Merge pull request #51 from cybozu-go/clarify-meta-deletion

clarify label/annotation deletion behavior in docs and add test case

controllers/namespace_controller_test.go

@@ -376,6 +376,7 @@ var _ = Describe("Namespace controller", func() {
 		root.Annotations = map[string]string{
 			"foo":                      "bar",
 			"bar.glob/b":               "glob",
+			"baz.glob/c":               "delete-me",
 			"do.not.match/glob.patten": "glob",
 		}
 		err := k8sClient.Create(ctx, root)
@@ -422,6 +423,7 @@ var _ = Describe("Namespace controller", func() {
 		Expect(sub1.Labels).NotTo(HaveKey(constants.LabelType))
 		Expect(sub1.Labels).NotTo(HaveKey("do.not.match/glob/patten"))
 		Expect(sub1.Annotations).Should(HaveKeyWithValue("bar.glob/b", "glob"))
+		Expect(sub1.Annotations).Should(HaveKeyWithValue("baz.glob/c", "delete-me"))
 		Expect(sub1.Annotations).NotTo(HaveKey("foo"))
 		Expect(sub1.Annotations).NotTo(HaveKey("do.not.match/glob/patten"))
 
@@ -477,6 +479,19 @@ var _ = Describe("Namespace controller", func() {
 			return sub2.Labels["team"]
 		}).Should(Equal("nuco"))
 
+		By("deleting an annotation in root namespace")
+		delete(root.Labels, "baz.glob/c")
+		Eventually(func() error {
+			sub1 = &corev1.Namespace{}
+			if err := k8sClient.Get(ctx, client.ObjectKey{Name: "sub1"}, sub1); err != nil {
+				return err
+			}
+			if _, ok := sub1.Annotations["baz.glob/c"]; !ok {
+				return errors.New("annotation has been deleted")
+			}
+			return nil
+		}).Should(Succeed())
+
 		By("changing the parent of sub2")
 		root2 := &corev1.Namespace{}
 		root2.Name = "root2"

docs/design.md

@@ -42,6 +42,7 @@ Since these are fundamentally different requirements, we decided to develop our
 - Propagate labels and annotations of parent or template namespaces
     - The label/annotation keys are given through the configuration file of Accurate.
     - Only labels/annotations specified in the configuration file of Accurate will be propagated.
+    - Label/annotation deletions from parent or template namespaces will not be propagated.
 - Opt-in root namespaces
     - Only namespaces labeled with `accurate.cybozu.com/type: root` can be the root of a namespace tree.
 - Tenant users can create and delete sub-namespaces by creating and deleting a custom resource in a root or a sub-namespace.

docs/overview.md

@@ -53,7 +53,7 @@ Without propagating Role/RoleBinding, the tenant user would be able to do nothin
     Accurate can propagate any namespace-scope resource including custom resources between Namespaces.
     Moreover, Accurate can detect generated resources owned by another resource and propagate them.
 
-- Inheriting labels and annotations from parent namespaces
+- Inheriting labels and annotations creation/update from parent namespaces
 
     Namespace labels often play important roles.
     For example, [Pod Security Admission](https://github.com/kubernetes/website/blob/dev-1.22/content/en/docs/concepts/security/pod-security-admission.md#pod-security-admission-labels-for-namespaces), a new feature planned for Kubernetes 1.22, uses Namespace labels to control security policies.

docs/subnamespaces.md

@@ -30,7 +30,7 @@ metadata:
     team: foo
 ```
 
-Accurate only propagates labels/annotations that have been configured in that respect via the `labelKeys` and `annotationKeys` parameters in `config.yaml`. This prevents the propagation of labels/annotations that were not meant to do so.
+Accurate only propagates labels/annotations that have been configured in that respect via the `labelKeys` and `annotationKeys` parameters in `config.yaml`. This prevents the propagation of labels/annotations that were not meant to do so. Accurate currently does not delete previously propagated labels when deleted from the parent namespace to prevent unintended deletions. Users are expected to manually delete labels/annotations that are no longer needed.
 
 ### Preparing resources for tenant users
 
@@ -87,7 +87,7 @@ metadata:
   name: <name>
 ```
 
-### Creating a sub-namespace with addition labels/annotations
+### Creating a sub-namespace with additional labels/annotations
 
 Using `kubectl accurate`: