feat(admission): improve performance for namespaced admissions

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

Author: oliverbaehler

.gitignore

@@ -8,6 +8,7 @@
 bin
 dist/
 config/
+builds/
 
 # Test binary, build with `go test -c`
 *.test

Makefile

@@ -100,6 +100,7 @@ helm-test-exec: ct helm-controller-version ko-build-all
 	$(MAKE) e2e-load-image CLUSTER_NAME=capsule-charts IMAGE=$(CAPSULE_IMG) VERSION=v0.0.0
 	@$(KUBECTL) create ns capsule-system || true
 	$(MAKE) dev-install-deps
+	$(MAKE) dev-install-grafana-operator-crds
 	@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
 
 # Setup development env
@@ -111,7 +112,7 @@ dev-build: kind
 dev-destroy: kind
 	$(KIND) delete cluster --name capsule
 
-dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds dev-install-grafana-operator-crds dev-install-prometheus-crds wait-for-helmreleases
+dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds  wait-for-helmreleases
 
 API_GW         := none
 API_GW_VERSION := v1.3.0
@@ -171,6 +172,7 @@ dev-setup:
 	export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
 	$(HELM) upgrade \
 	    --dependency-update \
+		--force-conflicts \
 		--debug \
 		--install \
 		--namespace capsule-system \
@@ -226,6 +228,8 @@ dev-setup-capsule-example: dev-setup-fluxcd
 	@$(KUBECTL) create ns green-prod --as bob --as-group projectcapsule.dev || true
 	@$(KUBECTL) create ns solar-test --as alice --as-group projectcapsule.dev || true
 	@$(KUBECTL) create ns solar-prod --as alice --as-group projectcapsule.dev || true
+	@$(KUBECTL) apply -f hack/distro/capsule/example-setup/claims.yaml
+
 
 wait-for-helmreleases:
 	@ echo "Waiting for all HelmReleases to have observedGeneration >= 0..."
@@ -234,6 +238,42 @@ wait-for-helmreleases:
 	done
 
 
+ENTERPRISE_VERSION  ?= "0.13.0-rc.2"
+ENTERPRISE_REGISTRY ?= "oci.peakscale.ch"
+
+enterprise-prerelease:
+	mkdir -p ./builds
+	$(MAKE) CAPSULE_IMG=$(ENTERPRISE_REGISTRY)/prereleases/images/capsule VERSION=$(ENTERPRISE_VERSION) ko-publish-capsule
+	$(HELM) package ./charts/capsule --app-version=$(ENTERPRISE_VERSION) --version=$(ENTERPRISE_VERSION) --destination ./builds/
+	$(HELM) push ./builds/capsule-$(ENTERPRISE_VERSION).tgz oci://$(ENTERPRISE_REGISTRY)/prereleases/charts/
+	$(MAKE) deploy-enterprise
+	rm -rf ./builds
+
+deploy-enterprise:
+	@echo ""
+	@echo "Deploying Capsule Prerelease (Enterprise) $(ENTERPRISE_VERSION)"
+	@echo ""
+	@echo "1) Create image pull secret (Change the credentials with the ones provided to you):"
+	@echo ""
+	@echo "kubectl create secret docker-registry capsule-enterprise -n capsule-system \\"
+	@echo "  --docker-username='robot\$$name' \\"
+	@echo "  --docker-password='serviceaccount-password' \\"
+	@echo "  --docker-server='$(ENTERPRISE_REGISTRY)'"
+	@echo ""
+	@echo "2) Deploy Capsule:"
+	@echo ""
+	@echo "helm upgrade --install capsule \\"
+	@echo "  oci://$(ENTERPRISE_REGISTRY)/prereleases/charts/capsule \\"
+	@echo "  --namespace capsule-system \\"
+	@echo "  --version $(ENTERPRISE_VERSION) \\"
+	@echo "  --reuse-values \\"
+	@echo "  --set manager.image.registry=$(ENTERPRISE_REGISTRY) \\"
+	@echo "  --set manager.image.repository=prereleases/images/capsule \\"
+	@echo "  --set manager.image.tag=$(ENTERPRISE_VERSION) \\"
+	@echo "  --set manager.image.pullPolicy=Always \\"
+	@echo "  --set 'serviceAccount.imagePullSecrets={capsule-enterprise}'"
+	@echo ""
+
 ####################
 # -- Docker
 ####################

api/v1beta2/capsuleconfiguration_types.go

@@ -8,6 +8,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )
 
