// NewNamespaceController creates a new NamespaceController func NewNamespaceController(kubeClient client.Interface, experimentalMode bool, resyncPeriod time.Duration) *NamespaceController { var controller *framework.Controller _, controller = framework.NewInformer( &cache.ListWatch{ ListFunc: func() (runtime.Object, error) { return kubeClient.Namespaces().List(labels.Everything(), fields.Everything()) }, WatchFunc: func(resourceVersion string) (watch.Interface, error) { return kubeClient.Namespaces().Watch(labels.Everything(), fields.Everything(), resourceVersion) }, }, &api.Namespace{}, resyncPeriod, framework.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { namespace := obj.(*api.Namespace) if err := syncNamespace(kubeClient, experimentalMode, *namespace); err != nil { if estimate, ok := err.(*contentRemainingError); ok { go func() { // Estimate is the aggregate total of TerminationGracePeriodSeconds, which defaults to 30s // for pods. However, most processes will terminate faster - within a few seconds, probably // with a peak within 5-10s. So this division is a heuristic that avoids waiting the full // duration when in many cases things complete more quickly. The extra second added is to // ensure we never wait 0 seconds. t := estimate.Estimate/2 + 1 glog.V(4).Infof("Content remaining in namespace %s, waiting %d seconds", namespace.Name, t) time.Sleep(time.Duration(t) * time.Second) if err := controller.Requeue(namespace); err != nil { util.HandleError(err) } }() return } util.HandleError(err) } }, UpdateFunc: func(oldObj, newObj interface{}) { namespace := newObj.(*api.Namespace) if err := syncNamespace(kubeClient, experimentalMode, *namespace); err != nil { if estimate, ok := err.(*contentRemainingError); ok { go func() { t := estimate.Estimate/2 + 1 glog.V(4).Infof("Content remaining in namespace %s, waiting %d seconds", namespace.Name, t) time.Sleep(time.Duration(t) * time.Second) if err := controller.Requeue(namespace); err != nil { util.HandleError(err) } }() return } util.HandleError(err) } }, }, ) return &NamespaceController{ controller: controller, } }
func RunProjectCache(c client.Interface, defaultNodeSelector string) { if pcache != nil { return } store := cache.NewStore(cache.MetaNamespaceKeyFunc) reflector := cache.NewReflector( &cache.ListWatch{ ListFunc: func() (runtime.Object, error) { return c.Namespaces().List(labels.Everything(), fields.Everything()) }, WatchFunc: func(resourceVersion string) (watch.Interface, error) { return c.Namespaces().Watch(labels.Everything(), fields.Everything(), resourceVersion) }, }, &kapi.Namespace{}, store, 0, ) reflector.Run() pcache = &ProjectCache{ Client: c, Store: store, DefaultNodeSelector: defaultNodeSelector, } }
// updateNamespaceStatusFunc will verify that the status of the namespace is correct func updateNamespaceStatusFunc(kubeClient client.Interface, namespace *api.Namespace) (*api.Namespace, error) { if namespace.DeletionTimestamp.IsZero() || namespace.Status.Phase == api.NamespaceTerminating { return namespace, nil } newNamespace := api.Namespace{} newNamespace.ObjectMeta = namespace.ObjectMeta newNamespace.Status = namespace.Status newNamespace.Status.Phase = api.NamespaceTerminating return kubeClient.Namespaces().Status(&newNamespace) }
// syncNamespace orchestrates deletion of a Namespace and its associated content. func syncNamespace(kubeClient client.Interface, versions *unversioned.APIVersions, namespace *api.Namespace) (err error) { if namespace.DeletionTimestamp == nil { return nil } glog.V(4).Infof("Syncing namespace %s", namespace.Name) // ensure that the status is up to date on the namespace // if we get a not found error, we assume the namespace is truly gone namespace, err = retryOnConflictError(kubeClient, namespace, updateNamespaceStatusFunc) if err != nil { if errors.IsNotFound(err) { return nil } return err } // if the namespace is already finalized, delete it if finalized(namespace) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } return nil } // there may still be content for us to remove estimate, err := deleteAllContent(kubeClient, versions, namespace.Name, *namespace.DeletionTimestamp) if err != nil { return err } if estimate > 0 { return &contentRemainingError{estimate} } // we have removed content, so mark it finalized by us result, err := retryOnConflictError(kubeClient, namespace, finalizeNamespaceFunc) if err != nil { return err } // now check if all finalizers have reported that we delete now if finalized(result) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } } return nil }
