allow multiple namespaces to be watched for policies #42
Conversation
Signed-off-by: Jan Willies <[email protected]>
|
reading #11 this seems a bit more work than this? |
There was a problem hiding this comment.
@janwillies this looks fine. I have one comment we should address but other than that, LGTM. Also, you'll need to sign-off on your changes before we can merge this.
| source := cache.NewListWatchFromClient( | ||
| client, | ||
| "configmaps", | ||
| namespace, |
There was a problem hiding this comment.
Users can deploy kube-mgmt with --policies=* in which case configmaps in all namespaces will be replicated into OPA (this is used in conjunction with --require-policy-label` to filter configmaps.)
Could you add a flag to kube-mgmt so that users can tell it to watch specific namespaces? Otherwise this change will not be backwards compatible.
There was a problem hiding this comment.
I'm a bit afraid that adding another parameter would maybe clutter the UI too much? Note that the help for --policies currently says:
--policies stringSlice automatically load policies from these namespaces (default [opa,kube-federation-scheduling-policy])
Can we not simply parse the --policies= parameter and in case of * use v1.NamespaceAll? Something like
if namespaces[0] == "*" {
namespaces[0] = v1.NamespaceAll
namespaces = namespaces[0:1]
}There was a problem hiding this comment.
This looks fine. I would probably check whether the slice contained * at all but this will work.
…lity Signed-off-by: Jan Willies <[email protected]>
| source := cache.NewListWatchFromClient( | ||
| client, | ||
| "configmaps", | ||
| namespace, |
There was a problem hiding this comment.
This looks fine. I would probably check whether the slice contained * at all but this will work.
this fixes an inconsistency with the docs:
but
v1.NamespaceAllwas hardcoded