 // CapsuleConfigurationSpec defines the Capsule configuration.
@@ -89,7 +90,7 @@ type DynamicAdmission struct {
 
 type DynamicAdmissionConfig struct {
 	// Name the Admission Webhook
-	Name api.Name `json:"name,omitempty"`
+	Name meta.RFC1123Name `json:"name,omitempty"`
 	// Labels added to the Admission Webhook
 	// +optional
 	Labels map[string]string `json:"labels,omitempty"`

api/v1beta2/namespace_options.go

@@ -17,6 +17,9 @@ type NamespaceOptions struct {
 	AdditionalMetadata *api.AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
 	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional.
 	AdditionalMetadataList []api.AdditionalMetadataSelectorSpec `json:"additionalMetadataList,omitempty"`
+	// Required Metadata for namespace within this tenant
+	// +optional
+	RequiredMetadata *RequiredMetadata `json:"requiredMetadata,omitzero"`
 	// Define the labels that a Tenant Owner cannot set for their Namespace resources.
 	// +optional
 	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitzero"`
@@ -27,3 +30,13 @@ type NamespaceOptions struct {
 	//+kubebuilder:default:=false
 	ManagedMetadataOnly bool `json:"managedMetadataOnly,omitempty"`
 }
+
+type RequiredMetadata struct {
+	// Labels that must be defined for each namespace
+	// +optional
+	Labels map[string]string `json:"labels,omitzero"`
+
+	// Annotations that must be defined for each namespace
+	// +optional
+	Annotations map[string]string `json:"annotations,omitzero"`
+}

api/v1beta2/resourcepool_func.go

@@ -11,7 +11,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 
-	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )
 
 func (r *ResourcePool) GetQuotaName() string {
@@ -79,9 +79,10 @@ func (r *ResourcePool) AddClaimToStatus(claim *ResourcePoolClaim) {
 	}
 
 	scl := &ResourcePoolClaimsItem{
-		StatusNameUID: api.StatusNameUID{
-			UID:  claim.UID,
-			Name: api.Name(claim.Name),
+		NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{
+			UID:       claim.UID,
+			Name:      meta.RFC1123Name(claim.Name),
+			Namespace: meta.RFC1123SubdomainName(claim.Namespace),
 		},
 		Claims: claim.Spec.ResourceClaims,
 	}

api/v1beta2/resourcepool_func_test.go

@@ -11,7 +11,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	"github.com/projectcapsule/capsule/pkg/api"
 	"github.com/projectcapsule/capsule/pkg/api/meta"
 	"github.com/stretchr/testify/assert"
 )
@@ -34,7 +33,7 @@ func TestGetClaimFromStatus(t *testing.T) {
 			Claims: ResourcePoolNamespaceClaimsStatus{
 				ns: {
 					&ResourcePoolClaimsItem{
-						StatusNameUID: api.StatusNameUID{
+						NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{
 							UID: testUID,
 						},
 						Claims: corev1.ResourceList{
@@ -127,8 +126,9 @@ func TestAddRemoveClaimToStatus(t *testing.T) {
 	pool.AddClaimToStatus(claim)
 
 	stored := pool.GetClaimFromStatus(claim)
+
 	assert.NotNil(t, stored)
-	assert.Equal(t, api.Name("claim-1"), stored.Name)
+	assert.Equal(t, meta.RFC1123Name("claim-1"), stored.Name)
 
