wip: address comments

Author: stlaz

pkg/psalabelsyncer/podsecurity_label_sync_controller.go

@@ -17,6 +17,7 @@ import (
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	rbacv1listers "k8s.io/client-go/listers/rbac/v1"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 	psapi "k8s.io/pod-security-admission/api"
 
@@ -50,6 +51,7 @@ type PodSecurityAdmissionLabelSynchronizationController struct {
 
 	nsLabelSelector labels.Selector
 
+	workQueue     workqueue.RateLimitingInterface
 	saToSCCsCache *SAToSCCCache
 }
 
@@ -80,6 +82,7 @@ func NewPodSecurityAdmissionLabelSynchronizationController(
 		return nil, err
 	}
 
+	syncCtx := factory.NewSyncContext(controllerName, eventRecorder.WithComponentSuffix(controllerName))
 	c := &PodSecurityAdmissionLabelSynchronizationController{
 		namespaceClient: namespaceClient,
 
@@ -93,25 +96,22 @@ func NewPodSecurityAdmissionLabelSynchronizationController(
 
 		nsLabelSelector: controlledNamespacesLabelSelector,
 
-		saToSCCsCache: NewSAToSCCCache(rbacInformers, sccInformer),
+		workQueue: syncCtx.Queue(),
 	}
 
+	saToSCCCache := NewSAToSCCCache(rbacInformers, sccInformer).WithExternalQueueEnqueue(c.saToSCCCAcheEnqueueFunc)
+
+	c.saToSCCsCache = saToSCCCache
+
 	return factory.New().
 		WithSync(c.sync).
+		WithSyncContext(syncCtx).
 		WithFilteredEventsInformersQueueKeysFunc(
 			c.queueKeysForObj,
 			c.saToSCCsCache.IsRoleBindingRelevant,
 			rbacInformers.RoleBindings().Informer(),
 			rbacInformers.ClusterRoleBindings().Informer(),
 		).
-		WithFilteredEventsInformersQueueKeysFunc(
-			c.queueKeysForObj,
-			func(obj interface{}) bool {
-				return c.saToSCCsCache.IsRoleInvolvesSCCs(obj, true)
-			},
-			rbacInformers.Roles().Informer(),
-			rbacInformers.ClusterRoles().Informer(),
-		).
 		WithFilteredEventsInformersQueueKeysFunc(
 			nameToKey,
 			func(obj interface{}) bool {
@@ -133,19 +133,6 @@ func NewPodSecurityAdmissionLabelSynchronizationController(
 			c.queueKeysForObj,
 			serviceAccountInformer.Informer(),
 		).
-		WithInformersQueueKeysFunc(
-			func(o runtime.Object) []string {
-				// we need to reinitialize the SCC cache as the roles might be now granting
-				// access to new SCCs, or won't grant access to removed SCCs
-				err := c.saToSCCsCache.ReinitializeRoleCache()
-				if err != nil {
-					klog.Errorf("failed to reinitialize role cache: %v", err)
-					return nil
-				}
-				return c.allWatchedNamespacesAsQueueKeys(o)
-			},
-			sccInformer.Informer(),
-		).
 		ToController(
 			controllerName,
 			eventRecorder.WithComponentSuffix(controllerName),
@@ -273,6 +260,39 @@ func (c *PodSecurityAdmissionLabelSynchronizationController) allWatchedNamespace
 	return qKeys
 }
 
+func (c *PodSecurityAdmissionLabelSynchronizationController) saToSCCCAcheEnqueueFunc(obj interface{}) {
+	enqeueAllNS := func() {
+		// NS was zero-len, we need to enqueue all controlled namespaces
+		nsList, err := c.namespaceLister.List(c.nsLabelSelector)
+		if err != nil {
+			klog.Errorf("failed to enqueue all namespaces: %v", err)
+			return
+		}
+		for _, ns := range nsList {
+			c.workQueue.Add(ns.Name)
+		}
+	}
+
+	// TODO: maybe just allow setting 2 separate enqueuers for roles and SCCs?
+	switch t := obj.(type) {
+	case roleInterface: // TODO: should be exported
+		if nsName := t.Namespace(); len(nsName) > 0 {
+			ns, err := c.namespaceLister.Get(nsName)
+			if err != nil {
+				klog.Errorf("failed to enqueue namespace %q: %v", nsName, err)
+				return
+			}
+			if ns.Labels[labelSyncControlLabel] != "false" {
+				c.workQueue.Add(nsName)
+			}
+			return
+		}
+		enqeueAllNS()
+	case *securityv1.SecurityContextConstraints:
+		enqeueAllNS()
+	}
+}
+
 // controlledNamespacesLabelSelector returns label selector to be used with the
 // PodSecurityAdmissionLabelSynchronizationController.
 func controlledNamespacesLabelSelector() (labels.Selector, error) {