 	EtcdS3Insecure           bool
+	ServiceLBNamespace       string
 }

 var (
@ -221,6 +222,12 @@ var ServerFlags = []cli.Flag{
 		Destination: &ServerConfig.EgressSelectorMode,
 		Value:       "agent",
 	},
+	cli.StringFlag{
+		Name:        "servicelb-namespace",
+		Usage:       "(networking) Namespace of the pods for the servicelb component",
+		Destination: &ServerConfig.ServiceLBNamespace,
+		Value:       "kube-system",
+	},
 	ServerToken,
 	cli.StringFlag{
 		Name:        "token-file",
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@ -115,6 +115,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	serverConfig.ControlConfig.KubeConfigOutput = cfg.KubeConfigOutput
 	serverConfig.ControlConfig.KubeConfigMode = cfg.KubeConfigMode
 	serverConfig.Rootless = cfg.Rootless
+	serverConfig.ServiceLBNamespace = cfg.ServiceLBNamespace
 	serverConfig.ControlConfig.SANs = cfg.TLSSan
 	serverConfig.ControlConfig.BindAddress = cfg.BindAddress
 	serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@ -212,6 +212,7 @@ func coreControllers(ctx context.Context, sc *Context, config *Config) error {
 		sc.Core.Core().V1().Pod(),
 		sc.Core.Core().V1().Service(),
 		sc.Core.Core().V1().Endpoints(),
+		config.ServiceLBNamespace,
 		!config.DisableServiceLB,
 		config.Rootless); err != nil {
 		return err
--- a/pkg/server/types.go
+++ b/pkg/server/types.go
@ -8,14 +8,15 @@ import (
 )

 type Config struct {
-	DisableAgent      bool
-	DisableServiceLB  bool
-	ControlConfig     config.Control
-	Rootless          bool
-	SupervisorPort    int
-	StartupHooks      []cmds.StartupHook
-	LeaderControllers CustomControllers
-	Controllers       CustomControllers
+	DisableAgent       bool
+	DisableServiceLB   bool
+	ControlConfig      config.Control
+	Rootless           bool
+	ServiceLBNamespace string
+	SupervisorPort     int
+	StartupHooks       []cmds.StartupHook
+	LeaderControllers  CustomControllers
+	Controllers        CustomControllers
 }

 type CustomControllers []func(ctx context.Context, sc *Context) error
--- a/pkg/servicelb/controller.go
+++ b/pkg/servicelb/controller.go
@ -42,13 +42,8 @@ var (
 )

 const (
-	Ready            = condition.Cond("Ready")
-	ControllerName   = "svccontroller"
-	KlipperNamespace = "klipper-lb-system"
-)
-
-var (
-	trueVal = true
+	Ready          = condition.Cond("Ready")
+	ControllerName = "svccontroller"
 )

 func Register(ctx context.Context,
@ -60,19 +55,21 @@ func Register(ctx context.Context,
 	pods coreclient.PodController,
 	services coreclient.ServiceController,
 	endpoints coreclient.EndpointsController,
+	klipperLBNamespace string,
 	enabled, rootless bool) error {
 	h := &handler{
-		rootless:        rootless,
-		enabled:         enabled,
-		nodeCache:       nodes.Cache(),
-		podCache:        pods.Cache(),
-		deploymentCache: deployments.Cache(),
-		processor:       apply.WithSetID(ControllerName).WithCacheTypes(daemonSetController),
-		serviceCache:    services.Cache(),
-		services:        kubernetes.CoreV1(),
-		daemonsets:      kubernetes.AppsV1(),
-		deployments:     kubernetes.AppsV1(),
-		recorder:        util.BuildControllerEventRecorder(kubernetes, ControllerName, meta.NamespaceAll),
+		rootless:           rootless,
+		enabled:            enabled,
+		klipperLBNamespace: klipperLBNamespace,
+		nodeCache:          nodes.Cache(),
+		podCache:           pods.Cache(),
+		deploymentCache:    deployments.Cache(),
+		processor:          apply.WithSetID(ControllerName).WithCacheTypes(daemonSetController),
+		serviceCache:       services.Cache(),
+		services:           kubernetes.CoreV1(),
+		daemonsets:         kubernetes.AppsV1(),
+		deployments:        kubernetes.AppsV1(),
+		recorder:           util.BuildControllerEventRecorder(kubernetes, ControllerName, meta.NamespaceAll),
 	}

 	services.OnChange(ctx, ControllerName, h.onChangeService)
@ -83,39 +80,41 @@ func Register(ctx context.Context,
 		pods,
 		endpoints)

-	return createOrDeleteKlipperNamespace(ctx, enabled, kubernetes)
+	if enabled {
+		if err := createServiceLBNamespace(ctx, h.klipperLBNamespace, kubernetes); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

 type handler struct {
-	rootless        bool
-	enabled         bool
-	nodeCache       coreclient.NodeCache
-	podCache        coreclient.PodCache
-	deploymentCache appclient.DeploymentCache
-	processor       apply.Apply
-	serviceCache    coreclient.ServiceCache
-	services        coregetter.ServicesGetter
-	daemonsets      v1getter.DaemonSetsGetter
-	deployments     v1getter.DeploymentsGetter
-	recorder        record.EventRecorder
+	rootless           bool
+	klipperLBNamespace string
+	enabled            bool
+	nodeCache          coreclient.NodeCache
+	podCache           coreclient.PodCache
+	deploymentCache    appclient.DeploymentCache
+	processor          apply.Apply
+	serviceCache       coreclient.ServiceCache
+	services           coregetter.ServicesGetter
+	daemonsets         v1getter.DaemonSetsGetter
+	deployments        v1getter.DeploymentsGetter
+	recorder           record.EventRecorder
 }

-func createOrDeleteKlipperNamespace(ctx context.Context, enabled bool, k8s kubernetes.Interface) error {
-	_, err := k8s.CoreV1().Namespaces().Get(ctx, KlipperNamespace, meta.GetOptions{})
-	if !apierrors.IsNotFound(err) {
-		return err
-	}
-
-	if enabled {
+func createServiceLBNamespace(ctx context.Context, ns string, k8s kubernetes.Interface) error {
+	_, err := k8s.CoreV1().Namespaces().Get(ctx, ns, meta.GetOptions{})
+	if apierrors.IsNotFound(err) {
 		_, err := k8s.CoreV1().Namespaces().Create(ctx, &core.Namespace{
 			ObjectMeta: meta.ObjectMeta{
-				Name: KlipperNamespace,
+				Name: ns,
 			},
 		}, meta.CreateOptions{})
 		return err
 	}
-
-	return k8s.CoreV1().Namespaces().Delete(ctx, KlipperNamespace, meta.DeleteOptions{})
+	return err
 }

 func (h *handler) onResourceChange(name, namespace string, obj runtime.Object) ([]relatedresource.Key, error) {
@ -194,7 +193,7 @@ func (h *handler) updateService(svc *core.Service) (runtime.Object, error) {
 		return svc, nil
 	}

-	pods, err := h.podCache.List(KlipperNamespace, labels.SelectorFromSet(map[string]string{
+	pods, err := h.podCache.List(h.klipperLBNamespace, labels.SelectorFromSet(map[string]string{
 		svcNameLabel:      svc.Name,
 		svcNamespaceLabel: svc.Namespace,
 	}))
@ -388,7 +387,7 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 	ds := &apps.DaemonSet{
 		ObjectMeta: meta.ObjectMeta{
 			Name:      name,
-			Namespace: KlipperNamespace,
+			Namespace: h.klipperLBNamespace,
 			Labels: map[string]string{
 				nodeSelectorLabel: "false",
 			},