Azure · ryanzhang-oss · Sep 16, 2025 · Sep 9, 2025 · Sep 9, 2025 · Sep 12, 2025
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 

diff --git a/cmd/memberagent/main.go b/cmd/memberagent/main.go
@@ -102,6 +102,9 @@ var (
 	workApplierRequeueRateLimiterExponentialBaseForFastBackoff                       = flag.Float64("work-applier-requeue-rate-limiter-exponential-base-for-fast-backoff", 1.5, "If set, the work applier will start to back off fast at this factor after it completes the slow backoff stage, until it reaches the fast backoff delay cap. Its value should be larger than the base value for the slow backoff stage.")
 	workApplierRequeueRateLimiterMaxFastBackoffDelaySeconds                          = flag.Float64("work-applier-requeue-rate-limiter-max-fast-backoff-delay-seconds", 900, "If set, the work applier will not back off longer than this value in seconds when it is in the fast backoff stage.")
 	workApplierRequeueRateLimiterSkipToFastBackoffForAvailableOrDiffReportedWorkObjs = flag.Bool("work-applier-requeue-rate-limiter-skip-to-fast-backoff-for-available-or-diff-reported-work-objs", true, "If set, the rate limiter will skip the slow backoff stage and start fast backoff immediately for work objects that are available or have diff reported.")
+	// Azure property provider feature gates.
+	isAzProviderCostPropertiesEnabled         = flag.Bool("use-cost-properties-in-azure-provider", true, "If set, the Azure property provider will expose cost properties in the member cluster.")
+	isAzProviderAvailableResPropertiesEnabled = flag.Bool("use-available-res-properties-in-azure-provider", true, "If set, the Azure property provider will expose available resources properties in the member cluster.")
 )
 
 func init() {
@@ -461,7 +464,7 @@ func Start(ctx context.Context, hubCfg, memberConfig *rest.Config, hubOpts, memb
 			// the specific instance wins the leader election.
 			klog.V(1).InfoS("Property Provider is azure, loading cloud config", "cloudConfigFile", *cloudConfigFile)
 			// TODO (britaniar): load cloud config for Azure property provider.
-			pp = azure.New(region)
+			pp = azure.New(region, *isAzProviderCostPropertiesEnabled, *isAzProviderAvailableResPropertiesEnabled)
 		default:
 			// Fall back to not using any property provider if the provided type is none or
 			// not recognizable.

diff --git a/pkg/controllers/placement/resource_selector.go b/pkg/controllers/placement/resource_selector.go
@@ -41,44 +41,52 @@ import (
 )
 
 var (
-	// ApplyOrder is the order in which resources should be applied.
-	// Those occurring earlier in the list get applied before those occurring later in the list.
-	// Source: https://github.com/helm/helm/blob/31e22b9866af91e1a0ea2ad381798f6c5eec7f4f/pkg/release/util/kind_sorter.go#L31.
-	applyOrder = []string{
-		"PriorityClass",
-		"Namespace",
-		"NetworkPolicy",
-		"ResourceQuota",
-		"LimitRange",
-		"PodDisruptionBudget",
-		"ServiceAccount",
-		"Secret",
-		"ConfigMap",
-		"StorageClass",
-		"PersistentVolume",
-		"PersistentVolumeClaim",
-		"CustomResourceDefinition",
-		"ClusterRole",
-		"ClusterRoleBinding",
-		"Role",
-		"RoleBinding",
-		"Service",
-		"DaemonSet",
-		"Pod",
-		"ReplicationController",
-		"ReplicaSet",
-		"Deployment",
-		"HorizontalPodAutoscaler",
-		"StatefulSet",
-		"Job",
-		"CronJob",
-		"IngressClass",
-		"Ingress",
-		"APIService",
-		"MutatingWebhookConfiguration",
-		"ValidatingWebhookConfiguration",
-	}
-	applyOrderMap = buildApplyOrderMap()
+	// resourceSortOrder is the order in which resources are sorted when KubeFleet
+	// organizes the resources in a resource snapshot.
+	//
+	// Note (chenyu1): the sort order here does not affect the order in which resources
+	// are applied on a selected member cluster (the work applier will handle the resources
+	// in batch with its own grouping logic). KubeFleet sorts resources here solely
+	// for consistency (deterministic processing) reasons (i.e., if the set of the
+	// resources remain the same, no new snapshots are generated).
+	//
+	// Important (chenyu1): changing the sort order here may induce side effects in
+	// existing KubeFleet deployments, as a new snapshot might be prepared and rolled out.
+	// Do not update the sort order unless absolutely necessary.
+	resourceSortOrder = map[string]int{
+		"PriorityClass":                  0,
+		"Namespace":                      1,
+		"NetworkPolicy":                  2,
+		"ResourceQuota":                  3,
+		"LimitRange":                     4,
+		"PodDisruptionBudget":            5,
+		"ServiceAccount":                 6,
+		"Secret":                         7,
+		"ConfigMap":                      8,
+		"StorageClass":                   9,
+		"PersistentVolume":               10,
+		"PersistentVolumeClaim":          11,
+		"CustomResourceDefinition":       12,
+		"ClusterRole":                    13,
+		"ClusterRoleBinding":             14,
+		"Role":                           15,
+		"RoleBinding":                    16,
+		"Service":                        17,
+		"DaemonSet":                      18,
+		"Pod":                            19,
+		"ReplicationController":          20,
+		"ReplicaSet":                     21,
+		"Deployment":                     22,
+		"HorizontalPodAutoscaler":        23,
+		"StatefulSet":                    24,
+		"Job":                            25,
+		"CronJob":                        26,
+		"IngressClass":                   27,
+		"Ingress":                        28,
+		"APIService":                     29,
+		"MutatingWebhookConfiguration":   30,
+		"ValidatingWebhookConfiguration": 31,
+	}
 )
 