func confirmProjectAccess(currentProject string, oClient *client.Client, kClient kclient.Interface) error { _, projectErr := oClient.Projects().Get(currentProject) if !kapierrors.IsNotFound(projectErr) { return projectErr } // at this point we know the error is a not found, but we'll test namespaces just in case we're running on kube if _, err := kClient.Namespaces().Get(currentProject); err == nil { return nil } // otherwise return the openshift error default return projectErr }
// deleteAllContent will delete all content known to the system in a tenant. It returns an estimate // of the time remaining before the remaining resources are deleted. If estimate > 0 not all resources // are guaranteed to be gone. func deleteAllContent(kubeClient client.Interface, versions *unversioned.APIVersions, tenant string, before unversioned.Time) (estimate int64, err error) { items, err := kubeClient.Namespaces().List(labels.Everything(), fields.Everything()) if err != nil { return estimate, err } for _, namespace := range items.Items { if namespace.Tenant != tenant { continue } if err = kubeClient.Namespaces().Delete(namespace.Name); err != nil { return estimate, err } } return estimate, nil }
// retryOnConflictError retries the specified fn if there was a conflict error func retryOnConflictError(kubeClient client.Interface, namespace *api.Namespace, fn updateNamespaceFunc) (result *api.Namespace, err error) { result = namespace err = client.RetryOnConflict(wait.Backoff{Steps: maxRetriesOnConflict}, func() error { if result == nil { if result, err = kubeClient.Namespaces().Get(namespace.Name); err != nil { return err } } if result, err = fn(kubeClient, result); err != nil { result = nil } return err }) return }
func getProjects(oClient *client.Client, kClient kclient.Interface) ([]api.Project, error) { projects, err := oClient.Projects().List(kapi.ListOptions{}) if err == nil { return projects.Items, nil } if err != nil && !kapierrors.IsNotFound(err) { return nil, err } namespaces, err := kClient.Namespaces().List(kapi.ListOptions{}) if err != nil { return nil, err } projects = projectutil.ConvertNamespaceList(namespaces) return projects.Items, nil }
// finalize will finalize the namespace for kubernetes func finalizeNamespaceFunc(kubeClient client.Interface, namespace *api.Namespace) (*api.Namespace, error) { namespaceFinalize := api.Namespace{} namespaceFinalize.ObjectMeta = namespace.ObjectMeta namespaceFinalize.Spec = namespace.Spec finalizerSet := sets.NewString() for i := range namespace.Spec.Finalizers { if namespace.Spec.Finalizers[i] != api.FinalizerKubernetes { finalizerSet.Insert(string(namespace.Spec.Finalizers[i])) } } namespaceFinalize.Spec.Finalizers = make([]api.FinalizerName, 0, len(finalizerSet)) for _, value := range finalizerSet.List() { namespaceFinalize.Spec.Finalizers = append(namespaceFinalize.Spec.Finalizers, api.FinalizerName(value)) } return kubeClient.Namespaces().Finalize(&namespaceFinalize) }
// retryOnConflictError retries the specified fn if there was a conflict error // TODO RetryOnConflict should be a generic concept in client code func retryOnConflictError(kubeClient client.Interface, namespace *api.Namespace, fn updateNamespaceFunc) (result *api.Namespace, err error) { latestNamespace := namespace for { result, err = fn(kubeClient, latestNamespace) if err == nil { return result, nil } if !errors.IsConflict(err) { return nil, err } latestNamespace, err = kubeClient.Namespaces().Get(latestNamespace.Name) if err != nil { return nil, err } } return }
// NewProvision creates a new namespace provision admission control handler func NewProvision(c client.Interface) admission.Interface { store := cache.NewStore(cache.MetaNamespaceKeyFunc) reflector := cache.NewReflector( &cache.ListWatch{ ListFunc: func() (runtime.Object, error) { return c.Namespaces().List(labels.Everything(), fields.Everything(), unversioned.ListOptions{}) }, WatchFunc: func(options unversioned.ListOptions) (watch.Interface, error) { return c.Namespaces().Watch(options) }, }, &api.Namespace{}, store, 0, ) reflector.Run() return createProvision(c, store) }
