Override propagation annotations in children namespaces

[testinfected]

Hi,

What would be a way for a child namespace to override the propagation annotations inherited from a parent namespace?

My use case is the following: an organization has departments and each department has teams. I'd like to define resources on the root namespace (organization), and make them available to departments (depth 1 subnamespaces) by allowing propagation to the direct descendants of the root namespace. Each direct descendant would then decide to which of its own descendants the resource is furter propagated.

Currently, it seems I cannot override the propagation annotation on the depth 1 subnamespace:

Error from server (Forbidden): admission webhook "objects.hnc.x-k8s.io" denied the request: componentdefinitions.core.oam.dev "dept-a/config-file" is forbidden: cannot modify object propagated from namespace "acme"

Is there any plan to support such a use case?

Thanks

[gbmeuk]

Have a look at AllowPropage mode for the resource you're concerned about and use a label selector on the root resource. If you want to automatically inherit the label used by the selector, check out inherited labels feature.

[testinfected]

Let me check if I understand correctly:

Are you suggesting that I use propagate.hnc.x-k8s.io/select on the root with a label selector, then assign that said label to whaetever sub-namespace descendant (child, grand-child, grand-grand-child, etc) I want to propagate the resource to?

What are you referring to by inherited labels feature? Are you talking about Managed Labels?

Thanks

[gbmeuk]

Sorry, yes, managed labels; and yes, apply an appropriate propagate.* label onto the source object that matches your requirements.

[testinfected]

Makes sense, thanks

[adrianludwin]

@gbmeuk Thanks for answering that! @testinfected A possible alternative is to use the the built-in tree labels: org-namespace-name.tree.hnc.x-k8s.io/depth: 1 would propagate the object only to the direct children. But then there's no easy way for the owner of that child namespace to further propagate it, so that may not work for you. But managed labels would work, yes.