diff --git a/helm/ingress-azure/templates/deployment.yaml b/helm/ingress-azure/templates/deployment.yaml
index e80be608b..11166f703 100644
--- a/helm/ingress-azure/templates/deployment.yaml
+++ b/helm/ingress-azure/templates/deployment.yaml
@@ -51,6 +51,8 @@ spec:
 initialDelaySeconds: 15
 periodSeconds: 20
 env:
+ - name: allowSystemNamespaces
+ value: {{ default .Values.appgw.allowSystemNamespaces "false" }}
 - name: AZURE_CLOUD_PROVIDER_LOCATION
 value: /etc/appgw/azure.json
 - name: AGIC_POD_NAME
diff --git a/pkg/k8scontext/context.go b/pkg/k8scontext/context.go
index 56e9df434..98cedf6d2 100644
--- a/pkg/k8scontext/context.go
+++ b/pkg/k8scontext/context.go
@@ -8,12 +8,13 @@ package k8scontext
 import (
 "context"
 "fmt"
+ "os"
 "sort"
+ "strconv"
 "strings"
 "time"
 
 mapset "github.com/deckarep/golang-set"
- "k8s.io/klog/v2"
 "github.com/knative/pkg/apis/istio/v1alpha3"
 v1 "k8s.io/api/core/v1"
 "k8s.io/api/extensions/v1beta1"
@@ -21,6 +22,7 @@ import (
 "k8s.io/client-go/informers"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/tools/cache"
+ "k8s.io/klog/v2"
 
 "github.com/Azure/application-gateway-kubernetes-ingress/pkg/annotations"
 agpoolv1beta1 "github.com/Azure/application-gateway-kubernetes-ingress/pkg/apis/azureapplicationgatewaybackendpool/v1beta1"
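Review bot: The `default` call on the added `value:` line has its arguments reversed, so the chart always renders `false`: Helm's `default` takes the fallback first (`default "false" .Values.appgw.allowSystemNamespaces`), and as written the literal `"false"` is the value being defaulted and is never empty, so the setting cannot be switched on through values.yaml. The rendered value also needs quoting, because a `true`/`false` coming from values.yaml is a YAML boolean and the API server rejects a non-string env `value`; `value: {{ .Values.appgw.allowSystemNamespaces | default false | quote }}` covers both problems. Note too that the neighbouring env names in this hunk are upper-case (`AZURE_CLOUD_PROVIDER_LOCATION`, `AGIC_POD_NAME`) while the new one is camel-case; whichever spelling is kept has to match the `os.LookupEnv` key in `pkg/k8scontext/context.go` byte for byte.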
@@ -42,9 +44,31 @@ import (
 const providerPrefix = "azure://"
 const workBuffer = 1024
 
-var namespacesToIgnore = map[string]interface{}{
- "kube-system": nil,
- "kube-public": nil,
+var namespacesToIgnore map[string]interface{}
+
+// SetNamespacesToIgnore sets system namespaces to be ignored unless allowSystemNamespaces environment variable is set to "true"
+func SetNamespacesToIgnore() {
+ var allowSystemNamespaces bool
+ allowSystemNamespacesFlag, exists := os.LookupEnv("allowSystemNamespaces")
+ if exists {
+ val, err := strconv.ParseBool(allowSystemNamespacesFlag)
+ allowSystemNamespaces = val
+ if err != nil {
+ allowSystemNamespaces = false
+ }
+ } else {
+ allowSystemNamespaces = false
+ }
+ if allowSystemNamespaces {
+ klog.V(1).Infoln("All namespaces will be monitored for secrets and ingress")
+ namespacesToIgnore = map[string]interface{}{}
+ } else {
+ klog.V(1).Infoln("Namespaces kube-system, kube-public will be ignored")
+ namespacesToIgnore = map[string]interface{}{
+ "kube-system": nil,
+ "kube-public": nil,
+ }
+ }
 }
 
 // NewContext creates a context based on a Kubernetes client instance.
@@ -53,6 +77,8 @@ func NewContext(kubeClient kubernetes.Interface, crdClient versioned.Interface,
 crdInformerFactory := externalversions.NewSharedInformerFactory(crdClient, resyncPeriod)
 istioCrdInformerFactory := istio_externalversions.NewSharedInformerFactoryWithOptions(istioCrdClient, resyncPeriod)
 
+ SetNamespacesToIgnore()
+
 informerCollection := InformerCollection{
 Endpoints: informerFactory.Core().V1().Endpoints().Informer(),
 Ingress: informerFactory.Extensions().V1beta1().Ingresses().Informer(),
diff --git a/pkg/k8scontext/k8scontext_test.go b/pkg/k8scontext/k8scontext_test.go
index 8cb39756e..e11d3a79c 100644
--- a/pkg/k8scontext/k8scontext_test.go
+++ b/pkg/k8scontext/k8scontext_test.go
@@ -7,6 +7,7 @@ package k8scontext
 import (
 "context"
+ "os"
 "reflect"
 "time"
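Review bot: A parse failure in `SetNamespacesToIgnore` is swallowed: when `strconv.ParseBool` rejects the value (an operator writing `yes` or `1 `, for instance) the code silently falls back to `false` and the only log line says the system namespaces are ignored, with no hint that the setting was read and discarded. Because turning this on widens the controller's watch to Secrets in `kube-system`, failing closed is the right default, but the rejected value and error should be logged so the misconfiguration is visible. The `val`/`err` shuffle and the duplicated `allowSystemNamespaces = false` assignments can also collapse into one guard; the rewritten parsing is below, the map assignment is unchanged. Separately, the function overwrites the package-level `namespacesToIgnore` without synchronization; that is fine if it only ever runs from `NewContext` before the informers start, but readers of the map are outside this hunk, so that ordering is an assumption worth a comment on the variable.
```go
func SetNamespacesToIgnore() {
	allow := false
	if raw, ok := os.LookupEnv("allowSystemNamespaces"); ok {
		parsed, err := strconv.ParseBool(raw)
		if err != nil {
			// Fail closed: an unparsable value keeps the system namespaces ignored.
			klog.Warningf("ignoring unparsable allowSystemNamespaces value %q: %v", raw, err)
		}
		allow = err == nil && parsed
	}
	// … unchanged: klog messages and namespacesToIgnore assignment …
}
```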
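Review bot: `NewContext` now reads the process environment and rewrites the package-level `namespacesToIgnore` on every call, and neither side effect is visible from its signature or from its doc comment, which still reads `// NewContext creates a context based on a Kubernetes client instance.` in the preceding hunk. I would extend that comment with a sentence such as `It also reads the allowSystemNamespaces environment variable and resets the package-level set of ignored namespaces, so concurrent callers should not rely on the previous value.` The body of `NewContext` continues outside the hunk, so whether anything between this call and the informer start reads the map cannot be checked here.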
@@ -437,4 +438,19 @@ var _ = ginkgo.Describe("K8scontext", func() {
 Expect(finalList).To(ContainElement(ingr))
 })
 })
+
+ ginkgo.Context("System namespaces consideration", func() {
+ ginkgo.It("system namespaces should be ignored by default", func() {
+ Expect(namespacesToIgnore).To(HaveLen(2))
+ })
+
+ ginkgo.It("system namespaces should be considered when env var allowSystemNamespaces is set to true", func() {
+ k8sClient = testclient.NewSimpleClientset()
+ crdClient := fake.NewSimpleClientset()
+ istioCrdClient := istioFake.NewSimpleClientset()
+ os.Setenv("allowSystemNamespaces", "true")
+ NewContext(k8sClient, crdClient, istioCrdClient, []string{ingressNS}, 1000*time.Second, metricstore.NewFakeMetricStore())
+ Expect(namespacesToIgnore).To(HaveLen(0))
+ })
+ })
 })
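Review bot: The `os.Setenv("allowSystemNamespaces", "true")` in the second spec is never undone, so the setting leaks into every spec that runs afterwards in the same process; with ginkgo's randomized ordering the sibling `"system namespaces should be ignored by default"` spec, which asserts `HaveLen(2)` on the same package variable, passes or fails depending on which spec ran first. Restore the environment in the spec itself, e.g. `Expect(os.Setenv("allowSystemNamespaces", "true")).To(Succeed())` followed by `defer os.Unsetenv("allowSystemNamespaces")`, or move the set/unset into a `BeforeEach`/`AfterEach` of the new `Context`. The "by default" spec also does not call `SetNamespacesToIgnore` or `NewContext` itself, so it presumably relies on a `BeforeEach` earlier in the `Describe` (outside this hunk) having built a context; if not, the now-nil map would fail `HaveLen(2)`.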