Option to restrict informer cache to a namespace

[hasbro17]

Fixes #124

A namespace option can be passed from the manager to the cache which restricts the ListWatch for all informers to the desired namespace.
This way a manager can be run with a Role instead of a ClusterRole.

[hasbro17]

@DirectXMan12 PTAL
First time writing a test in Ginkgo so I'm not sure if the namespaced cache test case should be in it's own Describe block. Seemed more concise to add it as a sub-case to the Reader.

[interma]

When I need to watch all namespace events, set nil to options.Namespace or set other value?
Thanks.

[hasbro17]

To watch all namespaces you set options.Namespaces = "" or metav1.NamespaceAll which is the same thing.
But since the default string value is empty you can just not set the Namespace option in cache.Options and it should watch all namespaces by default.

[DirectXMan12]

does this need to be NamespaceIfScoped(ip.namespace, ip.namespace == "")?

[hasbro17]

You could do without NamespaceIfScoped since the URL constructed ignores namespaces if namespace == "".
https://github.com/kubernetes/client-go/blob/master/rest/request.go#L424
But that behavior is implicit so I've added NamespaceIfScoped(ip.namespace, ip.namespace != "") to make the distinction more clear.

[hasbro17]

@DirectXMan12 The request is explicitly namespace scoped now. PTAL.

[hasbro17]

@droot can you please review this in case @DirectXMan12 is busy.

[droot]

@hasbro17 change looks good to me. @DirectXMan12 , would you like to take a final look ?

[hasbro17]

@droot thanks. I think @DirectXMan12 should be back on Monday to take a look.
I'll rebase my changes in the meanwhile since #101 was merged.

[hasbro17]

Rebased and added another namespaced cache test for an unstructured object.

[droot]

+1 for covering this.

[droot]

May be make it more explicit:

watch objects in the desired namespace

Also one more q: if I specify the namespace here and later setup a watch for a cluster scoped resource (say Node), will I get error, what would be the UX ?
We should document that behavior here probably.

[hasbro17]

I tested it out by specifying the manager's namespace and added a controller to watch nodes:

$ ./main --namespace=default
{"level":"info","ts":1537598131.6718707,"logger":"kubebuilder.controller","caller":"controller/controller.go:120","msg":"Starting EventSource","Controller":"node-controller","Source":{"Type":{"metadata":{"creationTimestamp":null},"spec":{},"status":{"daemonEndpoints":{"kubeletEndpoint":{"Port":0}},"nodeInfo":{"machineID":"","systemUUID":"","bootID":"","kernelVersion":"","osImage":"","containerRuntimeVersion":"","kubeletVersion":"","kubeProxyVersion":"","operatingSystem":"","architecture":""}}}}}
E0921 23:35:31.674413   15574 reflector.go:205] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1.Node: the server could not find the requested resource
E0921 23:35:32.680154   15574 reflector.go:205] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1.Node: the server could not find the requested resource

As expected the ListWatcher fails to List the nodes because when the namespace is set it will form an incorrect request to list Nodes by adding the namespace in the REST path.
https://github.com/kubernetes-sigs/controller-runtime/pull/136/files#diff-fc36bd1640f2ed10bc9e4f4d24789edfR235

The behavior seems consistent with the need for namespacing the manager i.e you don't expect to Watch cluster-scoped resources if your permissions are restricted to a namespace.

I've updated the comment to document this behavior.

[DirectXMan12]

realized that we also should check if the resource is namespaced in the first place.

[DirectXMan12]

it occurs to me that there's one last wrinkle for this -- we need to also check if the resource is namespace-scoped to begin with using the rest mapping -- i.e. you should be able to watch nodes when watching pods in a specific namespace.

[DirectXMan12]

so this should be NamespaceIfScoped(ip.namespace, ip.namespace != "" && mapping.Scope == apimeta.RESTScopeNameRoot)

[DirectXMan12]

and below (in the watch)

[hasbro17]

Fixed. Minor nit being it's:

ip.namespace != "" && mapping.Scope != apimeta.RESTScopeNameRoot

[DirectXMan12]

ditto here on the "is this namespaced"

[hasbro17]

@DirectXMan12 I've updated the ListWatchers to check if the resource is namespace scoped before making a namespaced request.
With this change ,even if the cache is namespaced, it can still be used to read cluster-scoped resources.

I've updated the tests with the additional case of ensuring a namespaced cache will still let you List a cluster-scoped resource(corev1.Namespace).
Also updated the manager's Namespace option comment to clarify this.

[DirectXMan12]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DirectXMan12, hasbro17

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [DirectXMan12]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment