
Sync namespace labels to pods

Open FabianKramm opened this issue 3 years ago • 5 comments

Currently namespaceSelectors are not supported in vcluster, which means that networkpolicies and spec.affinity.podAffinity are not fully supported.

One way to translate a namespaceSelector into a pod labelSelector is by syncing all namespace labels to all pods within that namespace in the host cluster. This makes it then possible to rewrite a namespaceSelector.

In order to implement this, we would need a new controller that makes sure that as soon as labels are changed on a virtual namespace, all labels are changed on the pods within that namespace in the host cluster as well.

FabianKramm avatar Jun 23 '21 11:06 FabianKramm
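As an added illustration of the translation the issue describes (this is not vcluster's code; the label prefix, the managed-by label and the minimal Go types are assumptions), here are both halves in Go: the controller's job of syncing a virtual namespace's labels onto its host pods, and the rewrite of a NetworkPolicy peer's namespaceSelector into a podSelector over those synced labels:

```go
package main
import "strings"
// Stand-ins for metav1.LabelSelector and networkingv1.NetworkPolicyPeer (assumed, not vcluster's types).
type LabelSelector struct{ MatchLabels map[string]string }
type NetworkPolicyPeer struct{ PodSelector, NamespaceSelector *LabelSelector }
// Assumed label scheme (hypothetical names): virtual namespace labels are synced onto host pods
// under nsLabelPrefix, and every pod synced by this vcluster carries managedByKey=managedByVal.
const (
	nsLabelPrefix = "vcluster.loft.sh/ns-"
	managedByKey  = "vcluster.loft.sh/managed-by"
	managedByVal  = "my-vcluster"
)

// hostKey maps a namespace label key to a valid host label key: a key may contain only one "/",
// so "kubernetes.io/metadata.name" becomes nsLabelPrefix + "kubernetes.io_metadata.name".
func hostKey(k string) string { return nsLabelPrefix + strings.ReplaceAll(k, "/", "_") }

// SyncNamespaceLabels is what the controller from the issue would write onto a host pod:
// the pod's own labels plus its virtual namespace's labels; stale synced labels are dropped.
func SyncNamespaceLabels(podLabels, nsLabels map[string]string) map[string]string {
	out := map[string]string{managedByKey: managedByVal}
	for k, v := range podLabels {
		if !strings.HasPrefix(k, nsLabelPrefix) {
			out[k] = v
		}
	}
	for k, v := range nsLabels {
		out[hostKey(k)] = v
	}
	return out
}

// RewritePeer folds a namespaceSelector into the podSelector. The managed-by label is always
// added so an empty namespaceSelector ("all namespaces") cannot widen to every host pod.
func RewritePeer(p NetworkPolicyPeer) NetworkPolicyPeer {
	if p.NamespaceSelector == nil {
		return p
	}
	merged := map[string]string{managedByKey: managedByVal}
	if p.PodSelector != nil {
		for k, v := range p.PodSelector.MatchLabels {
			merged[k] = v
		}
	}
	for k, v := range p.NamespaceSelector.MatchLabels {
		merged[hostKey(k)] = v
	}
	return NetworkPolicyPeer{PodSelector: &LabelSelector{MatchLabels: merged}}
}
```

The same rewrite applies to the spec.affinity.podAffinity terms the issue mentions, since they carry the same namespaceSelector/labelSelector pair.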

@FabianKramm any plans to solve this one? As far as I see, the network policy ...-control-plane cannot work correctly because the CoreDNS pod does not have those kubernetes.io/metadata.name: 'kube-system' and k8s-app: kube-dns labels on the host cluster side.

olljanat avatar Jun 27 '22 10:06 olljanat

@olljanat this should actually work, we have an option to allow network policies to work

FabianKramm avatar Jun 28 '22 09:06 FabianKramm

@FabianKramm that is a different case. I mean those network policies which get created when isolation mode + network policy is enabled with a config like:

isolation:
  enabled: true
  namespace: vcluster
  networkPolicy:
    enabled: true

In that case these will be deployed to the host cluster and they cannot work because the CoreDNS pods do not have the needed labels: https://github.com/loft-sh/vcluster/blob/40d7c65b8a016ec32a8cfc3c5a1761e0237cf8b2/charts/k8s/templates/networkpolicy.yaml#L62-L67

olljanat avatar Jun 28 '22 11:06 olljanat

@olljanat oh I see, this would be a different issue then. However, it should still work, as the networkpolicy you referred to is the policy for the control plane (vcluster itself), which doesn't need to connect to the inner core dns and rather needs to connect to the coredns of the host cluster, which almost always is in the kube-system namespace (that will get the kubernetes.io/metadata.name: 'kube-system' label automatically). So it should work fine with the current configuration, or is there a problem you currently experience?

FabianKramm avatar Jun 29 '22 06:06 FabianKramm

Ah, yes, that network policy just handles traffic from vcluster to the host cluster, and I need another one, inside of vcluster, to handle traffic from kube dns to the api-server.

olljanat avatar Jul 02 '22 08:07 olljanat

This was implemented in #195 but we forgot to close the issue, so closing it now :)

P.S: Network policies inside the cluster should also work (since v0.5.0) - Docs.

matskiv avatar Nov 02 '22 18:11 matskiv