kubernetes-sigs / hierarchical-namespaces

Home of the Hierarchical Namespace Controller (HNC). Adds hierarchical policies and delegated creation to Kubernetes namespaces for improved in-cluster multitenancy.
Apache License 2.0

is there an example on how to add managed labels? #342

Closed wibed closed 10 months ago

wibed commented 10 months ago

I can't seem to get it right. I tried:

adrianludwin commented 10 months ago

There's no command-line tool to set managed labels. You need to modify the HierarchyConfiguration object directly. The easiest way to do this from the command line is kubectl edit -n namespace hierarchyconfiguration hierarchy, and then edit the labels as shown here.

Generally speaking, almost any kubectl command can be replaced by hand-editing a YAML file and then saying kubectl apply -f foo.yaml. As a result, we only tend to add the more common commands to the kubectl plugin. I'd be happy if you or someone else wanted to contribute a patch but I don't have any time for active development myself these days.

Hope this helps!

wibed commented 10 months ago

I tried this as well.

Given I edit the hierarchyconfiguration of a subnamespace, it does result in a message not unlike: label is not managed, unable to configure.

Here's an example:

# kubectl hns tree staging
staging
├── [s] cert-manager
├── [s] csi-driver-nfs
├── [s] docker-registry
├── [s] gitsrv
├── [s] kubernetes-replicator
├── [s] metallb-system
└── [s] traefik

apiVersion: hnc.x-k8s.io/v1alpha2
kind: HierarchyConfiguration
metadata:
  name: hierarchy
  namespace: staging
spec:
  labels:
  - key: pod-security.kubernetes.io/enforce
    value: privileged

Just like it does when I append it on the subnamespaceanchor or add a custom hierarchyconfiguration similar to the one above for a subnamespace.

I came to the conclusion it had to be an argument for the container within the deployment configuration, but couldn't find any documentation nor had any success in configuring it persistently.

So I came here.

adrianludwin commented 10 months ago

Oh, I see the confusion - you were looking at these admin commands, right?

The --managed-namespace-label command-line flag isn't for the kubectl client; it's for the HNC workload that actually runs on the server. You need to first modify the HNC deployment like this to tell HNC which labels/annotations are managed, and only then will you be able to modify the HierarchyConfiguration objects.

Does that make sense? I think you got close, you were just missing the last steps.

wibed commented 10 months ago

You were right. Thank you!

For future generations:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - https://github.com/kubernetes-sigs/hierarchical-namespaces/releases/download/v1.1.0-rc2/default.yaml
  - ./resources

patches:
- patch: |-
    - op: add
      path: /spec/template/spec/containers/0/args/-
      value: --managed-namespace-label=pod-security.kubernetes.io/enforce
  target:
    kind: Deployment
    name: hnc-controller-manager
    namespace: hnc-system

apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  labels:
    kubernetes.io/metadata.name: metallb-system
  namespace: staging
  name: metallb-system
spec:
  labels:
  - key: pod-security.kubernetes.io/enforce
    value: privileged

adrianludwin commented 10 months ago

Great! Glad it worked for you :)
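
The ordering this thread arrives at (the flag on the HNC Deployment first, `spec.labels` second) can be checked before applying anything. The following is an added example, not code from the thread or from HNC: it compares the `--managed-namespace-label` args of a Deployment with the label keys in a HierarchyConfiguration or SubnamespaceAnchor. The function names, the embedded JSON and the `example.com/team` key are constructed for illustration, and the flag value is assumed to be matched as an exact key, the form used above.

```python
import json

FLAG = "--managed-namespace-label"

# Constructed sample, shaped like the output of
# `kubectl -n hnc-system get deployment hnc-controller-manager -o json` (trimmed).
DEPLOYMENT = json.loads("""
{"kind": "Deployment",
 "metadata": {"name": "hnc-controller-manager", "namespace": "hnc-system"},
 "spec": {"template": {"spec": {"containers": [
   {"args": ["--managed-namespace-label=pod-security.kubernetes.io/enforce"]}
 ]}}}}
""")

# Constructed sample: the HierarchyConfiguration from the thread plus one
# hypothetical key (example.com/team) that no flag covers.
HIERARCHY = json.loads("""
{"apiVersion": "hnc.x-k8s.io/v1alpha2", "kind": "HierarchyConfiguration",
 "metadata": {"name": "hierarchy", "namespace": "staging"},
 "spec": {"labels": [
   {"key": "pod-security.kubernetes.io/enforce", "value": "privileged"},
   {"key": "example.com/team", "value": "platform"}
 ]}}
""")


def managed_label_keys(deployment):
    """Return the values of every --managed-namespace-label container arg."""
    keys = set()
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        args = container.get("args") or []
        for i, arg in enumerate(args):
            if arg.startswith(FLAG + "="):      # --flag=value form
                keys.add(arg.split("=", 1)[1])
            elif arg == FLAG and i + 1 < len(args):  # --flag value form
                keys.add(args[i + 1])
    return keys


def unmanaged_labels(deployment, obj):
    """List spec.labels keys in obj that the Deployment does not declare as managed.
    Assumption: the flag value is compared as an exact label key."""
    managed = managed_label_keys(deployment)
    labels = (obj.get("spec") or {}).get("labels") or []
    return [entry["key"] for entry in labels if entry["key"] not in managed]


if __name__ == "__main__":
    for key in unmanaged_labels(DEPLOYMENT, HIERARCHY):
        print(f"not managed by HNC, add {FLAG}={key} to the Deployment first: {key}")
```

Run against the real objects, the same check also gives a reviewable list of which namespace labels, such as the Pod Security `enforce` level here, HNC is allowed to propagate down the tree.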