 	pool.RemoveClaimFromStatus(claim)
 	assert.Nil(t, pool.GetClaimFromStatus(claim))
@@ -219,7 +219,7 @@ func TestGetNamespaceClaims(t *testing.T) {
 			Claims: ResourcePoolNamespaceClaimsStatus{
 				"ns": {
 					&ResourcePoolClaimsItem{
-						StatusNameUID: api.StatusNameUID{UID: "uid1"},
+						NamespacedRFC1123ObjectReferenceWithNamespaceWithUID: meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID{UID: "uid1"},
 						Claims: corev1.ResourceList{
 							corev1.ResourceLimitsCPU: resource.MustParse("1"),
 						},
@@ -260,36 +260,59 @@ func TestIsBoundToResourcePool_2(t *testing.T) {
 	t.Run("bound to resource pool (Assigned=True)", func(t *testing.T) {
 		claim := &ResourcePoolClaim{
 			Status: ResourcePoolClaimStatus{
-				Condition: metav1.Condition{
-					Type:   meta.BoundCondition,
-					Status: metav1.ConditionTrue,
-				},
+				Conditions: meta.ConditionList{},
 			},
 		}
-		assert.Equal(t, true, claim.IsBoundToResourcePool())
+
+		assert.Equal(t, false, claim.IsBoundInResourcePool())
 	})
 
 	t.Run("not bound - wrong condition type", func(t *testing.T) {
 		claim := &ResourcePoolClaim{
 			Status: ResourcePoolClaimStatus{
-				Condition: metav1.Condition{
-					Type:   "Other",
-					Status: metav1.ConditionTrue,
+				Conditions: meta.ConditionList{
+					meta.Condition{},
+				},
+			},
+		}
+
+		cond := meta.NewAssignedCondition(claim)
+		cond.Status = metav1.ConditionFalse
+		claim.Status.Conditions.UpdateConditionByType(cond)
+
+		assert.Equal(t, false, claim.IsBoundInResourcePool())
+	})
+
+	t.Run("not bound - condition not true", func(t *testing.T) {
+		claim := &ResourcePoolClaim{
+			Status: ResourcePoolClaimStatus{
+				Conditions: meta.ConditionList{
+					meta.Condition{},
 				},
 			},
 		}
-		assert.Equal(t, false, claim.IsBoundToResourcePool())
+
+		cond := meta.NewBoundCondition(claim)
+		cond.Status = metav1.ConditionFalse
+		claim.Status.Conditions.UpdateConditionByType(cond)
+
+		assert.Equal(t, false, claim.IsBoundInResourcePool())
 	})
 
 	t.Run("not bound - condition not true", func(t *testing.T) {
 		claim := &ResourcePoolClaim{
 			Status: ResourcePoolClaimStatus{
-				Condition: metav1.Condition{
-					Type:   meta.BoundCondition,
-					Status: metav1.ConditionFalse,
+				Conditions: meta.ConditionList{
+					meta.Condition{},
 				},
 			},
 		}
-		assert.Equal(t, false, claim.IsBoundToResourcePool())
+
+		cond := meta.NewBoundCondition(claim)
+		cond.Status = metav1.ConditionTrue
+		claim.Status.Conditions.UpdateConditionByType(cond)
+
+		assert.Equal(t, true, claim.IsBoundInResourcePool())
 	})
+
 }

api/v1beta2/resourcepool_status.go

@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/projectcapsule/capsule/pkg/api"
+	"github.com/projectcapsule/capsule/pkg/api/meta"
 )
 
 // GlobalResourceQuotaStatus defines the observed state of GlobalResourceQuota.
@@ -28,6 +29,8 @@ type ResourcePoolStatus struct {
 	Allocation ResourcePoolQuotaStatus `json:"allocation,omitzero"`
 	// Exhaustions from claims associated with the pool
 	Exhaustions map[string]api.PoolExhaustionResource `json:"exhaustions,omitempty"`
+	// Conditions for the resource claim
+	Conditions meta.ConditionList `json:"conditions,omitzero"`
 }
 
 type ResourcePoolNamespaceClaimsStatus map[string]ResourcePoolClaimsList
@@ -60,7 +63,7 @@ func (r *ResourcePoolClaimsList) GetClaimByUID(uid types.UID) *ResourcePoolClaim
 // ResourceQuotaClaimStatus defines the observed state of ResourceQuotaClaim.
 type ResourcePoolClaimsItem struct {
 	// Reference to the GlobalQuota being claimed from
-	api.StatusNameUID `json:",inline"`
+	meta.NamespacedRFC1123ObjectReferenceWithNamespaceWithUID `json:",inline"`
 