// NewFactory initializes a factory that will watch the requested routes func (o *RouterSelection) NewFactory(oc oclient.Interface, kc kclient.Interface) *controllerfactory.RouterControllerFactory { factory := controllerfactory.NewDefaultRouterControllerFactory(oc, kc) factory.Labels = o.Labels factory.Fields = o.Fields factory.Namespace = o.Namespace factory.ResyncInterval = o.ResyncInterval switch { case o.NamespaceLabels != nil: glog.Infof("Router is only using routes in namespaces matching %s", o.NamespaceLabels) factory.Namespaces = namespaceNames{kc.Namespaces(), o.NamespaceLabels} case o.ProjectLabels != nil: glog.Infof("Router is only using routes in projects matching %s", o.ProjectLabels) factory.Namespaces = projectNames{oc.Projects(), o.ProjectLabels} case len(factory.Namespace) > 0: glog.Infof("Router is only using resources in namespace %s", factory.Namespace) default: glog.Infof("Router is including routes in all namespaces") } return factory }
// finalizeInternal will update the namespace finalizer list to either have or not have origin finalizer func finalizeInternal(kubeClient kclient.Interface, namespace *kapi.Namespace, withOrigin bool) (*kapi.Namespace, error) { namespaceFinalize := kapi.Namespace{} namespaceFinalize.ObjectMeta = namespace.ObjectMeta namespaceFinalize.Spec = namespace.Spec finalizerSet := sets.NewString() for i := range namespace.Spec.Finalizers { finalizerSet.Insert(string(namespace.Spec.Finalizers[i])) } if withOrigin { finalizerSet.Insert(string(api.FinalizerOrigin)) } else { finalizerSet.Delete(string(api.FinalizerOrigin)) } namespaceFinalize.Spec.Finalizers = make([]kapi.FinalizerName, 0, len(finalizerSet)) for _, value := range finalizerSet.List() { namespaceFinalize.Spec.Finalizers = append(namespaceFinalize.Spec.Finalizers, kapi.FinalizerName(value)) } return kubeClient.Namespaces().Finalize(&namespaceFinalize) }
func setupProjectRequestLimitNamespaces(t *testing.T, kclient kclient.Interface, namespacesByRequester map[string]int) { for requester, nsCount := range namespacesByRequester { for i := 0; i < nsCount; i++ { ns := &kapi.Namespace{} ns.GenerateName = "testns" ns.Annotations = map[string]string{projectapi.ProjectRequester: requester} _, err := kclient.Namespaces().Create(ns) if err != nil { t.Fatalf("Could not create namespace for requester %s: %v", requester, err) } } } }
// NewExists creates a new namespace exists admission control handler func NewExists(c client.Interface) admission.Interface { store := cache.NewStore(cache.MetaNamespaceKeyFunc) reflector := cache.NewReflector( &cache.ListWatch{ ListFunc: func() (runtime.Object, error) { return c.Namespaces().List(labels.Everything(), fields.Everything()) }, WatchFunc: func(resourceVersion string) (watch.Interface, error) { return c.Namespaces().Watch(labels.Everything(), fields.Everything(), resourceVersion) }, }, &api.Namespace{}, store, 5*time.Minute, ) reflector.Run() return &exists{ client: c, store: store, Handler: admission.NewHandler(admission.Create, admission.Update, admission.Delete), } }
// NewExists creates a new namespace exists admission control handler func NewExists(c client.Interface) admission.Interface { store := cache.NewStore(cache.MetaNamespaceKeyFunc) reflector := cache.NewReflector( &cache.ListWatch{ ListFunc: func(options api.ListOptions) (runtime.Object, error) { return c.Namespaces().List(options) }, WatchFunc: func(options api.ListOptions) (watch.Interface, error) { return c.Namespaces().Watch(options) }, }, &api.Namespace{}, store, 5*time.Minute, ) reflector.Run() return &exists{ client: c, store: store, Handler: admission.NewHandler(admission.Create, admission.Update, admission.Delete), } }
func GetAllocatedID(kClient client.Interface, pod *api.Pod, annotation string) (*int64, error) { if len(pod.Spec.ServiceAccountName) > 0 { sa, err := kClient.ServiceAccounts(pod.Namespace).Get(pod.Spec.ServiceAccountName) if err != nil { return nil, err } sUID, ok := sa.Annotations[annotation] if !ok { return nil, fmt.Errorf("Unable to find annotation %s on service account %s", annotation, pod.Spec.ServiceAccountName) } return AnnotationToIntPtr(sUID) } else { ns, err := kClient.Namespaces().Get(pod.Namespace) if err != nil { return nil, err } sUID, ok := ns.Annotations[annotation] if !ok { return nil, fmt.Errorf("Unable to find annotation %s on namespace %s", annotation, pod.Namespace) } return AnnotationToIntPtr(sUID) } }
