Add ocm-polices namespace

Deploy policies to the same namespace on every managed cluster rather than dynamically determine the managed cluster namespace name for each cluster.(example: argoCD) Ref: https://issues.redhat.com/browse/ACM-13609 Signed-off-by: yiraeChristineKim <[email protected]>
open-cluster-management-io · Sep 19, 2024 · c090fe8 · c090fe8
1 parent b2935ed
commit c090fe8
Show file tree

Hide file tree

Showing 2 changed files with 109 additions and 24 deletions.
diff --git a/main.go b/main.go
@@ -66,6 +66,10 @@ var (
 	log    = ctrl.Log.WithName("setup")
 )
 
+// Namespace for standalone policy users.
+// Policies applied by users are deployed here. Used only in non-hosted mode.
+const ocmPolicyNs = "open-cluster-management-policies"
+
 func printVersion() {
 	log.Info("Using", "OperatorVersion", version.Version, "GoVersion", runtime.Version(),
 		"GOOS", runtime.GOOS, "GOARCH", runtime.GOARCH)
@@ -83,22 +87,23 @@ func init() {
 }
 
 type ctrlOpts struct {
-	clusterName           string
-	hubConfigPath         string
-	targetKubeConfig      string
-	metricsAddr           string
-	secureMetrics         bool
-	probeAddr             string
-	operatorPolDefaultNS  string
-	clientQPS             float32
-	clientBurst           uint
-	evalBackoffSeconds    uint
-	decryptionConcurrency uint8
-	evaluationConcurrency uint8
-	enableLease           bool
-	enableLeaderElection  bool
-	enableMetrics         bool
-	enableOperatorPolicy  bool
+	clusterName              string
+	hubConfigPath            string
+	targetKubeConfig         string
+	metricsAddr              string
+	secureMetrics            bool
+	probeAddr                string
+	operatorPolDefaultNS     string
+	clientQPS                float32
+	clientBurst              uint
+	evalBackoffSeconds       uint
+	decryptionConcurrency    uint8
+	evaluationConcurrency    uint8
+	enableLease              bool
+	enableLeaderElection     bool
+	enableMetrics            bool
+	enableOperatorPolicy     bool
+	enableOcmPolicyNamespace bool
 }
 
 func main() {
@@ -227,11 +232,14 @@ func main() {
 
 	log.V(2).Info("Configured the watch namespace", "watchNamespace", watchNamespace)
 
+	configPolicy := &policyv1.ConfigurationPolicy{}
+	operatorPolicy := &policyv1beta1.OperatorPolicy{}
+
 	if watchNamespace != "" {
-		cacheByObject[&policyv1.ConfigurationPolicy{}] = cache.ByObject{
-			Field: fields.SelectorFromSet(fields.Set{
-				"metadata.namespace": watchNamespace,
-			}),
+		cacheByObject[configPolicy] = cache.ByObject{
+			Namespaces: map[string]cache.Config{
+				watchNamespace: {},
+			},
 		}
 
 		cacheByObject[&corev1.Secret{}] = cache.ByObject{
@@ -242,10 +250,21 @@ func main() {
 		}
 
 		if opts.enableOperatorPolicy {
-			cacheByObject[&policyv1beta1.OperatorPolicy{}] = cache.ByObject{
-				Field: fields.SelectorFromSet(fields.Set{
-					"metadata.namespace": watchNamespace,
-				}),
+			cacheByObject[operatorPolicy] = cache.ByObject{
+				Namespaces: map[string]cache.Config{
+					watchNamespace: {},
+				},
+			}
+		}
+
+		// ocmPolicyNs is cached only in non-hosted=mode
+		if opts.targetKubeConfig == "" && opts.enableOcmPolicyNamespace {
+			cacheByObject[configPolicy].
+				Namespaces[ocmPolicyNs] = cache.Config{}
+
+			if opts.enableOperatorPolicy {
+				cacheByObject[operatorPolicy].
+					Namespaces[ocmPolicyNs] = cache.Config{}
 			}
 		}
 	} else {
@@ -825,6 +844,13 @@ func parseOpts(flags *pflag.FlagSet, args []string) *ctrlOpts {
 		"The default namespace to be used by an OperatorPolicy if not specified in the policy.",
 	)
 
+	flags.BoolVar(
+		&opts.enableOcmPolicyNamespace,
+		"enable-ocm-policy-namespace",
+		true,
+		"Enable to use open-cluster-management-policies namespace",
+	)
+
 	_ = flags.Parse(args)
 
 	// Scale QPS and Burst with concurrency, when they aren't explicitly set.

diff --git a/test/e2e/case1_pod_handling_test.go b/test/e2e/case1_pod_handling_test.go
@@ -12,6 +12,8 @@ import (
 	"open-cluster-management.io/config-policy-controller/test/utils"
 )
 
+const ocmNs = "open-cluster-management-policies"
+
 var _ = Describe("Test pod obj template handling", Ordered, func() {
 	Describe("Test pod obj handling on managed cluster in ns:"+testNamespace, Ordered, func() {
 		const (
@@ -293,4 +295,61 @@ var _ = Describe("Test pod obj template handling", Ordered, func() {
 			utils.KubectlDelete("event", "--field-selector=involvedObject.name="+configPolicyName, "-n", "managed")
 		})
 	})
+
+	Describe("Test pod obj in "+ocmNs+" namespace", Ordered, func() {
+		const (
+			configPolicyNameInform  string = "policy-pod-create-inform"
+			configPolicyNameEnforce string = "policy-pod-create"
+			podName                 string = "nginx-pod-e2e"
+			policyYamlInform        string = "../resources/case1_pod_handling/case1_pod_create_inform.yaml"
+			policyYamlEnforce       string = "../resources/case1_pod_handling/case1_pod_create_enforce.yaml"
+		)
+
+		BeforeAll(func() {
+			utils.Kubectl("create", "ns", ocmNs)
+		})
+		It("should be created properly on the managed cluster", func() {
+			By("Creating " + policyYamlInform + " on managed")
+			utils.Kubectl("apply", "-f", policyYamlInform, "-n", ocmNs)
+			plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
+				configPolicyNameInform, ocmNs, true, defaultTimeoutSeconds)
+			Expect(plc).NotTo(BeNil())
+			Eventually(func(g Gomega) {
+				managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
+					configPolicyNameInform, ocmNs, true, defaultTimeoutSeconds)
+
+				utils.CheckComplianceStatus(g, managedPlc, "NonCompliant")
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+		})
+		It("should create pod on managed cluster", func() {
+			By("creating " + policyYamlEnforce + " on hub with spec.remediationAction = enforce")
+			utils.Kubectl("apply", "-f", policyYamlEnforce, "-n", ocmNs)
+			plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
+				configPolicyNameEnforce, ocmNs, true, defaultTimeoutSeconds)
+			Expect(plc).NotTo(BeNil())
+			Eventually(func(g Gomega) {
+				managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
+					configPolicyNameEnforce, ocmNs, true, defaultTimeoutSeconds)
+
+				utils.CheckComplianceStatus(g, managedPlc, "Compliant")
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+			Eventually(func(g Gomega) {
+				informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
+					configPolicyNameInform, ocmNs, true, defaultTimeoutSeconds)
+
+				utils.CheckComplianceStatus(g, informPlc, "Compliant")
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+			pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod,
+				podName, "default", true, defaultTimeoutSeconds)
+			Expect(pod).NotTo(BeNil())
+		})
+		AfterAll(func() {
+			utils.KubectlDelete("ns", ocmNs)
+
+			By("Delete pods")
+			pods := []string{podName}
+			namespaces := []string{"default"}
+			deletePods(pods, namespaces)
+		})
+	})
 })