Merge pull request #232 from xgp01/customize-namespace-install

Support customize namespace install

Author: k8s-ci-robot

cmd/manager/main.go

@@ -74,6 +74,7 @@ var (
 	includedNamespacesRegex string
 	webhooksOnly            bool
 	enableHRQ               bool
+	hncNamespace            string
 )
 
 // init preloads some global vars before main() starts. Since this is the top-level module, I'm not
@@ -151,6 +152,7 @@ func parseFlags() {
 	flag.Var(&managedNamespaceAnnots, "managed-namespace-annotation", "A regex indicating the annotations on namespaces that are managed by HNC. These annotations may only be set via the HierarchyConfiguration object. All regexes are implictly wrapped by \"^...$\". This argument can be specified multiple times. See the user guide for more information.")
 	flag.BoolVar(&webhooksOnly, "webhooks-only", false, "Disables the controllers so HNC can be run in HA webhook mode")
 	flag.BoolVar(&enableHRQ, "enable-hrq", false, "Enables hierarchical resource quotas")
+	flag.StringVar(&hncNamespace, "namespace", "hnc-system", "Namespace where hnc-manager and hnc resources deployed")
 	flag.Parse()
 
 	// Assign the array args to the configuration variables after the args are parsed.
@@ -166,6 +168,9 @@ func parseFlags() {
 		setupLog.Info("Cannot set both --webhooks-only and --no-webhooks")
 		os.Exit(1)
 	}
+
+	// Set hnc namespace
+	config.SetHNCNamespace(hncNamespace)
 }
 
 // enableMetrics returns a function to call from main() to export any remaining metrics when main()

internal/config/namespace.go

@@ -31,8 +31,16 @@ var (
 	// this list is removed from all managed namespaces unless specifically specified by the HC of the
 	// namespace or one of its ancestors.
 	managedAnnotations []*regexp.Regexp
+
+	// hncNamespace is the namespace where hnc-manager and hnc resources deployed. It set by commandline argument,
+	// default to hnc-system.
+	hncNamespace string
 )
 
+func SetHNCNamespace(ns string) {
+	hncNamespace = ns
+}
+
 func SetNamespaces(regex string, excluded ...string) {
 	if regex == "" {
 		regex = ".*"
@@ -125,3 +133,8 @@ func IsManagedAnnotation(k string) bool {
 	}
 	return false
 }
+
+// GetHNCNamespace return the namespace where hnc-manager and hnc resources deployed
+func GetHNCNamespace() string {
+	return hncNamespace
+}

internal/hierarchyconfig/validator.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -117,7 +116,7 @@ func (v *Validator) handle(ctx context.Context, log logr.Logger, req *request) a
 	// exists on the K8s server, we need to be able to update its status even though the rest of the
 	// object wouldn't pass legality. We should probably only give the HNC SA the ability to modify
 	// the _status_, though. TODO: https://github.com/kubernetes-sigs/hierarchical-namespaces/issues/80.
-	if isHNCServiceAccount(req.ui) {
+	if webhooks.IsHNCServiceAccount(req.ui) {
 		return allow("HNC SA")
 	}
 
@@ -447,26 +446,6 @@ func (v *Validator) decodeRequest(in admission.Request) (*request, error) {
 	}, nil
 }
 
-// isHNCServiceAccount is inspired by isGKServiceAccount from open-policy-agent/gatekeeper.
-func isHNCServiceAccount(user *authnv1.UserInfo) bool {
-	if user == nil {
-		// useful for unit tests
-		return false
-	}
-
-	ns, found := os.LookupEnv("POD_NAMESPACE")
-	if !found {
-		ns = "hnc-system"
-	}
-	saGroup := fmt.Sprintf("system:serviceaccounts:%s", ns)
-	for _, g := range user.Groups {
-		if g == saGroup {
-			return true
-		}
-	}
-	return false
-}
-
 func (v *Validator) InjectClient(c client.Client) error {
 	v.server = &realClient{client: c}
 	return nil

internal/setup/webhooks.go

@@ -9,6 +9,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"sigs.k8s.io/hierarchical-namespaces/internal/anchor"
+	"sigs.k8s.io/hierarchical-namespaces/internal/config"
 	"sigs.k8s.io/hierarchical-namespaces/internal/forest"
 	"sigs.k8s.io/hierarchical-namespaces/internal/hierarchyconfig"
 	"sigs.k8s.io/hierarchical-namespaces/internal/hncconfig"
@@ -18,24 +19,24 @@ import (
 )
 
 const (
-	serviceName     = "hnc-webhook-service"
-	vwhName         = "hnc-validating-webhook-configuration"
-	mwhName         = "hnc-mutating-webhook-configuration"
-	caName          = "hnc-ca"
-	caOrganization  = "hnc"
-	secretNamespace = "hnc-system"
-	secretName      = "hnc-webhook-server-cert"
-	certDir         = "/tmp/k8s-webhook-server/serving-certs"
+	serviceName    = "hnc-webhook-service"
+	vwhName        = "hnc-validating-webhook-configuration"
+	mwhName        = "hnc-mutating-webhook-configuration"
+	caName         = "hnc-ca"
+	caOrganization = "hnc"
+	secretName     = "hnc-webhook-server-cert"
+	certDir        = "/tmp/k8s-webhook-server/serving-certs"
 )
 
-// DNSName is <service name>.<namespace>.svc
-var dnsName = fmt.Sprintf("%s.%s.svc", serviceName, secretNamespace)
-
 // ManageCerts creates all certs for webhooks. This function is called from main.go.
 func ManageCerts(mgr ctrl.Manager, setupFinished chan struct{}, restartOnSecretRefresh bool) error {
+	hncNamespace := config.GetHNCNamespace()
+	// DNSName is <service name>.<hncNamespace>.svc
+	dnsName := fmt.Sprintf("%s.%s.svc", serviceName, hncNamespace)
+
 	return cert.AddRotator(mgr, &cert.CertRotator{
 		SecretKey: types.NamespacedName{
-			Namespace: secretNamespace,
+			Namespace: hncNamespace,
 			Name:      secretName,
 		},
 		CertDir:        certDir,

internal/webhooks/webhooks.go

@@ -2,7 +2,6 @@ package webhooks
 
 import (
 	"fmt"
-	"os"
 
 	k8sadm "k8s.io/api/admission/v1"
 	authnv1 "k8s.io/api/authentication/v1"
@@ -11,6 +10,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"sigs.k8s.io/hierarchical-namespaces/internal/config"
 )
 
 // IsHNCServiceAccount is inspired by isGKServiceAccount from open-policy-agent/gatekeeper.
@@ -20,11 +21,7 @@ func IsHNCServiceAccount(user *authnv1.UserInfo) bool {
 		return false
 	}
 
-	ns, found := os.LookupEnv("POD_NAMESPACE")
-	if !found {
-		ns = "hnc-system"
-	}
-	saGroup := fmt.Sprintf("system:serviceaccounts:%s", ns)
+	saGroup := fmt.Sprintf("system:serviceaccounts:%s", config.GetHNCNamespace())
 	for _, g := range user.Groups {
 		if g == saGroup {
 			return true