Merge pull request kubernetes#84900 from MikeSpreitzer/add-namespace-to-rule

Enable Priority and Fairness to discriminate on target namespace

Author: k8s-ci-robot

api/openapi-spec/swagger.json

@@ -26,8 +26,9 @@ const (
 	ResourceAll    = "*"
 	VerbAll        = "*"
 	NonResourceAll = "*"
+	NameAll        = "*"
 
-	NameAll = "*"
+	NamespaceEvery = "*" // matches every particular namespace
 )
 
 // System preset priority level names
@@ -210,28 +211,53 @@ type ServiceAccountSubject struct {
 	Name string
 }
 
-// ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target
-// resource. A ResourcePolicyRule matches a request if and only if: (a) at least one member
-// of verbs matches the request, (b) at least one member of apiGroups matches the request, and (c) at least one member
-// of resources matches the request.
+// ResourcePolicyRule is a predicate that matches some resource
+// requests, testing the request's verb and the target resource. A
+// ResourcePolicyRule matches a resource request if and only if: (a)
+// at least one member of verbs matches the request, (b) at least one
+// member of apiGroups matches the request, (c) at least one member of
+// resources matches the request, and (d) least one member of
+// namespaces matches the request.
 type ResourcePolicyRule struct {
 	// `verbs` is a list of matching verbs and may not be empty.
-	// "*" matches all verbs. if it is present, it must be the only entry.
+	// "*" matches all verbs and, if present, must be the only entry.
 	// +listType=set
 	// Required.
 	Verbs []string
+
 	// `apiGroups` is a list of matching API groups and may not be empty.
-	// "*" matches all api-groups. if it is present, it must be the only entry.
+	// "*" matches all API groups and, if present, must be the only entry.
 	// +listType=set
 	// Required.
 	APIGroups []string
-	// `resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource.
-	// For example, [ "services", "nodes/status" ].
-	// This list may not be empty.
-	// "*" matches all resources. if it is present, it must be the only entry.
-	// +listType=set
+
+	// `resources` is a list of matching resources (i.e., lowercase
+	// and plural) with, if desired, subresource.  For example, [
+	// "services", "nodes/status" ].  This list may not be empty.
+	// "*" matches all resources and, if present, must be the only entry.
 	// Required.
+	// +listType=set
 	Resources []string
+
+	// `clusterScope` indicates whether to match requests that do not
+	// specify a namespace (which happens either because the resource
+	// is not namespaced or the request targets all namespaces).
+	// If this field is omitted or false then the `namespaces` field
+	// must contain a non-empty list.
+	// +optional
+	ClusterScope bool
+
+	// `namespaces` is a list of target namespaces that restricts
+	// matches.  A request that specifies a target namespace matches
+	// only if either (a) this list contains that target namespace or
+	// (b) this list contains "*".  Note that "*" matches any
+	// specified namespace but does not match a request that _does
+	// not specify_ a namespace (see the `clusterScope` field for
+	// that).
+	// This list may be empty, but only if `clusterScope` is true.
+	// +optional
+	// +listType=set
+	Namespaces []string
 }
 
 // NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the

pkg/apis/flowcontrol/types.go

@@ -245,9 +245,25 @@ func ValidateFlowSchemaResourcePolicyRule(rule *flowcontrol.ResourcePolicyRule,
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("resources"), rule.Resources, "if '*' is present, must not specify other resources"))
 	}
 
+	if len(rule.Namespaces) == 0 && !rule.ClusterScope {
+		allErrs = append(allErrs, field.Required(fldPath.Child("namespaces"), "resource rules that are not cluster scoped must supply at least one namespace"))
+	} else if hasWildcard(rule.Namespaces) {
+		if len(rule.Namespaces) > 1 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces"), rule.Namespaces, "if '*' is present, must not specify other namespaces"))
+		}
+	} else {
+		for idx, tgtNS := range rule.Namespaces {
+			for _, msg := range apimachineryvalidation.ValidateNamespaceName(tgtNS, false) {
+				allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces").Index(idx), tgtNS, nsErrIntro+msg))
+			}
+		}
+	}
+
 	return allErrs
 }
 
+const nsErrIntro = "each member of this list must be '*' or a DNS-1123 label; "
+
 // ValidateFlowSchemaStatus validates status for the flow-schema.
 func ValidateFlowSchemaStatus(status *flowcontrol.FlowSchemaStatus, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
@@ -424,8 +440,12 @@ func ValidateNonResourceURLPath(path string, fldPath *field.Path) *field.Error {
 }
 
 func hasWildcard(operations []string) bool {
-	for _, o := range operations {
-		if o == "*" {
+	return memberInList("*", operations...)
+}
+
+func memberInList(seek string, a ...string) bool {
+	for _, ai := range a {
+		if ai == seek {
 			return true
 		}
 	}