don't sync on terminating and system namespaces

Author: stlaz

pkg/psalabelsyncer/podsecurity_label_sync_controller.go

@@ -3,6 +3,7 @@ package psalabelsyncer
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -125,7 +126,7 @@ func NewPodSecurityAdmissionLabelSynchronizationController(
 				if ns.Annotations == nil || len(ns.Annotations[securityv1.UIDRangeAnnotation]) == 0 {
 					return false
 				}
-				return true
+				return checkNSControlled(ns)
 			},
 			namespaceInformer.Informer(),
 		).
@@ -148,6 +149,11 @@ func (c *PodSecurityAdmissionLabelSynchronizationController) sync(ctx context.Co
 		return fmt.Errorf(errFmt, qKey, err)
 	}
 
+	if ns.Status.Phase == corev1.NamespaceTerminating {
+		klog.Infof("skipping synchronizing namespace %q because it is terminating", ns.Name)
+		return nil
+	}
+
 	if err := c.syncNamespace(ctx, controllerContext, ns); err != nil {
 		return fmt.Errorf(errFmt, qKey, err)
 	}
@@ -304,17 +310,28 @@ func (c *PodSecurityAdmissionLabelSynchronizationController) saToSCCCAcheEnqueue
 	}
 }
 
-func (c *PodSecurityAdmissionLabelSynchronizationController) checkNSControlled(ns string) (bool, error) {
-	nsObj, err := c.namespaceLister.Get(ns)
+func (c *PodSecurityAdmissionLabelSynchronizationController) checkNSControlled(nsName string) (bool, error) {
+	ns, err := c.namespaceLister.Get(nsName)
 	if err != nil {
 		return false, err
 	}
 
-	if nsObj.Labels[labelSyncControlLabel] != "false" {
-		return true, nil
+	return checkNSControlled(ns), nil
+
+}
+
+func checkNSControlled(ns *corev1.Namespace) bool {
+	nsName := ns.Name
+	isSystemNS := strings.HasPrefix(nsName, "openshift-") || nsName == "openshift" || nsName == "kube-system"
+	if isSystemNS {
+		return false
+	}
+
+	if ns.Labels[labelSyncControlLabel] != "false" {
+		return true
 	}
 
-	return false, nil
+	return false
 }
 
 // controlledNamespacesLabelSelector returns label selector to be used with the