 // selectResources selects the resources according to the placement resourceSelectors.
@@ -185,8 +193,8 @@ func sortResources(resources []*unstructured.Unstructured) {
 		k1 := obj1.GetObjectKind().GroupVersionKind().Kind
 		k2 := obj2.GetObjectKind().GroupVersionKind().Kind
 
-		first, aok := applyOrderMap[k1]
-		second, bok := applyOrderMap[k2]
+		first, aok := resourceSortOrder[k1]
+		second, bok := resourceSortOrder[k2]
 		switch {
 		// if both kinds are unknown.
 		case !aok && !bok:
@@ -222,14 +230,6 @@ func lessByGVK(obj1, obj2 *unstructured.Unstructured, ignoreKind bool) bool {
 	return comp < 0
 }
 
-func buildApplyOrderMap() map[string]int {
-	ordering := make(map[string]int, len(applyOrder))
-	for v, k := range applyOrder {
-		ordering[k] = v
-	}
-	return ordering
-}
-
 // fetchResources retrieves the objects based on the selector.
 func (r *Reconciler) fetchResources(selector fleetv1beta1.ResourceSelectorTerm, placementKey types.NamespacedName) ([]runtime.Object, error) {
 	klog.V(2).InfoS("Start to fetch resources by the selector", "selector", selector, "placement", placementKey)

diff --git a/pkg/controllers/workgenerator/envelope.go b/pkg/controllers/workgenerator/envelope.go
@@ -147,6 +147,16 @@ func extractManifestsFromEnvelopeCR(envelopeReader fleetv1beta1.EnvelopeReader)
 	}
 
 	// Do a stable sort of the extracted manifests to ensure consistent, deterministic ordering.
+	//
+	// Note (chenyu1): the sort order here does not affect the order in which resources
+	// are applied on a selected member cluster (the work applier will handle the resources
+	// in batch with its own grouping logic). KubeFleet sorts resources here solely
+	// for consistency (deterministic processing) reasons (i.e., if the set of the
+	// resources remain the same, work objects will not be updated).
+	//
+	// Important (chenyu1): changing the sort order here may induce side effects in
+	// existing KubeFleet deployments, as it might trigger update ops on work objects.
+	// Do not update the sort order unless absolutely necessary.
 	sort.Slice(manifests, func(i, j int) bool {
 		obj1 := manifests[i].Raw
 		obj2 := manifests[j].Raw

diff --git a/pkg/propertyprovider/azure/controllers/node.go b/pkg/propertyprovider/azure/controllers/node.go
@@ -89,9 +89,10 @@ func (r *NodeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.
 	return ctrl.Result{}, nil
 }
 
-func (r *NodeReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *NodeReconciler) SetupWithManager(mgr ctrl.Manager, controllerName string) error {
 	// Reconcile any node changes (create, update, delete).
 	return ctrl.NewControllerManagedBy(mgr).
+		Named(controllerName).
 		For(&corev1.Node{}).
 		Complete(r)
 }
diff --git a/pkg/propertyprovider/azure/controllers/pod.go b/pkg/propertyprovider/azure/controllers/pod.go
@@ -108,9 +108,10 @@ func (p *PodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.R
 	return ctrl.Result{}, nil
 }
 
-func (p *PodReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (p *PodReconciler) SetupWithManager(mgr ctrl.Manager, controllerName string) error {
 	// Reconcile any pod changes (create, update, delete).
 	return ctrl.NewControllerManagedBy(mgr).
+		Named(controllerName).
 		For(&corev1.Pod{}).
 		Complete(p)
 }