// finalize will finalize the namespace for kubernetes func finalizeNamespaceFunc(kubeClient client.Interface, namespace *api.Namespace) (*api.Namespace, error) { namespaceFinalize := api.Namespace{} namespaceFinalize.ObjectMeta = namespace.ObjectMeta namespaceFinalize.Spec = namespace.Spec finalizerSet := sets.NewString() for i := range namespace.Spec.Finalizers { if namespace.Spec.Finalizers[i] != api.FinalizerKubernetes { finalizerSet.Insert(string(namespace.Spec.Finalizers[i])) } } namespaceFinalize.Spec.Finalizers = make([]api.FinalizerName, 0, len(finalizerSet)) for _, value := range finalizerSet.List() { namespaceFinalize.Spec.Finalizers = append(namespaceFinalize.Spec.Finalizers, api.FinalizerName(value)) } namespace, err := kubeClient.Namespaces().Finalize(&namespaceFinalize) if err != nil { // it was removed already, so life is good if errors.IsNotFound(err) { return namespace, nil } } return namespace, err }
// NewLifecycle creates a new namespace lifecycle admission control handler func NewLifecycle(c client.Interface) admission.Interface { store := cache.NewStore(cache.MetaNamespaceKeyFunc) reflector := cache.NewReflector( &cache.ListWatch{ ListFunc: func() (runtime.Object, error) { return c.Namespaces().List(labels.Everything(), fields.Everything(), unversioned.ListOptions{}) }, WatchFunc: func(options unversioned.ListOptions) (watch.Interface, error) { return c.Namespaces().Watch(options) }, }, &api.Namespace{}, store, 5*time.Minute, ) reflector.Run() return &lifecycle{ Handler: admission.NewHandler(admission.Create, admission.Update, admission.Delete), client: c, store: store, immortalNamespaces: sets.NewString(api.NamespaceDefault), } }
// Finalize will remove the origin finalizer from the namespace func Finalize(kubeClient kclient.Interface, namespace *kapi.Namespace) (result *kapi.Namespace, err error) { if Finalized(namespace) { return namespace, nil } // there is a potential for a resource conflict with base kubernetes finalizer // as a result, we handle resource conflicts in case multiple finalizers try // to finalize at same time for { result, err = finalizeInternal(kubeClient, namespace, false) if err == nil { return result, nil } if !kerrors.IsConflict(err) { return nil, err } namespace, err = kubeClient.Namespaces().Get(namespace.Name) if err != nil { return nil, err } } }
func syncTenantAndNamespace(kubeClient client.Interface, namespace *api.Namespace) error { if namespace.Tenant == "" { namespace.Tenant = api.TenantDefault } te, err := kubeClient.Tenants().Get(namespace.Tenant) if err != nil { return err } for i, n := range te.Spec.Namespaces { if n.Name == namespace.Name { te.Spec.Namespaces = append(te.Spec.Namespaces[:i], te.Spec.Namespaces[i+1:]...) break } } te.Spec.Namespaces = append(te.Spec.Namespaces, *namespace) if _, err = kubeClient.Namespaces().Update(namespace); err != nil { return err } if _, err = kubeClient.Tenants().Update(te); err != nil { return err } return nil }
// syncNamespace makes namespace life-cycle decisions func syncNamespace(kubeClient client.Interface, experimentalMode bool, namespace api.Namespace) (err error) { if namespace.DeletionTimestamp == nil { return nil } glog.V(4).Infof("Syncing namespace %s", namespace.Name) // if there is a deletion timestamp, and the status is not terminating, then update status if !namespace.DeletionTimestamp.IsZero() && namespace.Status.Phase != api.NamespaceTerminating { newNamespace := api.Namespace{} newNamespace.ObjectMeta = namespace.ObjectMeta newNamespace.Status = namespace.Status newNamespace.Status.Phase = api.NamespaceTerminating result, err := kubeClient.Namespaces().Status(&newNamespace) if err != nil { return err } // work with the latest copy so we can proceed to clean up right away without another interval namespace = *result } // if the namespace is already finalized, delete it if finalized(namespace) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } return nil } // there may still be content for us to remove estimate, err := deleteAllContent(kubeClient, experimentalMode, namespace.Name, *namespace.DeletionTimestamp) if err != nil { return err } if estimate > 0 { return &contentRemainingError{estimate} } // we have removed content, so mark it finalized by us result, err := finalize(kubeClient, namespace) if err != nil { return err } // now check if all finalizers have reported that we delete now if finalized(*result) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } } return nil }
