Introduce servicelb-namespace parameter

This parameter controls which namespace the klipper-lb pods will be create. It defaults to kube-system so that k3s does not by default create a new namespace. It can be changed if users wish to isolate the pods and apply some policy to them. Signed-off-by: Darren Shepherd <darren@acorn.io>
2024-06-07 19:41:36 +00:00 · 2022-06-09 09:29:51 -07:00 · 2022-06-09 09:29:51 -07:00 · e6009b1edf
commit e6009b1edf
parent f4cc1b8788
5 changed files with 59 additions and 50 deletions
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@ -101,6 +101,7 @@ type Server struct {
 	EtcdS3Folder             string
 	EtcdS3Timeout            time.Duration
 	EtcdS3Insecure           bool
+	ServiceLBNamespace       string
 }

 var (
@ -221,6 +222,12 @@ var ServerFlags = []cli.Flag{
 		Destination: &ServerConfig.EgressSelectorMode,
 		Value:       "agent",
 	},
+	cli.StringFlag{
+		Name:        "servicelb-namespace",
+		Usage:       "(networking) Namespace of the pods for the servicelb component",
+		Destination: &ServerConfig.ServiceLBNamespace,
+		Value:       "kube-system",
+	},
 	ServerToken,
 	cli.StringFlag{
 		Name:        "token-file",
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@ -115,6 +115,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	serverConfig.ControlConfig.KubeConfigOutput = cfg.KubeConfigOutput
 	serverConfig.ControlConfig.KubeConfigMode = cfg.KubeConfigMode
 	serverConfig.Rootless = cfg.Rootless
+	serverConfig.ServiceLBNamespace = cfg.ServiceLBNamespace
 	serverConfig.ControlConfig.SANs = cfg.TLSSan
 	serverConfig.ControlConfig.BindAddress = cfg.BindAddress
 	serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@ -212,6 +212,7 @@ func coreControllers(ctx context.Context, sc *Context, config *Config) error {
 		sc.Core.Core().V1().Pod(),
 		sc.Core.Core().V1().Service(),
 		sc.Core.Core().V1().Endpoints(),
+		config.ServiceLBNamespace,
 		!config.DisableServiceLB,
 		config.Rootless); err != nil {
 		return err
--- a/pkg/server/types.go
+++ b/pkg/server/types.go
@ -12,6 +12,7 @@ type Config struct {
 	DisableServiceLB   bool
 	ControlConfig      config.Control
 	Rootless           bool
+	ServiceLBNamespace string
 	SupervisorPort     int
 	StartupHooks       []cmds.StartupHook
 	LeaderControllers  CustomControllers
--- a/pkg/servicelb/controller.go
+++ b/pkg/servicelb/controller.go
@ -44,11 +44,6 @@ var (
 const (
 	Ready          = condition.Cond("Ready")
 	ControllerName = "svccontroller"
-	KlipperNamespace = "klipper-lb-system"
-)
-
-var (
-	trueVal = true
 )

 func Register(ctx context.Context,
@ -60,10 +55,12 @@ func Register(ctx context.Context,
 	pods coreclient.PodController,
 	services coreclient.ServiceController,
 	endpoints coreclient.EndpointsController,
+	klipperLBNamespace string,
 	enabled, rootless bool) error {
 	h := &handler{
 		rootless:           rootless,
 		enabled:            enabled,
+		klipperLBNamespace: klipperLBNamespace,
 		nodeCache:          nodes.Cache(),
 		podCache:           pods.Cache(),
 		deploymentCache:    deployments.Cache(),
@ -83,11 +80,18 @@ func Register(ctx context.Context,
 		pods,
 		endpoints)

-	return createOrDeleteKlipperNamespace(ctx, enabled, kubernetes)
+	if enabled {
+		if err := createServiceLBNamespace(ctx, h.klipperLBNamespace, kubernetes); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

 type handler struct {
 	rootless           bool
+	klipperLBNamespace string
 	enabled            bool
 	nodeCache          coreclient.NodeCache
 	podCache           coreclient.PodCache
@ -100,22 +104,17 @@ type handler struct {
 	recorder           record.EventRecorder
 }

-func createOrDeleteKlipperNamespace(ctx context.Context, enabled bool, k8s kubernetes.Interface) error {
-	_, err := k8s.CoreV1().Namespaces().Get(ctx, KlipperNamespace, meta.GetOptions{})
-	if !apierrors.IsNotFound(err) {
-		return err
-	}
-
-	if enabled {
+func createServiceLBNamespace(ctx context.Context, ns string, k8s kubernetes.Interface) error {
+	_, err := k8s.CoreV1().Namespaces().Get(ctx, ns, meta.GetOptions{})
+	if apierrors.IsNotFound(err) {
 		_, err := k8s.CoreV1().Namespaces().Create(ctx, &core.Namespace{
 			ObjectMeta: meta.ObjectMeta{
-				Name: KlipperNamespace,
+				Name: ns,
 			},
 		}, meta.CreateOptions{})
 		return err
 	}
-
-	return k8s.CoreV1().Namespaces().Delete(ctx, KlipperNamespace, meta.DeleteOptions{})
+	return err
 }

 func (h *handler) onResourceChange(name, namespace string, obj runtime.Object) ([]relatedresource.Key, error) {
@ -194,7 +193,7 @@ func (h *handler) updateService(svc *core.Service) (runtime.Object, error) {
 		return svc, nil
 	}

-	pods, err := h.podCache.List(KlipperNamespace, labels.SelectorFromSet(map[string]string{
+	pods, err := h.podCache.List(h.klipperLBNamespace, labels.SelectorFromSet(map[string]string{
 		svcNameLabel:      svc.Name,
 		svcNamespaceLabel: svc.Namespace,
 	}))
@ -388,7 +387,7 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 	ds := &apps.DaemonSet{
 		ObjectMeta: meta.ObjectMeta{
 			Name:      name,
-			Namespace: KlipperNamespace,
+			Namespace: h.klipperLBNamespace,
 			Labels: map[string]string{
 				nodeSelectorLabel: "false",
 			},