Azure · polasekr · Dec 23, 2020
diff --git a/helm/ingress-azure/templates/deployment.yaml b/helm/ingress-azure/templates/deployment.yaml
@@ -51,6 +51,8 @@ spec:
           initialDelaySeconds: 15
           periodSeconds: 20
         env:
+        - name: allowSystemNamespaces
+          value: {{ default .Values.appgw.allowSystemNamespaces "false" }}
         - name: AZURE_CLOUD_PROVIDER_LOCATION
           value: /etc/appgw/azure.json
         - name: AGIC_POD_NAME

diff --git a/pkg/k8scontext/context.go b/pkg/k8scontext/context.go
@@ -8,19 +8,21 @@ package k8scontext
 import (
 	"context"
 	"fmt"
+	"os"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
 
 	mapset "github.com/deckarep/golang-set"
-	"k8s.io/klog/v2"
 	"github.com/knative/pkg/apis/istio/v1alpha3"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/api/extensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
 
 	"github.com/Azure/application-gateway-kubernetes-ingress/pkg/annotations"
 	agpoolv1beta1 "github.com/Azure/application-gateway-kubernetes-ingress/pkg/apis/azureapplicationgatewaybackendpool/v1beta1"
@@ -42,9 +44,31 @@ import (
 const providerPrefix = "azure://"
 const workBuffer = 1024
 
-var namespacesToIgnore = map[string]interface{}{
-	"kube-system": nil,
-	"kube-public": nil,
+var namespacesToIgnore map[string]interface{}
+
+// SetNamespacesToIgnore sets system namespaces to be ignored unless allowSystemNamespaces environment variable is set to "true"
+func SetNamespacesToIgnore() {
+	var allowSystemNamespaces bool
+	allowSystemNamespacesFlag, exists := os.LookupEnv("allowSystemNamespaces")
+	if exists {
+		val, err := strconv.ParseBool(allowSystemNamespacesFlag)
+		allowSystemNamespaces = val
+		if err != nil {
+			allowSystemNamespaces = false
+		}
+	} else {
+		allowSystemNamespaces = false
+	}
+	if allowSystemNamespaces {
+		klog.V(1).Infoln("All namespaces will be monitored for secrets and ingress")
+		namespacesToIgnore = map[string]interface{}{}
+	} else {
+		klog.V(1).Infoln("Namespaces kube-system, kube-public will be ignored")
+		namespacesToIgnore = map[string]interface{}{
+			"kube-system": nil,
+			"kube-public": nil,
+		}
+	}
 }
 
 // NewContext creates a context based on a Kubernetes client instance.
@@ -53,6 +77,8 @@ func NewContext(kubeClient kubernetes.Interface, crdClient versioned.Interface,
 	crdInformerFactory := externalversions.NewSharedInformerFactory(crdClient, resyncPeriod)
 	istioCrdInformerFactory := istio_externalversions.NewSharedInformerFactoryWithOptions(istioCrdClient, resyncPeriod)
 
+	SetNamespacesToIgnore()
+
 	informerCollection := InformerCollection{
 		Endpoints: informerFactory.Core().V1().Endpoints().Informer(),
 		Ingress:   informerFactory.Extensions().V1beta1().Ingresses().Informer(),

diff --git a/pkg/k8scontext/k8scontext_test.go b/pkg/k8scontext/k8scontext_test.go
@@ -7,6 +7,7 @@ package k8scontext
 
 import (
 	"context"
+	"os"
 	"reflect"
 	"time"
 
@@ -437,4 +438,19 @@ var _ = ginkgo.Describe("K8scontext", func() {
 			Expect(finalList).To(ContainElement(ingr))
 		})
 	})
+
+	ginkgo.Context("System namespaces consideration", func() {
+		ginkgo.It("system namespaces should be ignored by default", func() {
+			Expect(namespacesToIgnore).To(HaveLen(2))
+		})
+
+		ginkgo.It("system namespaces should be considered when env var allowSystemNamespaces is set to true", func() {
+			k8sClient = testclient.NewSimpleClientset()
+			crdClient := fake.NewSimpleClientset()
+			istioCrdClient := istioFake.NewSimpleClientset()
+			os.Setenv("allowSystemNamespaces", "true")
+			NewContext(k8sClient, crdClient, istioCrdClient, []string{ingressNS}, 1000*time.Second, metricstore.NewFakeMetricStore())
+			Expect(namespacesToIgnore).To(HaveLen(0))
+		})
+	})
 })