determine k8s namespace scope (#568)

yuwenma · web-flow · commit 5e888beae1d2 · 2022-05-03T11:11:10.000-07:00
diff --git a/go/fn/internal/const/namespace.go b/go/fn/internal/const/namespace.go
@@ -0,0 +1,91 @@
+package _const
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// precomputedIsNamespaceScoped copies the sigs.k8s.io/kustomize/kyaml/openapi precomputedIsNamespaceScoped
+var PrecomputedIsNamespaceScoped = map[yaml.TypeMeta]bool{
+	{APIVersion: "admissionregistration.k8s.io/v1", Kind: "MutatingWebhookConfiguration"}:        false,
+	{APIVersion: "admissionregistration.k8s.io/v1", Kind: "ValidatingWebhookConfiguration"}:      false,
+	{APIVersion: "admissionregistration.k8s.io/v1beta1", Kind: "MutatingWebhookConfiguration"}:   false,
+	{APIVersion: "admissionregistration.k8s.io/v1beta1", Kind: "ValidatingWebhookConfiguration"}: false,
+	{APIVersion: "apiextensions.k8s.io/v1", Kind: "CustomResourceDefinition"}:                    false,
+	{APIVersion: "apiextensions.k8s.io/v1beta1", Kind: "CustomResourceDefinition"}:               false,
+	{APIVersion: "apiregistration.k8s.io/v1", Kind: "APIService"}:                                false,
+	{APIVersion: "apiregistration.k8s.io/v1beta1", Kind: "APIService"}:                           false,
+	{APIVersion: "apps/v1", Kind: "ControllerRevision"}:                                          true,
+	{APIVersion: "apps/v1", Kind: "DaemonSet"}:                                                   true,
+	{APIVersion: "apps/v1", Kind: "Deployment"}:                                                  true,
+	{APIVersion: "apps/v1", Kind: "ReplicaSet"}:                                                  true,
+	{APIVersion: "apps/v1", Kind: "StatefulSet"}:                                                 true,
+	{APIVersion: "autoscaling/v1", Kind: "HorizontalPodAutoscaler"}:                              true,
+	{APIVersion: "autoscaling/v1", Kind: "Scale"}:                                                true,
+	{APIVersion: "autoscaling/v2beta1", Kind: "HorizontalPodAutoscaler"}:                         true,
+	{APIVersion: "autoscaling/v2beta2", Kind: "HorizontalPodAutoscaler"}:                         true,
+	{APIVersion: "batch/v1", Kind: "CronJob"}:                                                    true,
+	{APIVersion: "batch/v1", Kind: "Job"}:                                                        true,
+	{APIVersion: "batch/v1beta1", Kind: "CronJob"}:                                               true,
+	{APIVersion: "certificates.k8s.io/v1", Kind: "CertificateSigningRequest"}:                    false,
+	{APIVersion: "certificates.k8s.io/v1beta1", Kind: "CertificateSigningRequest"}:               false,
+	{APIVersion: "coordination.k8s.io/v1", Kind: "Lease"}:                                        true,
+	{APIVersion: "coordination.k8s.io/v1beta1", Kind: "Lease"}:                                   true,
+	{APIVersion: "discovery.k8s.io/v1", Kind: "EndpointSlice"}:                                   true,
+	{APIVersion: "discovery.k8s.io/v1beta1", Kind: "EndpointSlice"}:                              true,
+	{APIVersion: "events.k8s.io/v1", Kind: "Event"}:                                              true,
+	{APIVersion: "events.k8s.io/v1beta1", Kind: "Event"}:                                         true,
+	{APIVersion: "extensions/v1beta1", Kind: "Ingress"}:                                          true,
+	{APIVersion: "flowcontrol.apiserver.k8s.io/v1beta1", Kind: "FlowSchema"}:                     false,
+	{APIVersion: "flowcontrol.apiserver.k8s.io/v1beta1", Kind: "PriorityLevelConfiguration"}:     false,
+	{APIVersion: "networking.k8s.io/v1", Kind: "Ingress"}:                                        true,
+	{APIVersion: "networking.k8s.io/v1", Kind: "IngressClass"}:                                   false,
+	{APIVersion: "networking.k8s.io/v1", Kind: "NetworkPolicy"}:                                  true,
+	{APIVersion: "networking.k8s.io/v1beta1", Kind: "Ingress"}:                                   true,
+	{APIVersion: "networking.k8s.io/v1beta1", Kind: "IngressClass"}:                              false,
+	{APIVersion: "node.k8s.io/v1", Kind: "RuntimeClass"}:                                         false,
+	{APIVersion: "node.k8s.io/v1beta1", Kind: "RuntimeClass"}:                                    false,
+	{APIVersion: "policy/v1", Kind: "PodDisruptionBudget"}:                                       true,
+	{APIVersion: "policy/v1beta1", Kind: "PodDisruptionBudget"}:                                  true,
+	{APIVersion: "policy/v1beta1", Kind: "PodSecurityPolicy"}:                                    false,
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}:                            false,
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}:                     false,
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"}:                                   true,
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "RoleBinding"}:                            true,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "ClusterRole"}:                       false,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "ClusterRoleBinding"}:                false,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "Role"}:                              true,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "RoleBinding"}:                       true,
+	{APIVersion: "scheduling.k8s.io/v1", Kind: "PriorityClass"}:                                  false,
+	{APIVersion: "scheduling.k8s.io/v1beta1", Kind: "PriorityClass"}:                             false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "CSIDriver"}:                                         false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "CSINode"}:                                           false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "StorageClass"}:                                      false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "VolumeAttachment"}:                                  false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "CSIDriver"}:                                    false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "CSINode"}:                                      false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "CSIStorageCapacity"}:                           true,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "StorageClass"}:                                 false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "VolumeAttachment"}:                             false,
+	{APIVersion: "v1", Kind: "ComponentStatus"}:                                                  false,
+	{APIVersion: "v1", Kind: "ConfigMap"}:                                                        true,
+	{APIVersion: "v1", Kind: "Endpoints"}:                                                        true,
+	{APIVersion: "v1", Kind: "Event"}:                                                            true,
+	{APIVersion: "v1", Kind: "LimitRange"}:                                                       true,
+	{APIVersion: "v1", Kind: "Namespace"}:                                                        false,
+	{APIVersion: "v1", Kind: "Node"}:                                                             false,
+	{APIVersion: "v1", Kind: "NodeProxyOptions"}:                                                 false,
+	{APIVersion: "v1", Kind: "PersistentVolume"}:                                                 false,
+	{APIVersion: "v1", Kind: "PersistentVolumeClaim"}:                                            true,
+	{APIVersion: "v1", Kind: "Pod"}:                                                              true,
+	{APIVersion: "v1", Kind: "PodAttachOptions"}:                                                 true,
+	{APIVersion: "v1", Kind: "PodExecOptions"}:                                                   true,
+	{APIVersion: "v1", Kind: "PodPortForwardOptions"}:                                            true,
+	{APIVersion: "v1", Kind: "PodProxyOptions"}:                                                  true,
+	{APIVersion: "v1", Kind: "PodTemplate"}:                                                      true,
+	{APIVersion: "v1", Kind: "ReplicationController"}:                                            true,
+	{APIVersion: "v1", Kind: "ResourceQuota"}:                                                    true,
+	{APIVersion: "v1", Kind: "Secret"}:                                                           true,
+	{APIVersion: "v1", Kind: "Service"}:                                                          true,
+	{APIVersion: "v1", Kind: "ServiceAccount"}:                                                   true,
+	{APIVersion: "v1", Kind: "ServiceProxyOptions"}:                                              true,
+}
diff --git a/go/fn/object.go b/go/fn/object.go
@@ -20,6 +20,7 @@ import (
 	"strconv"
 
