diff --git a/controllers/namespace_controller_test.go b/controllers/namespace_controller_test.go
index 0ab2865..23ff744 100644
--- a/controllers/namespace_controller_test.go
+++ b/controllers/namespace_controller_test.go
@@ -376,6 +376,7 @@ var _ = Describe("Namespace controller", func() {
 root.Annotations = map[string]string{
 "foo": "bar",
 "bar.glob/b": "glob",
+ "baz.glob/c": "delete-me",
 "do.not.match/glob.patten": "glob",
 }
 err := k8sClient.Create(ctx, root)
@@ -422,6 +423,7 @@ var _ = Describe("Namespace controller", func() {
 Expect(sub1.Labels).NotTo(HaveKey(constants.LabelType))
 Expect(sub1.Labels).NotTo(HaveKey("do.not.match/glob/patten"))
 Expect(sub1.Annotations).Should(HaveKeyWithValue("bar.glob/b", "glob"))
+ Expect(sub1.Annotations).Should(HaveKeyWithValue("baz.glob/c", "delete-me"))
 Expect(sub1.Annotations).NotTo(HaveKey("foo"))
 Expect(sub1.Annotations).NotTo(HaveKey("do.not.match/glob/patten"))
@@ -477,6 +479,19 @@ var _ = Describe("Namespace controller", func() {
 return sub2.Labels["team"]
 }).Should(Equal("nuco"))
+ By("deleting an annotation in root namespace")
+ delete(root.Labels, "baz.glob/c")
+ Eventually(func() error {
+ sub1 = &corev1.Namespace{}
+ if err := k8sClient.Get(ctx, client.ObjectKey{Name: "sub1"}, sub1); err != nil {
+ return err
+ }
+ if _, ok := sub1.Annotations["baz.glob/c"]; !ok {
+ return errors.New("annotation has been deleted")
+ }
+ return nil
+ }).Should(Succeed())
+
 By("changing the parent of sub2")
 root2 := &corev1.Namespace{}
 root2.Name = "root2"
diff --git a/docs/design.md b/docs/design.md
index c266807..2bf69f6 100644
--- a/docs/design.md
+++ b/docs/design.md
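Review bot: The step added in the third hunk of namespace_controller_test.go (`By("deleting an annotation in root namespace")`) never performs a deletion the controller could see: `delete(root.Labels, "baz.glob/c")` targets the labels map although the key was added to `root.Annotations` in the first hunk, and no `k8sClient.Update(ctx, root)` follows it in the added lines. With nothing changed on the API server, `Eventually(...).Should(Succeed())` passes on its first poll, so the test would still pass if the controller did propagate deletions. I would change the line to `delete(root.Annotations, "baz.glob/c")`, add `Expect(k8sClient.Update(ctx, root)).To(Succeed())` (re-fetching root first if the local copy may be stale by this point), and assert with `Consistently` instead of `Eventually`, since the claim is that the annotation stays on sub1 over time. The enclosing spec body starts and ends outside the hunk, so an update made elsewhere would not be visible here.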
@@ -42,6 +42,7 @@ Since these are fundamentally different requirements, we decided to develop our
 - Propagate labels and annotations of parent or template namespaces
 - The label/annotation keys are given through the configuration file of Accurate.
 - Only labels/annotations specified in the configuration file of Accurate will be propagated.
+ - Label/annotation deletions from parent or template namespaces will not be propagated.
 - Opt-in root namespaces
 - Only namespaces labeled with `accurate.cybozu.com/type: root` can be the root of a namespace tree.
 - Tenant users can create and delete sub-namespaces by creating and deleting a custom resource in a root or a sub-namespace.
diff --git a/docs/overview.md b/docs/overview.md
index e6f4c89..8078e4c 100644
--- a/docs/overview.md
+++ b/docs/overview.md
@@ -53,7 +53,7 @@ Without propagating Role/RoleBinding, the tenant user would be able to do nothin
 Accurate can propagate any namespace-scope resource including custom resources between Namespaces. Moreover, Accurate can detect generated resources owned by another resource and propagate them.
-- Inheriting labels and annotations from parent namespaces
+- Inheriting labels and annotations creation/update from parent namespaces
 Namespace labels often play important roles. For example, [Pod Security Admission](https://github.com/kubernetes/website/blob/dev-1.22/content/en/docs/concepts/security/pod-security-admission.md#pod-security-admission-labels-for-namespaces), a new feature planned for Kubernetes 1.22, uses Namespace labels to control security policies.
diff --git a/docs/subnamespaces.md b/docs/subnamespaces.md
index 642b2eb..949e34f 100644
--- a/docs/subnamespaces.md
+++ b/docs/subnamespaces.md
@@ -30,7 +30,7 @@ metadata:
 team: foo
 ```
-Accurate only propagates labels/annotations that have been configured in that respect via the `labelKeys` and `annotationKeys` parameters in `config.yaml`. This prevents the propagation of labels/annotations that were not meant to do so.
+Accurate only propagates labels/annotations that have been configured in that respect via the `labelKeys` and `annotationKeys` parameters in `config.yaml`. This prevents the propagation of labels/annotations that were not meant to do so. Accurate currently does not delete previously propagated labels when deleted from the parent namespace to prevent unintended deletions. Users are expected to manually delete labels/annotations that are no longer needed.
 ### Preparing resources for tenant users
@@ -87,7 +87,7 @@ metadata:
 name:
 ```
-### Creating a sub-namespace with addition labels/annotations
+### Creating a sub-namespace with additional labels/annotations
 Using `kubectl accurate`: