feat: enable controlled CR reconciliation#6243
Conversation
I'm not sure about this. If both ConfigConnector and ConfigConnectorContext support resourceSettings, then I would expect that both would be honored, rather than ignoring one or the other. My assumption would be that we would look first at the CCC (when in namespace mode), and then at the CC. Am I missing a reason to ignore the CC in namespace mode? |
Yes, that is the intended behavior I want to implement |
a0e8c37 to
122eb05
Compare
| } | ||
|
|
||
| func getResourceSetting(settings []operatorv1beta1.ResourceSetting, gvk schema.GroupVersionKind) (found bool, enabled bool) { | ||
| for _, s := range settings { |
There was a problem hiding this comment.
As per @acpana 's suggestion, we could make resourceSetting a map of [schema.gk]properties, and we could keep adding more resource specific configuration values to the properties struct, just make sure that they are mutually exclusive with enabled:false. This also helps with efficiency as we do not need to iterate through the list here.
fef42a4 to
12a9112
Compare
No I agree, I have updated the implementation to honor both CC and CCC. with CCC taking precedence in namespace mode. |
9d26e5b to
586dd3f
Compare
|
/assign @cheftako |
| type ResourceFilter struct { | ||
| // Group is the API group of the resource. | ||
| // +required | ||
| Group string `json:"group"` |
There was a problem hiding this comment.
Should be a pointer in case we ever want to make it optional. I believe we have been making the use of pointer to native the standard in our types.go files recently.
|
|
||
| // Kind is the Kind of the resource. | ||
| // +optional | ||
| Kind string `json:"kind,omitempty"` |
…ts, allow transition states with warnings
|
|
||
| type ResourceSettings struct { | ||
| // Mode controls whether the resources are included or excluded. | ||
| // Defaults to "exclude" (Exclusion mode). |
There was a problem hiding this comment.
Should indicate all allowed values as well as the default.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cheftako The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
6b3ff9b
This PR fixes a bug in the ResourceSettings mode conflict logic introduced in #6243. The previous logic would log a warning and skip the conflict check if both ConfigConnector and ConfigConnectorContext were present but had different modes. This caused TestResourceExclusion/ConflictMode to fail as it expected an error. This PR ensures that the conflict check is performed first if both settings are present. Fixes #7325 Generated by Overseer (powered by the gemini-3-flash-preview model).
BRIEF Change description
Implement Resource Config to allow unmanaging specific resources by the Config Connector controller.
WHY do we need this change?
This feature allows users and platform administrators to selectively disable the reconciliation of specific resources (Group/Kind).
ConfigConnectorobject.ConfigConnectorContextobject. This takes precedence over globalConfigConnectorsettings.This is useful for:
Special notes for your reviewer:
pkg/controller/registration/registration_controller.goto checkisResourceDisabledbefore starting a controller.ScopedNamespacewas added tokccmanagerconfiguration to allow namespace-scoped managers to identify and prioritize their relevantConfigConnectorContext. The controller evaluates bothConfigConnectorandConfigConnectorContextto determine if a resource should be excluded, prioritizingConfigConnectorContext.enabled: trueentries are ignored and logged as warnings.TestResourceExclusioninpkg/controller/kccmanager/kccmanager_exclusion_test.goverifies end-to-end behavior for both cluster and namespace modes.Since registration only happens at manager startup, when we update the CCC/CC, we need to restart the pod to pick up the change.
Does this PR add something which needs to be 'release noted'?
Additional documentation e.g., references, usage docs, etc.:
Intended Milestone
Please indicate the intended milestone.
Tests you have done
Testing Performed
Successfully built and deployed KCC to a GKE test cluster (
test-partial-crd) in Namespaced mode. Conducted manual verification of the new ResourceSettings conflict and inclusion/exclusion logic:1. Mixed Modes Conflict Rejection
Configured a global
ConfigConnectorin Exclusive Mode (enabled: false), against a localConfigConnectorContextin Inclusive Mode (enabled: true).Result: The Operator correctly flags the conflict as an error and aggressively blocks the StatefulSet creation for that namespace.
$ kubectl get configconnectorcontext -n test1 -o yaml ... status: errors: - 'error during reconciliation: conflict: ConfigConnector and ConfigConnectorContext cannot mix inclusive (enabled: true) and exclusive (enabled: false) modes' healthy: false $ kubectl get statefulset -n cnrm-system NAME READY AGE cnrm-deletiondefender 1/1 2m43s cnrm-unmanaged-detector 1/1 2m43s # (No cnrm-controller-manager deployed)2. Exclusion List Verification (Deny-list)
Resolved the conflict by setting both to Exclusive Mode (
enabled: false).Result: The Operator clears the error and deploys the manager. Verified the
StorageBucketandPubSubTopiccontrollers are aggressively excluded from memory logs:3. Inclusion List Verification (Allow-list)
Inverted configurations to an Inclusive Mode (
enabled: true) across both theConfigConnectorandConfigConnectorContext.Result: Forced a pod restart to evaluate the new environment. The Pod cleanly abandons the other 170+ parent controllers, radically pruning the controller process loop to explicitly map only the whitelist elements into memory.
make ready-prto ensure this PR is ready for review.