 	// Claimed resources
 	Claims corev1.ResourceList `json:"claims,omitempty"`

api/v1beta2/resourcepool_types.go

@@ -7,13 +7,13 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/projectcapsule/capsule/pkg/api/misc"
+	"github.com/projectcapsule/capsule/pkg/runtime/selectors"
 )
 
 // ResourcePoolSpec.
 type ResourcePoolSpec struct {
 	// Selector to match the namespaces that should be managed by the GlobalResourceQuota
-	Selectors []misc.NamespaceSelector `json:"selectors,omitempty"`
+	Selectors []selectors.NamespaceSelector `json:"selectors,omitempty"`
 	// Define the resourcequota served by this resourcepool.
 	Quota corev1.ResourceQuotaSpec `json:"quota"`
 	// The Defaults given for each namespace, the default is not counted towards the total allocation
@@ -27,19 +27,19 @@ type ResourcePoolSpec struct {
 }
 
 type ResourcePoolSpecConfiguration struct {
-	// With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
+	// With this option all resources which can be allocated are set to 0 for the resourcequota defaults. (Default false)
 	// +kubebuilder:default=false
 	DefaultsAssignZero *bool `json:"defaultsZero,omitempty"`
 	// Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
 	// creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
 	// but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
 	// it's priority was lower
 	// Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
-	// other claim can claim the same resources with lower priority.
+	// other claim can claim the same resources with lower priority. (Default false)
 	// +kubebuilder:default=false
 	OrderedQueue *bool `json:"orderedQueue,omitempty"`
 	// When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
-	// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
+	// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state. (Default false)
 	// +kubebuilder:default=false
 	DeleteBoundResources *bool `json:"deleteBoundResources,omitempty"`
 }
@@ -49,6 +49,8 @@ type ResourcePoolSpecConfiguration struct {
 // +kubebuilder:resource:scope=Cluster,shortName=quotapool
 // +kubebuilder:printcolumn:name="Claims",type="integer",JSONPath=".status.claimCount",description="The total amount of Claims bound"
 // +kubebuilder:printcolumn:name="Namespaces",type="integer",JSONPath=".status.namespaceCount",description="The total amount of Namespaces considered"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Reconcile Status"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="Reconcile Message"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
 
 // Resourcepools allows you to define a set of resources as known from ResoureQuotas. The Resourcepools are defined at cluster-scope an should

api/v1beta2/resourcepoolclaim_func.go

@@ -10,11 +10,52 @@ import (
 )
 
 // Indicate the claim is bound to a resource pool.
-func (r *ResourcePoolClaim) IsBoundToResourcePool() bool {
-	if r.Status.Condition.Type == meta.BoundCondition &&
-		r.Status.Condition.Status == metav1.ConditionTrue {
+func (r *ResourcePoolClaim) IsExhaustedInResourcePool() bool {
+	condition := r.Status.Conditions.GetConditionByType(meta.ExhaustedCondition)
+
+	if condition == nil {
+		return false
+	}
+
+	if condition.Status == metav1.ConditionTrue {
 		return true
 	}
 
 	return false
 }
+
+func (r *ResourcePoolClaim) IsAssignedInResourcePool() bool {
+	condition := r.Status.Conditions.GetConditionByType(meta.AssignedCondition)
+
+	if condition == nil {
+		return false
+	}
+
+	if condition.Status == metav1.ConditionTrue {
+		return true
+	}
+
+	return false
+}
+
+func (r *ResourcePoolClaim) IsBoundInResourcePool() bool {
+	condition := r.Status.Conditions.GetConditionByType(meta.BoundCondition)
+
+	if condition == nil {
+		return false
+	}
+
+	if condition.Status == metav1.ConditionTrue {
+		return true
+	}
+
+	return false
+}
+
+func (r *ResourcePoolClaim) GetPool() string {
+	if name := string(r.Status.Pool.Name); name != "" {
+		return name
+	}
+
+	return r.Spec.Pool
+}