kubernetes-sigs · ozhuraki · Aug 5, 2025
diff --git a/cmd/nfd-master/main.go b/cmd/nfd-master/main.go
@@ -65,6 +65,10 @@ func main() {
 			args.Overrides.DenyLabelNs = overrides.DenyLabelNs
 		case "label-whitelist":
 			args.Overrides.LabelWhiteList = overrides.LabelWhiteList
+		case "feature-allowlist":
+			args.Overrides.FeatureAllowList = overrides.FeatureAllowList
+		case "feature-denylist":
+			args.Overrides.FeatureDenyList = overrides.FeatureDenyList
 		case "enable-taints":
 			args.Overrides.EnableTaints = overrides.EnableTaints
 		case "no-publish":
@@ -121,16 +125,22 @@ func initFlags(flagset *flag.FlagSet) (*master.Args, *master.ConfigOverrideArgs)
 	args.Klog = klogutils.InitKlogFlags(flagset)
 
 	overrides := &master.ConfigOverrideArgs{
-		LabelWhiteList: &utils.RegexpVal{},
-		DenyLabelNs:    &utils.StringSetVal{},
-		ExtraLabelNs:   &utils.StringSetVal{},
-		ResyncPeriod:   &utils.DurationVal{Duration: time.Duration(1) * time.Hour},
+		LabelWhiteList:  &utils.RegexpVal{},
+		FeatureAlowList: &utils.RegexpVal{},
+		FeatureDenyList: &utils.RegexpVal{},
+		DenyLabelNs:     &utils.StringSetVal{},
+		ExtraLabelNs:    &utils.StringSetVal{},
+		ResyncPeriod:    &utils.DurationVal{Duration: time.Duration(1) * time.Hour},
 	}
 	flagset.Var(overrides.ExtraLabelNs, "extra-label-ns",
 		"Comma separated list of allowed extra label namespaces")
 	flagset.Var(overrides.LabelWhiteList, "label-whitelist",
 		"Regular expression to filter label names to publish to the Kubernetes API server. "+
 			"NB: the label namespace is omitted i.e. the filter is only applied to the name part after '/'.")
+	flagset.Var(overrides.FeatureAllowList, "feature-allowlist",
+		"Regular expression to filter feature names to publish to the Kubernetes API server")
+	flagset.Var(overrides.FeatureDenyList, "feature-denylist",
+		"Regular expression to filter out feature names")
 	overrides.EnableTaints = flagset.Bool("enable-taints", false,
 		"Enable node tainting feature")
 	overrides.NoPublish = flagset.Bool("no-publish", false,

diff --git a/pkg/nfd-worker/nfd-worker.go b/pkg/nfd-worker/nfd-worker.go
@@ -77,14 +77,16 @@ type NFDConfig struct {
 }
 
 type coreConfig struct {
-	Klog           klogutils.KlogConfigOpts
-	LabelWhiteList utils.RegexpVal
-	NoPublish      bool
-	NoOwnerRefs    bool
-	FeatureSources []string
-	Sources        *[]string
-	LabelSources   []string
-	SleepInterval  utils.DurationVal
+	Klog             klogutils.KlogConfigOpts
+	LabelWhiteList   utils.RegexpVal
+	FeatureAllowList utils.RegexpVal
+	FeatureDenyList  utils.RegexpVal
+	NoPublish        bool
+	NoOwnerRefs      bool
+	FeatureSources   []string
+	Sources          *[]string
+	LabelSources     []string
+	SleepInterval    utils.DurationVal
 }
 
 type sourcesConfig map[string]source.Config
@@ -196,11 +198,13 @@ func NewNfdWorker(opts ...NfdWorkerOption) (NfdWorker, error) {
 func newDefaultConfig() *NFDConfig {
 	return &NFDConfig{
 		Core: coreConfig{
-			LabelWhiteList: utils.RegexpVal{Regexp: *regexp.MustCompile("")},
-			SleepInterval:  utils.DurationVal{Duration: 60 * time.Second},
-			FeatureSources: []string{"all"},
-			LabelSources:   []string{"all"},
-			Klog:           make(map[string]string),
+			LabelWhiteList:   utils.RegexpVal{Regexp: *regexp.MustCompile("")},
+			FeatureAllowList: utils.RegexpVal{Regexp: *regexp.MustCompile("")},
+			FeatureDenyList:  utils.RegexpVal{Regexp: *regexp.MustCompile("")},
+			SleepInterval:    utils.DurationVal{Duration: 60 * time.Second},
+			FeatureSources:   []string{"all"},
+			LabelSources:     []string{"all"},
+			Klog:             make(map[string]string),
 		},
 	}
 }
@@ -238,7 +242,7 @@ func (w *nfdWorker) runFeatureDiscovery() error {
 		klog.InfoS("feature discovery sources took over half of sleep interval ", "duration", discoveryDuration, "sleepInterval", w.config.Core.SleepInterval.Duration)
 	}
 	// Get the set of feature labels.
-	labels := createFeatureLabels(w.labelSources, w.config.Core.LabelWhiteList.Regexp)
+	labels := createFeatureLabels(w.labelSources, w.config.Core.LabelWhiteList.Regexp, w.config.Core.FeatureAllowList.Regexp, w.config.Core.FeatureDenyList.Regexp)
 
 	// Update the node with the feature labels.
 	if !w.config.Core.NoPublish {
@@ -531,13 +535,13 @@ func (w *nfdWorker) configure(filepath string, overrides string) error {
 
 // createFeatureLabels returns the set of feature labels from the enabled
 // sources and the whitelist argument.
-func createFeatureLabels(sources []source.LabelSource, labelWhiteList regexp.Regexp) (labels Labels) {
+func createFeatureLabels(sources []source.LabelSource, labelWhiteList regexp.Regexp, featureAllowList regexp.Regexp, featureDenyList regexp.Regexp) (labels Labels) {
 	labels = Labels{}
 
 	// Get labels from all enabled label sources
 	klog.InfoS("starting feature discovery...")
 	for _, source := range sources {
-		labelsFromSource, err := getFeatureLabels(source, labelWhiteList)
+		labelsFromSource, err := getFeatureLabels(source, labelWhiteList, featureAllowList, featureDenyList)
 		if err != nil {
 			klog.ErrorS(err, "discovery failed", "source", source.Name())
 			continue
@@ -555,7 +559,7 @@ func createFeatureLabels(sources []source.LabelSource, labelWhiteList regexp.Reg
 
 // getFeatureLabels returns node labels for features discovered by the
 // supplied source.
-func getFeatureLabels(source source.LabelSource, labelWhiteList regexp.Regexp) (labels Labels, err error) {
+func getFeatureLabels(source source.LabelSource, labelWhiteList regexp.Regexp, featureAllowList regexp.Regexp, featureDenyList regexp.Regexp) (labels Labels, err error) {
 	labels = Labels{}
 	features, err := source.GetLabels()
 	if err != nil {
@@ -564,6 +568,15 @@ func getFeatureLabels(source source.LabelSource, labelWhiteList regexp.Regexp) (
 
 	for k, v := range features {
 		name := k
+		if !featureAllowList.MatchString(name) {
+			klog.InfoS("feature does not match the allowlist", "feature", name, "regexp", featureAllowList.String())
+			continue
+		}
+		if featureDenyList.MatchString(name) {
+			klog.InfoS("feature matchs the denylist", "feature", name, "regexp", featureDenyList.String())
+			continue
+		}
+
 		switch sourceName := source.Name(); sourceName {
 		case "local", "custom":
 			// No mangling of labels from the custom rules or feature files