// GetNamespaceDetail gets namespace details. func GetNamespaceDetail(client k8sClient.Interface, heapsterClient client.HeapsterClient, name string) ( *NamespaceDetail, error) { log.Printf("Getting details of %s namespace", name) namespace, err := client.Namespaces().Get(name) if err != nil { return nil, err } events, err := event.GetNamespaceEvents(client, dataselect.DefaultDataSelect, namespace.Name) if err != nil { return nil, err } resourceQuotaList, err := getResourceQuotas(client, *namespace) if err != nil { return nil, err } namespaceDetails := toNamespaceDetail(*namespace, events, resourceQuotaList) return &namespaceDetails, nil }
// syncNamespace orchestrates deletion of a Namespace and its associated content. func syncNamespace(kubeClient client.Interface, experimentalMode bool, namespace *api.Namespace) error { if namespace.DeletionTimestamp == nil { return nil } // multiple controllers may edit a namespace during termination // first get the latest state of the namespace before proceeding // if the namespace was deleted already, don't do anything namespace, err := kubeClient.Namespaces().Get(namespace.Name) if err != nil { if errors.IsNotFound(err) { return nil } return err } glog.V(4).Infof("Syncing namespace %s", namespace.Name) // ensure that the status is up to date on the namespace // if we get a not found error, we assume the namespace is truly gone namespace, err = retryOnConflictError(kubeClient, namespace, updateNamespaceStatusFunc) if err != nil { if errors.IsNotFound(err) { return nil } return err } // if the namespace is already finalized, delete it if finalized(namespace) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } return nil } // there may still be content for us to remove estimate, err := deleteAllContent(kubeClient, experimentalMode, namespace.Name, *namespace.DeletionTimestamp) if err != nil { return err } if estimate > 0 { return &contentRemainingError{estimate} } // we have removed content, so mark it finalized by us result, err := retryOnConflictError(kubeClient, namespace, finalizeNamespaceFunc) if err != nil { return err } // now check if all finalizers have reported that we delete now if finalized(result) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } } return nil }
// syncNamespace orchestrates deletion of a Namespace and its associated content. func syncNamespace(kubeClient client.Interface, versions *unversioned.APIVersions, namespace *api.Namespace) error { if namespace.DeletionTimestamp == nil { if namespace.Spec.Network != "" { net, err := kubeClient.Networks().Get(namespace.Spec.Network) if err != nil || net == nil { glog.Warningf("Network %s cann't be found", namespace.Spec.Network) newNamespace := api.Namespace{} newNamespace.ObjectMeta = namespace.ObjectMeta newNamespace.Spec = namespace.Spec newNamespace.Status = namespace.Status newNamespace.Status.Phase = api.NamespaceFailed _, err := kubeClient.Namespaces().Status(&newNamespace) if err != nil { return err } } } return nil } // multiple controllers may edit a namespace during termination // first get the latest state of the namespace before proceeding // if the namespace was deleted already, don't do anything namespace, err := kubeClient.Namespaces().Get(namespace.Name) if err != nil { if errors.IsNotFound(err) { return nil } return err } glog.V(4).Infof("Syncing namespace %s", namespace.Name) // ensure that the status is up to date on the namespace // if we get a not found error, we assume the namespace is truly gone namespace, err = retryOnConflictError(kubeClient, namespace, updateNamespaceStatusFunc) if err != nil { if errors.IsNotFound(err) { return nil } return err } // if the namespace is already finalized, delete it if finalized(namespace) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } return nil } // there may still be content for us to remove estimate, err := deleteAllContent(kubeClient, versions, namespace.Name, *namespace.DeletionTimestamp) if err != nil { return err } if estimate > 0 { return &contentRemainingError{estimate} } // we have removed content, so mark it finalized by us result, err := retryOnConflictError(kubeClient, namespace, finalizeNamespaceFunc) if err != nil { return err } // now check if all finalizers have reported that we delete now if finalized(result) { err = kubeClient.Namespaces().Delete(namespace.Name) if err != nil && !errors.IsNotFound(err) { return err } } return nil }