 	"github.com/GoogleContainerTools/kpt-functions-sdk/go/fn/internal"
+	_const "github.com/GoogleContainerTools/kpt-functions-sdk/go/fn/internal/const"
 	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
@@ -551,6 +552,22 @@ func (o *KubeObject) GetNamespace() string {
 	return s
 }
 
+// IsNamespaceScoped tells whether a k8s resource is namespace scoped. If the KubeObject resource is a customized, it
+// determines the namespace scope by checking whether `metadata.namespace` is set.
+func (o *KubeObject) IsNamespaceScoped() bool {
+	tm := yaml.TypeMeta{Kind: o.GetKind(), APIVersion: o.GetAPIVersion()}
+	if nsScoped, ok := _const.PrecomputedIsNamespaceScoped[tm]; ok {
+		return nsScoped
+	}
+	// TODO(yuwenma): parse the resource openapi schema to know its scope status.
+	return o.HasNamespace()
+}
+
+// IsClusterScoped tells whether a resource is cluster scoped.
+func (o *KubeObject) IsClusterScoped() bool {
+	return !o.IsNamespaceScoped()
+}
+
 func (o *KubeObject) HasNamespace() bool {
 	_, found, _ := o.obj.GetNestedString("metadata", "namespace")
 	return found
diff --git a/go/fn/object_test.go b/go/fn/object_test.go
@@ -0,0 +1,61 @@
+package fn
+
+import "testing"
+
+func TestIsNamespaceScoped(t *testing.T) {
+	testdata := map[string]struct{
+		input []byte
+		expected bool
+ 	}{
+		"k8s resource, namespace scoped but unset": {
+			input: []byte(`
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: example
+spec:
+  hard:
+    limits.cpu: '10'
+`),
+			expected: true,
+		},
+		"k8s resource, cluster scoped": {
+			input: []byte(`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata: 
+  name: example
+subjects:
+- kind: ServiceAccount
+  name: example
+  apiGroup: rbac.authorization.k8s.io
+`),
+			expected: false,
+		},
+		"custom resource, namespace set": {
+			input: []byte(`
+apiVersion: kpt-test
+kind: KptTestResource
+metadata: 
+  name: example
+  namespace: example
+`),
+			expected: true,
+		},
+		"custom resource, namespace unset": {
+			input: []byte(`
+apiVersion: kpt-test
+kind: KptTestResource
+metadata: 
+  name: example
+`),
+			expected: false,
+		},
+	}
+	for description, data := range testdata {
+		o, _ := ParseKubeObject(data.input)
+		if o.IsNamespaceScoped() != data.expected {
+			t.Errorf("%v failed, resource namespace scope: got %v, want  %v", description, o.IsNamespaceScoped(), data.expected)
+		}
+	}
+}
