Modify allowedNamespaces logic

kubernetes-sigs · Mar 19, 2021 · 4489ea6 · 4489ea6
1 parent f548885
commit 4489ea6
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/docs/proposal/20210311-single-controller-multitenancy.md b/docs/proposal/20210311-single-controller-multitenancy.md
@@ -160,14 +160,25 @@ type VSphereAccountSpec struct {
 
     Password string `json:"password,omitempty"`
 
-    // AllowedNamespaces is an array of namespaces that VSphereClusters can
-    // use this account from.
+    // AllowedNamespaces is used to identify which namespaces are allowed to use this account.
+    // Namespaces can be selected either by using an array of namespaces or with a label selector.
+    // If this object is nil, no namespaces will be allowed
     //
-    // An empty list (default) indicates that VSphereClusters can use this
-    // account from any namespace. This field is intentionally not a
-    // pointer because the nil behavior (no namespaces) is undesirable here.
     // +optional
-    AllowedNamespaces []string `json:"allowedNamespaces"`
+    AllowedNamespaces *AllowedNamespaces `json:"allowedNamespaces"`
+}
+
+type AllowedNamespaces struct {
+    // If both NamespaceList and Selector are nil/empty, no namespaces will be allowed to use the account (default behaviour)
+    //
+    // Allowed namespaces listed out by name
+    // +optional
+    // +nullable
+    NamespaceList []string `json:"list"`
+
+    // Selector is a standard Kubernetes LabelSelector. A label query over a set of resources.
+    // +optional
+    Selector metav1.LabelSelector `json:"selector"`
 }
 
 type VSphereClusterSpec struct {