diff --git a/cmd/nfd-master/main.go b/cmd/nfd-master/main.go index e55211bba5..c78f60837c 100644 --- a/cmd/nfd-master/main.go +++ b/cmd/nfd-master/main.go @@ -65,6 +65,10 @@ func main() { args.Overrides.DenyLabelNs = overrides.DenyLabelNs case "label-whitelist": args.Overrides.LabelWhiteList = overrides.LabelWhiteList + case "feature-allowlist": + args.Overrides.FeatureAllowList = overrides.FeatureAllowList + case "feature-denylist": + args.Overrides.FeatureDenyList = overrides.FeatureDenyList case "enable-taints": args.Overrides.EnableTaints = overrides.EnableTaints case "no-publish": @@ -121,16 +125,22 @@ func initFlags(flagset *flag.FlagSet) (*master.Args, *master.ConfigOverrideArgs) args.Klog = klogutils.InitKlogFlags(flagset) overrides := &master.ConfigOverrideArgs{ - LabelWhiteList: &utils.RegexpVal{}, - DenyLabelNs: &utils.StringSetVal{}, - ExtraLabelNs: &utils.StringSetVal{}, - ResyncPeriod: &utils.DurationVal{Duration: time.Duration(1) * time.Hour}, + LabelWhiteList: &utils.RegexpVal{}, + FeatureAlowList: &utils.RegexpVal{}, + FeatureDenyList: &utils.RegexpVal{}, + DenyLabelNs: &utils.StringSetVal{}, + ExtraLabelNs: &utils.StringSetVal{}, + ResyncPeriod: &utils.DurationVal{Duration: time.Duration(1) * time.Hour}, } flagset.Var(overrides.ExtraLabelNs, "extra-label-ns", "Comma separated list of allowed extra label namespaces") flagset.Var(overrides.LabelWhiteList, "label-whitelist", "Regular expression to filter label names to publish to the Kubernetes API server. "+ "NB: the label namespace is omitted i.e. the filter is only applied to the name part after '/'.") + flagset.Var(overrides.FeatureAllowList, "feature-allowlist", + "Regular expression to filter feature names to publish to the Kubernetes API server") + flagset.Var(overrides.FeatureDenyList, "feature-denylist", + "Regular expression to filter out feature names") overrides.EnableTaints = flagset.Bool("enable-taints", false, "Enable node tainting feature") overrides.NoPublish = flagset.Bool("no-publish", false, diff --git a/pkg/nfd-worker/nfd-worker.go b/pkg/nfd-worker/nfd-worker.go index f54a901ec5..b83610693a 100644 --- a/pkg/nfd-worker/nfd-worker.go +++ b/pkg/nfd-worker/nfd-worker.go @@ -77,14 +77,16 @@ type NFDConfig struct { } type coreConfig struct { - Klog klogutils.KlogConfigOpts - LabelWhiteList utils.RegexpVal - NoPublish bool - NoOwnerRefs bool - FeatureSources []string - Sources *[]string - LabelSources []string - SleepInterval utils.DurationVal + Klog klogutils.KlogConfigOpts + LabelWhiteList utils.RegexpVal + FeatureAllowList utils.RegexpVal + FeatureDenyList utils.RegexpVal + NoPublish bool + NoOwnerRefs bool + FeatureSources []string + Sources *[]string + LabelSources []string + SleepInterval utils.DurationVal } type sourcesConfig map[string]source.Config @@ -196,11 +198,13 @@ func NewNfdWorker(opts ...NfdWorkerOption) (NfdWorker, error) { func newDefaultConfig() *NFDConfig { return &NFDConfig{ Core: coreConfig{ - LabelWhiteList: utils.RegexpVal{Regexp: *regexp.MustCompile("")}, - SleepInterval: utils.DurationVal{Duration: 60 * time.Second}, - FeatureSources: []string{"all"}, - LabelSources: []string{"all"}, - Klog: make(map[string]string), + LabelWhiteList: utils.RegexpVal{Regexp: *regexp.MustCompile("")}, + FeatureAllowList: utils.RegexpVal{Regexp: *regexp.MustCompile("")}, + FeatureDenyList: utils.RegexpVal{Regexp: *regexp.MustCompile("")}, + SleepInterval: utils.DurationVal{Duration: 60 * time.Second}, + FeatureSources: []string{"all"}, + LabelSources: []string{"all"}, + Klog: make(map[string]string), }, } } @@ -238,7 +242,7 @@ func (w *nfdWorker) runFeatureDiscovery() error { klog.InfoS("feature discovery sources took over half of sleep interval ", "duration", discoveryDuration, "sleepInterval", w.config.Core.SleepInterval.Duration) } // Get the set of feature labels. - labels := createFeatureLabels(w.labelSources, w.config.Core.LabelWhiteList.Regexp) + labels := createFeatureLabels(w.labelSources, w.config.Core.LabelWhiteList.Regexp, w.config.Core.FeatureAllowList.Regexp, w.config.Core.FeatureDenyList.Regexp) // Update the node with the feature labels. if !w.config.Core.NoPublish { @@ -531,13 +535,13 @@ func (w *nfdWorker) configure(filepath string, overrides string) error { // createFeatureLabels returns the set of feature labels from the enabled // sources and the whitelist argument. -func createFeatureLabels(sources []source.LabelSource, labelWhiteList regexp.Regexp) (labels Labels) { +func createFeatureLabels(sources []source.LabelSource, labelWhiteList regexp.Regexp, featureAllowList regexp.Regexp, featureDenyList regexp.Regexp) (labels Labels) { labels = Labels{} // Get labels from all enabled label sources klog.InfoS("starting feature discovery...") for _, source := range sources { - labelsFromSource, err := getFeatureLabels(source, labelWhiteList) + labelsFromSource, err := getFeatureLabels(source, labelWhiteList, featureAllowList, featureDenyList) if err != nil { klog.ErrorS(err, "discovery failed", "source", source.Name()) continue @@ -555,7 +559,7 @@ func createFeatureLabels(sources []source.LabelSource, labelWhiteList regexp.Reg // getFeatureLabels returns node labels for features discovered by the // supplied source. -func getFeatureLabels(source source.LabelSource, labelWhiteList regexp.Regexp) (labels Labels, err error) { +func getFeatureLabels(source source.LabelSource, labelWhiteList regexp.Regexp, featureAllowList regexp.Regexp, featureDenyList regexp.Regexp) (labels Labels, err error) { labels = Labels{} features, err := source.GetLabels() if err != nil { @@ -564,6 +568,15 @@ func getFeatureLabels(source source.LabelSource, labelWhiteList regexp.Regexp) ( for k, v := range features { name := k + if !featureAllowList.MatchString(name) { + klog.InfoS("feature does not match the allowlist", "feature", name, "regexp", featureAllowList.String()) + continue + } + if featureDenyList.MatchString(name) { + klog.InfoS("feature matchs the denylist", "feature", name, "regexp", featureDenyList.String()) + continue + } + switch sourceName := source.Name(); sourceName { case "local", "custom": // No mangling of labels from the custom rules or feature files