diff --git a/gslb/gslbutils/gslbutils.go b/gslb/gslbutils/gslbutils.go index cc96be33..2ca455db 100644 --- a/gslb/gslbutils/gslbutils.go +++ b/gslb/gslbutils/gslbutils.go @@ -491,6 +491,15 @@ func GetTenantInNamespaceAnnotation(namespace, cname string) string { return tenant } +func CheckTenant(namespace, cname, tenant string) bool { + namespaceTenant := GetTenantInNamespaceAnnotation(namespace, cname) + if namespaceTenant != "" && tenant != namespaceTenant { + Logf("cluster: %s, nstenant: %s, tenant: %s, msg: %s\n", cname, namespaceTenant, tenant, "rejected object because object tenant is not same as namespace") + return false + } + return true +} + var allClusterContexts []string func AddClusterContext(cc string) { diff --git a/gslb/ingestion/event_handlers.go b/gslb/ingestion/event_handlers.go index 9427de62..2f73f384 100644 --- a/gslb/ingestion/event_handlers.go +++ b/gslb/ingestion/event_handlers.go @@ -58,6 +58,9 @@ func AddLBSvcEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso c.name, svc.ObjectMeta.Name, svc.ObjectMeta.Namespace) return } + if !gslbutils.CheckTenant(svc.Namespace, c.name, svcMeta.Tenant) { + return + } if !filter.ApplyFilter(filter.FilterArgs{ Obj: svcMeta, Cluster: c.name, @@ -80,6 +83,8 @@ func AddLBSvcEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso if !isSvcTypeLB(svc) { return } + fetchedObj, present := acceptedLBSvcStore.GetClusterNSObjectByName(c.name, + svc.ObjectMeta.Namespace, svc.ObjectMeta.Name) DeleteFromLBSvcStore(acceptedLBSvcStore, svc, c.name) DeleteFromLBSvcStore(rejectedLBSvcStore, svc, c.name) 
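Review bot: CheckTenant in gslbutils.go accepts every object when GetTenantInNamespaceAnnotation returns an empty string, and the hunk does not show whether that helper also returns "" when the namespace lookup itself fails; if it does, the tenant check fails open on a lookup error. That is worth confirming in the helper, whose body starts outside the hunk. The exported function has no doc comment, so the intended behaviour could be stated there, e.g. `// CheckTenant reports whether tenant matches the tenant annotated on namespace in cluster cname; a namespace without a tenant annotation accepts any tenant.` The rejection log also omits `namespace` even though it is a parameter, which makes a rejected object hard to trace.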
@@ -89,9 +94,11 @@ func AddLBSvcEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso if ok { hostName = svcMeta.Hostname } - - publishKeyToGraphLayer(numWorkers, gslbutils.SvcType, c.name, svc.ObjectMeta.Namespace, - svc.ObjectMeta.Name, gslbutils.ObjectDelete, hostName, svcMeta.Tenant, c.workqueue) + if present { + fetchedSvc := fetchedObj.(k8sobjects.SvcMeta) + publishKeyToGraphLayer(numWorkers, gslbutils.SvcType, c.name, svc.ObjectMeta.Namespace, + svc.ObjectMeta.Name, gslbutils.ObjectDelete, hostName, fetchedSvc.Tenant, c.workqueue) + } return }, UpdateFunc: func(old, curr interface{}) { @@ -99,6 +106,9 @@ func AddLBSvcEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso svc := curr.(*corev1.Service) if oldSvc.ResourceVersion != svc.ResourceVersion { svcMeta, ok := k8sobjects.GetSvcMeta(svc, c.name) + if !gslbutils.CheckTenant(svc.Namespace, c.name, svcMeta.Tenant) { + return + } if !ok || !isSvcTypeLB(svc) || !filter.ApplyFilter(filter.FilterArgs{ Obj: svcMeta, Cluster: c.name, 
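Review bot: `fetchedObj.(k8sobjects.SvcMeta)` in the DeleteFunc is an unchecked type assertion, so if the store ever holds a value of another type (its element type is not visible here) the informer callback panics. The comma-ok form keeps the handler alive: `fetchedSvc, isSvcMeta := fetchedObj.(k8sobjects.SvcMeta)` with a logged return when `!isSvcMeta`. The same assertion pattern is added in deleteIngressMeta, filterAndUpdateIngressMeta, the route DeleteFunc and UpdateFunc, and deleteMultiClusterIngressMeta. Separately, the delete key now takes the tenant from the stored object while the hostname still comes from the freshly computed svcMeta; if the stored entry is meant to reflect what was published, `fetchedSvc.Hostname` would be the consistent choice.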
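Review bot: In the UpdateFunc the new `CheckTenant` call reads `svcMeta.Tenant` before `ok` from GetSvcMeta is tested, and its early `return` skips the rejection branch that follows. Judging by the context lines of the next hunk, that branch is what publishes an ObjectDelete for a service already in the accepted store, so a previously accepted service whose tenant stops matching the namespace would be left in place instead of being withdrawn. Folding the check into the existing condition avoids both problems: `if !ok || !isSvcTypeLB(svc) || !gslbutils.CheckTenant(svc.Namespace, c.name, svcMeta.Tenant) || !filter.ApplyFilter(...)`. The route UpdateFunc hunk (`@@ -380,6 +422,9 @@`) has the same early return ahead of its rejection branch.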
@@ -122,13 +132,16 @@ func AddLBSvcEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso fetchedSvc.Name, gslbutils.ObjectDelete, fetchedSvc.Hostname, fetchedSvc.Tenant, c.workqueue) return } - oldSvcMeta, ok := k8sobjects.GetSvcMeta(oldSvc, c.name) - // check if tenant has changed for service - if ok && oldSvcMeta.Tenant != svcMeta.Tenant { - oper := gslbutils.ObjectDelete - publishKeyToGraphLayer(numWorkers, gslbutils.SvcType, c.name, oldSvcMeta.Namespace, oldSvcMeta.Name, - oper, oldSvcMeta.Hostname, oldSvcMeta.Tenant, c.workqueue) + if fetchedObj, ok := acceptedLBSvcStore.GetClusterNSObjectByName(c.name, oldSvc.ObjectMeta.Namespace, oldSvc.ObjectMeta.Name); ok { + fetchedSvc := fetchedObj.(k8sobjects.SvcMeta) + // check if tenant has changed for service + if fetchedSvc.Tenant != svcMeta.Tenant { + oper := gslbutils.ObjectDelete + publishKeyToGraphLayer(numWorkers, gslbutils.SvcType, c.name, fetchedSvc.Namespace, fetchedSvc.Name, + oper, fetchedSvc.Hostname, fetchedSvc.Tenant, c.workqueue) + } } + AddOrUpdateLBSvcStore(acceptedLBSvcStore, svc, c.name) // If the svc was already part of rejected store, we need to remove // this svc from the rejected store. @@ -143,7 +156,7 @@ func AddLBSvcEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso } func filterAndAddIngressMeta(ingressHostMetaObjs []k8sobjects.IngressHostMeta, c *GSLBMemberController, - acceptedIngStore, rejectedIngStore *store.ClusterStore, numWorkers uint32, fullsync bool) { + acceptedIngStore, rejectedIngStore *store.ClusterStore, numWorkers uint32, fullsync bool, namespaceTenant string) { for _, ihm := range ingressHostMetaObjs { if ihm.IPAddr == "" || ihm.Hostname == "" { gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, msg: %s\n", 
@@ -151,6 +164,11 @@ func filterAndAddIngressMeta(ingressHostMetaObjs []k8sobjects.IngressHostMeta, c "rejected ADD ingress because IP address/Hostname not found in status field") continue } + if namespaceTenant != "" && ihm.Tenant != namespaceTenant { + gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, msg: %s\n", + c.name, ihm.Namespace, ihm.IngName, "rejected ADD ingress because ingress tenant is different from namespace") + continue + } if !filter.ApplyFilter(filter.FilterArgs{ Obj: ihm, Cluster: c.name, 
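Review bot: The tenant-mismatch rejection in filterAndAddIngressMeta is logged with Debugf and without either tenant value, whereas CheckTenant logs the same kind of decision with Logf and prints both tenants. An object dropped by a tenant policy is something operators will want to find without raising the log level, so suggest `gslbutils.Logf("cluster: %s, ns: %s, ingress: %s, nstenant: %s, tenant: %s, msg: %s\n", c.name, ihm.Namespace, ihm.IngName, namespaceTenant, ihm.Tenant, "rejected ADD ingress because ingress tenant is different from namespace")`. The same applies to the inline mismatch checks added in filterAndUpdateIngressMeta and the two MultiClusterIngress functions, whose messages also differ in wording ("tenant mismatch"). The function starts and ends outside this hunk.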
@@ -171,35 +189,44 @@ func filterAndAddIngressMeta(ingressHostMetaObjs []k8sobjects.IngressHostMeta, c func deleteIngressMeta(ingressHostMetaObjs []k8sobjects.IngressHostMeta, c *GSLBMemberController, acceptedIngStore, rejectedIngStore *store.ClusterStore, numWorkers uint32) { for _, ihm := range ingressHostMetaObjs { - present := DeleteFromIngressStore(acceptedIngStore, ihm, c.name) + fetchedObj, isAccepted := acceptedIngStore.GetClusterNSObjectByName(c.name, ihm.Namespace, + ihm.ObjName) + DeleteFromIngressStore(acceptedIngStore, ihm, c.name) DeleteFromIngressStore(rejectedIngStore, ihm, c.name) // Only if the ihm object was part of the accepted list previously, we will send a delete key // otherwise we will assume that the object was already deleted - if present { + if isAccepted { + fetchedIngHost := fetchedObj.(k8sobjects.IngressHostMeta) publishKeyToGraphLayer(numWorkers, gslbutils.IngressType, c.name, - ihm.Namespace, ihm.ObjName, gslbutils.ObjectDelete, ihm.Hostname, ihm.Tenant, c.workqueue) + ihm.Namespace, ihm.ObjName, gslbutils.ObjectDelete, ihm.Hostname, fetchedIngHost.Tenant, c.workqueue) } } } func filterAndUpdateIngressMeta(oldIngMetaObjs, newIngMetaObjs []k8sobjects.IngressHostMeta, c *GSLBMemberController, - acceptedIngStore, rejectedIngStore *store.ClusterStore, numWorkers uint32) { + acceptedIngStore, rejectedIngStore *store.ClusterStore, numWorkers uint32, namespaceTenant string) { for _, ihm := range oldIngMetaObjs { // Check whether this exists in the new ingressHost list, if not, we need // to delete this ingressHost object newIhm, found := ihm.IngressHostInList(newIngMetaObjs) + if namespaceTenant != "" && namespaceTenant != newIhm.Tenant { + gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, msg: %s\n", + c.name, ihm.Namespace, ihm.IngName, "rejected update ingress because ingress tenant is different from namespace") + continue + } if !found { // ingressHost doesn't exist anymore, delete this ingressHost object - _, isAccepted := 
acceptedIngStore.GetClusterNSObjectByName(c.name, ihm.Namespace, + fetchedObj, isAccepted := acceptedIngStore.GetClusterNSObjectByName(c.name, ihm.Namespace, ihm.ObjName) DeleteFromIngressStore(acceptedIngStore, ihm, c.name) DeleteFromIngressStore(rejectedIngStore, ihm, c.name) // If part of accepted store, only then publish the delete key if isAccepted { + fetchedIngHost := fetchedObj.(k8sobjects.IngressHostMeta) publishKeyToGraphLayer(numWorkers, gslbutils.IngressType, c.name, - ihm.Namespace, ihm.ObjName, gslbutils.ObjectDelete, ihm.Hostname, ihm.Tenant, c.workqueue) + ihm.Namespace, ihm.ObjName, gslbutils.ObjectDelete, ihm.Hostname, fetchedIngHost.Tenant, c.workqueue) } continue } 
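Review bot: In filterAndUpdateIngressMeta the tenant comparison reads `newIhm.Tenant` before `found` is tested. When the host is no longer in the new list, `newIhm` is presumably a zero value (IngressHostInList is not shown), so its Tenant will not equal a non-empty namespaceTenant and the `continue` skips the `!found` branch that removes the host from both stores and publishes ObjectDelete. Running the `if !found { ... continue }` branch first and the tenant comparison after it keeps removed hosts being cleaned up; a host that is found but now mismatches probably also needs to be withdrawn from the accepted store rather than skipped. filterAndUpdateMultiClusterIngressMeta (`@@ -945,12 +997,17 @@`) has the same ordering. The function body continues past the end of this hunk.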
@@ -234,17 +261,19 @@ func filterAndUpdateIngressMeta(oldIngMetaObjs, newIngMetaObjs []k8sobjects.Ingr continue } - // check if tenant has changed for ingressHost - if ihm.Tenant != newIhm.Tenant { - oper := gslbutils.ObjectDelete - publishKeyToGraphLayer(numWorkers, gslbutils.IngressType, c.name, newIhm.Namespace, newIhm.ObjName, - oper, newIhm.Hostname, ihm.Tenant, c.workqueue) - } - // check if the object existed in the acceptedIngStore oper := gslbutils.ObjectAdd - if _, ok := acceptedIngStore.GetClusterNSObjectByName(c.name, newIhm.Namespace, newIhm.ObjName); ok { - oper = gslbutils.ObjectUpdate + if fetchedObj, ok := acceptedIngStore.GetClusterNSObjectByName(c.name, newIhm.Namespace, newIhm.ObjName); ok { + fetchedIngHost := fetchedObj.(k8sobjects.IngressHostMeta) + // check if tenant has changed for ingressHost + if fetchedIngHost.Tenant != newIhm.Tenant { + oper = gslbutils.ObjectDelete + publishKeyToGraphLayer(numWorkers, gslbutils.IngressType, c.name, fetchedIngHost.Namespace, fetchedIngHost.ObjName, + oper, fetchedIngHost.Hostname, fetchedIngHost.Tenant, c.workqueue) + oper = gslbutils.ObjectAdd + } else { + oper = gslbutils.ObjectUpdate + } } // ingHost passed through the filter, need to send an update key // if the ingHost was already part of rejected store, we need to move this ingHost @@ -262,6 +291,11 @@ func filterAndUpdateIngressMeta(oldIngMetaObjs, newIngMetaObjs []k8sobjects.Ingr if found { continue } + if namespaceTenant != "" && ihm.Tenant != namespaceTenant { + gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, msg: %s\n", + c.name, ihm.Namespace, ihm.IngName, "rejected ADD ingress because tenant mismatch") + continue + } // only the new ones will be considered, because the old ones // have been taken care of already // Add this ingressHost object 
@@ -302,7 +336,8 @@ func AddIngressEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Re // Don't add this ingr if there's no status field present or no IP is allocated in this // status field ingressHostMetaObjs := k8sobjects.GetIngressHostMeta(ingr, c.name) - filterAndAddIngressMeta(ingressHostMetaObjs, c, acceptedIngStore, rejectedIngStore, numWorkers, false) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(ingr.Namespace, c.name) + filterAndAddIngressMeta(ingressHostMetaObjs, c, acceptedIngStore, rejectedIngStore, numWorkers, false, namespaceTenant) }, DeleteFunc: func(obj interface{}) { ingr, ok := obj.(*networkingv1.Ingress) @@ -324,8 +359,9 @@ func AddIngressEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Re if oldIngr.ResourceVersion != ingr.ResourceVersion { oldIngMetaObjs := k8sobjects.GetIngressHostMeta(oldIngr, c.name) newIngMetaObjs := k8sobjects.GetIngressHostMeta(ingr, c.name) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(ingr.Namespace, c.name) filterAndUpdateIngressMeta(oldIngMetaObjs, newIngMetaObjs, c, acceptedIngStore, rejectedIngStore, - numWorkers) + numWorkers, namespaceTenant) } }, } @@ -347,6 +383,9 @@ func AddRouteEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso return } routeMeta := k8sobjects.GetRouteMeta(route, c.name) + if !gslbutils.CheckTenant(route.Namespace, c.name, routeMeta.Tenant) { + return + } if !filter.ApplyFilter(filter.FilterArgs{ Cluster: c.name, Obj: routeMeta, 
@@ -367,12 +406,15 @@ func AddRouteEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso return } // Delete from all route stores - present := DeleteFromRouteStore(acceptedRouteStore, route, c.name) + fetchedObj, ok := acceptedRouteStore.GetClusterNSObjectByName(c.name, + route.ObjectMeta.Namespace, route.ObjectMeta.Name) + DeleteFromRouteStore(acceptedRouteStore, route, c.name) DeleteFromRouteStore(rejectedRouteStore, route, c.name) routeMeta := k8sobjects.GetRouteMeta(route, c.name) - if present { + if ok { + fetchedRoute := fetchedObj.(k8sobjects.RouteMeta) publishKeyToGraphLayer(numWorkers, gslbutils.RouteType, c.name, route.ObjectMeta.Namespace, - route.ObjectMeta.Name, gslbutils.ObjectDelete, routeMeta.Hostname, routeMeta.Tenant, c.workqueue) + route.ObjectMeta.Name, gslbutils.ObjectDelete, routeMeta.Hostname, fetchedRoute.Tenant, c.workqueue) } }, UpdateFunc: func(old, curr interface{}) { @@ -380,6 +422,9 @@ func AddRouteEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso route := curr.(*routev1.Route) if oldRoute.ResourceVersion != route.ResourceVersion { routeMeta := k8sobjects.GetRouteMeta(route, c.name) + if !gslbutils.CheckTenant(route.Namespace, c.name, routeMeta.Tenant) { + return + } if _, ok := gslbutils.RouteGetIPAddr(route); !ok || !filter.ApplyFilter(filter.FilterArgs{ Cluster: c.name, Obj: routeMeta, 
@@ -403,16 +448,18 @@ func AddRouteEventHandler(numWorkers uint32, c *GSLBMemberController) cache.Reso fetchedRoute.Name, gslbutils.ObjectDelete, fetchedRoute.Hostname, fetchedRoute.Tenant, c.workqueue) return } - oldRouteMeta := k8sobjects.GetRouteMeta(oldRoute, c.name) - // check if tenant has changed for route - if oldRouteMeta.Tenant != routeMeta.Tenant { - oper := gslbutils.ObjectDelete - publishKeyToGraphLayer(numWorkers, gslbutils.RouteType, c.name, oldRouteMeta.Namespace, oldRouteMeta.Name, - oper, oldRouteMeta.Hostname, oldRouteMeta.Tenant, c.workqueue) - } op := gslbutils.ObjectUpdate - if _, ok := acceptedRouteStore.GetClusterNSObjectByName(c.name, route.GetObjectMeta().GetNamespace(), - route.GetObjectMeta().GetName()); !ok { + if fetchedObj, ok := acceptedRouteStore.GetClusterNSObjectByName(c.name, route.GetObjectMeta().GetNamespace(), + route.GetObjectMeta().GetName()); ok { + fetchedRoute := fetchedObj.(k8sobjects.RouteMeta) + // check if tenant has changed for route + if fetchedRoute.Tenant != routeMeta.Tenant { + oper := gslbutils.ObjectDelete + publishKeyToGraphLayer(numWorkers, gslbutils.RouteType, c.name, fetchedRoute.Namespace, fetchedRoute.Name, + oper, fetchedRoute.Hostname, fetchedRoute.Tenant, c.workqueue) + op = gslbutils.ObjectAdd + } + } else { op = gslbutils.ObjectAdd } AddOrUpdateRouteStore(acceptedRouteStore, route, c.name) @@ -919,7 +966,7 @@ func AddHostRuleEventHandler(numWorkers uint32, c *GSLBMemberController) cache.R } func filterAndAddMultiClusterIngressMeta(ingressHostMetaObjs []k8sobjects.MultiClusterIngressHostMeta, c *GSLBMemberController, - acceptedIngStore, rejectedIngStore *store.ClusterStore, numWorkers uint32, fullsync bool) { + acceptedIngStore, rejectedIngStore *store.ClusterStore, numWorkers uint32, fullsync bool, namespaceTenant string) { for _, ihm := range ingressHostMetaObjs { if ihm.IPAddr == "" || ihm.Hostname == "" { gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, msg: %s\n", 
@@ -927,6 +974,11 @@ func filterAndAddMultiClusterIngressMeta(ingressHostMetaObjs []k8sobjects.MultiC "rejected ADD ingress because IP address/Hostname not found in status field") continue } + if namespaceTenant != "" && ihm.Tenant != namespaceTenant { + gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, msg: %s\n", + c.name, ihm.Namespace, ihm.IngName, "rejected ADD ingress because tenant mismatch") + continue + } if !filter.ApplyFilter(filter.FilterArgs{ Obj: ihm, Cluster: c.name, @@ -945,12 +997,17 @@ func filterAndAddMultiClusterIngressMeta(ingressHostMetaObjs []k8sobjects.MultiC } func filterAndUpdateMultiClusterIngressMeta(oldIngMetaObjs, newIngMetaObjs []k8sobjects.MultiClusterIngressHostMeta, c *GSLBMemberController, - acceptedStore, rejectedStore *store.ClusterStore, numWorkers uint32) { + acceptedStore, rejectedStore *store.ClusterStore, numWorkers uint32, namespaceTenant string) { for _, mcihm := range oldIngMetaObjs { // Check whether this exists in the new ingressHost list, if not, we need // to delete this ingressHost object newMCIhm, found := mcihm.IngressHostInList(newIngMetaObjs) + if namespaceTenant != "" && namespaceTenant != newMCIhm.Tenant { + gslbutils.Debugf("cluster: %s, ns: %s, mcingress: %s, msg: %s\n", + c.name, newMCIhm.Namespace, newMCIhm.IngName, "rejected update mcingress because tenant mismatch") + continue + } if !found { // ingressHost doesn't exist anymore, delete this ingressHost object _, isAccepted := acceptedStore.GetClusterNSObjectByName(c.name, mcihm.Namespace, 
@@ -994,15 +1051,16 @@ func filterAndUpdateMultiClusterIngressMeta(oldIngMetaObjs, newIngMetaObjs []k8s fetchedIngHost.Hostname, fetchedIngHost.Tenant, c.workqueue) continue } - // check if tenant has changed for service - if mcihm.Tenant != newMCIhm.Tenant { - oper := gslbutils.ObjectDelete - publishKeyToGraphLayer(numWorkers, gslbutils.RouteType, c.name, mcihm.Namespace, mcihm.ObjName, - oper, mcihm.Hostname, mcihm.Tenant, c.workqueue) - } // check if the object existed in the acceptedIngStore oper := gslbutils.ObjectAdd - if _, ok := acceptedStore.GetClusterNSObjectByName(c.name, newMCIhm.Namespace, newMCIhm.ObjName); ok { + if fetchedObj, ok := acceptedStore.GetClusterNSObjectByName(c.name, newMCIhm.Namespace, newMCIhm.ObjName); ok { + fetchedIngHost := fetchedObj.(k8sobjects.MultiClusterIngressHostMeta) + // check if tenant has changed for service + if fetchedIngHost.Tenant != newMCIhm.Tenant { + oper := gslbutils.ObjectDelete + publishKeyToGraphLayer(numWorkers, gslbutils.RouteType, c.name, fetchedIngHost.Namespace, fetchedIngHost.ObjName, + oper, fetchedIngHost.Hostname, fetchedIngHost.Tenant, c.workqueue) + } oper = gslbutils.ObjectUpdate } // ingHost passed through the filter, need to send an update key @@ -1030,6 +1088,11 @@ func filterAndUpdateMultiClusterIngressMeta(oldIngMetaObjs, newIngMetaObjs []k8s "rejected ADD ingress because IP address/Hostname not found in status field") continue } + if namespaceTenant != "" && namespaceTenant != mcihm.Tenant { + gslbutils.Debugf("cluster: %s, ns: %s, mcingress: %s, msg: %s\n", + c.name, mcihm.Namespace, mcihm.IngName, "rejected update mcingress because tenant mismatch") + continue + } if !filter.ApplyFilter(filter.FilterArgs{ Obj: mcihm, Cluster: c.name, 
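Review bot: In the tenant-change branch `oper := gslbutils.ObjectDelete` declares a new variable that shadows the outer `oper`, and the outer one is then set to `ObjectUpdate` unconditionally, so after the delete for the old tenant an update, not an add, is queued for the new tenant. The ingress and route versions of this block in the same commit switch to `ObjectAdd` after a tenant change; this one should match, with `oper = gslbutils.ObjectAdd` after the delete is published and `oper = gslbutils.ObjectUpdate` in an `else`. The delete key is also published with `gslbutils.RouteType`, while deleteMultiClusterIngressMeta uses `gslbutils.MCIType` for the same objects; this looks carried over from the removed lines. The function starts and ends outside this hunk.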
@@ -1049,14 +1112,17 @@ func filterAndUpdateMultiClusterIngressMeta(oldIngMetaObjs, newIngMetaObjs []k8s func deleteMultiClusterIngressMeta(ingressHostMetaObjs []k8sobjects.MultiClusterIngressHostMeta, c *GSLBMemberController, acceptedStore, rejectedStore *store.ClusterStore, numWorkers uint32) { for _, mcihm := range ingressHostMetaObjs { - present := DeleteFromMultiClusterIngressStore(acceptedStore, mcihm, c.name) + fetchedObj, isAccepted := acceptedStore.GetClusterNSObjectByName(c.name, mcihm.Namespace, + mcihm.ObjName) + DeleteFromMultiClusterIngressStore(acceptedStore, mcihm, c.name) DeleteFromMultiClusterIngressStore(rejectedStore, mcihm, c.name) // Only if the ihm object was part of the accepted list previously, we will send a delete key // otherwise we will assume that the object was already deleted - if present { + if isAccepted { + fetchedMultiIngHost := fetchedObj.(k8sobjects.MultiClusterIngressHostMeta) publishKeyToGraphLayer(numWorkers, gslbutils.MCIType, c.name, - mcihm.Namespace, mcihm.ObjName, gslbutils.ObjectDelete, mcihm.Hostname, mcihm.Tenant, c.workqueue) + mcihm.Namespace, mcihm.ObjName, gslbutils.ObjectDelete, mcihm.Hostname, fetchedMultiIngHost.Tenant, c.workqueue) } } } @@ -1077,7 +1143,8 @@ func AddMultiClusterIngressEventHandler(numWorkers uint32, c *GSLBMemberControll // Don't add this ingr if there's no status field present or no IP is allocated in this // status field ingressHostMetaObjs := k8sobjects.GetHostMetaForMultiClusterIngress(mciObj, c.name) - filterAndAddMultiClusterIngressMeta(ingressHostMetaObjs, c, acceptedStore, rejectedStore, numWorkers, false) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(mciObj.Namespace, c.name) + filterAndAddMultiClusterIngressMeta(ingressHostMetaObjs, c, acceptedStore, rejectedStore, numWorkers, false, namespaceTenant) }, DeleteFunc: func(obj interface{}) { mciObj, ok := obj.(*akov1alpha1.MultiClusterIngress) 
@@ -1099,8 +1166,9 @@ func AddMultiClusterIngressEventHandler(numWorkers uint32, c *GSLBMemberControll if oldMCIObj.ResourceVersion != mciObj.ResourceVersion { oldIngMetaObjs := k8sobjects.GetHostMetaForMultiClusterIngress(oldMCIObj, c.name) newIngMetaObjs := k8sobjects.GetHostMetaForMultiClusterIngress(mciObj, c.name) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(mciObj.Namespace, c.name) filterAndUpdateMultiClusterIngressMeta(oldIngMetaObjs, newIngMetaObjs, c, acceptedStore, rejectedStore, - numWorkers) + numWorkers, namespaceTenant) } }, } diff --git a/gslb/ingestion/fullsync.go b/gslb/ingestion/fullsync.go index 313a9e9d..a274ab56 100644 --- a/gslb/ingestion/fullsync.go +++ b/gslb/ingestion/fullsync.go @@ -56,7 +56,8 @@ func fetchAndApplyAllIngresses(c *GSLBMemberController, nsList *corev1.Namespace } for _, ing := range ingList { ihms := k8sobjects.GetIngressHostMeta(ing, c.GetName()) - filterAndAddIngressMeta(ihms, c, acceptedIngStore, rejectedIngStore, 0, true) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(ing.Namespace, c.GetName()) + filterAndAddIngressMeta(ihms, c, acceptedIngStore, rejectedIngStore, 0, true, namespaceTenant) } } @@ -81,6 +82,9 @@ func fetchAndApplyAllServices(c *GSLBMemberController, nsList *corev1.NamespaceL c.GetName(), namespace.Name, svc.Name) continue } + if !gslbutils.CheckTenant(svc.Namespace, c.GetName(), svcMeta.Tenant) { + continue + } if !filter.ApplyFilter(filter.FilterArgs{ Obj: svcMeta, Cluster: c.GetName(), @@ -113,6 +117,9 @@ func fetchAndApplyAllRoutes(c *GSLBMemberController, nsList *corev1.NamespaceLis routeMeta.Name, "rejected ADD route because IP address/hostname not found in status field") continue } + if !gslbutils.CheckTenant(route.Namespace, c.GetName(), routeMeta.Tenant) { + continue + } if !filter.ApplyFilter(filter.FilterArgs{ Cluster: c.name, Obj: routeMeta, 
@@ -146,7 +153,8 @@ func fetchAndApplyAllMultiClusterIngresses(c *GSLBMemberController, nsList *core } for _, mci := range mciList { ihms := k8sobjects.GetHostMetaForMultiClusterIngress(mci, c.GetName()) - filterAndAddMultiClusterIngressMeta(ihms, c, acceptedStore, rejectedStore, 0, true) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(mci.Namespace, c.name) + filterAndAddMultiClusterIngressMeta(ihms, c, acceptedStore, rejectedStore, 0, true, namespaceTenant) } } diff --git a/gslb/k8sobjects/ingress_object.go b/gslb/k8sobjects/ingress_object.go index d05e5b2b..043ba72c 100644 --- a/gslb/k8sobjects/ingress_object.go +++ b/gslb/k8sobjects/ingress_object.go @@ -141,6 +141,13 @@ func GetIngressHostMeta(ingress *networkingv1.Ingress, cname string) []IngressHo var controllerUUID, tenant string vsUUIDs, controllerUUID, tenant, err = parseVSAndControllerAnnotations(ingress.Annotations) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(ingress.Namespace, cname) + + if namespaceTenant == "" { + tenant = gslbutils.GetTenant() + gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, tenant:%s, namespaceTenant %s ", + cname, ingress.Namespace, ingress.Name, tenant, namespaceTenant) + } if err != nil && !syncVIPsOnly { // Note that the ingress key will still be published to graph layer, but the key // won't be processed, this is just to maintain the ingress information as part diff --git a/gslb/k8sobjects/multicluster_ingress_objects.go b/gslb/k8sobjects/multicluster_ingress_objects.go index 4fc671ee..079f6713 100644 --- a/gslb/k8sobjects/multicluster_ingress_objects.go +++ b/gslb/k8sobjects/multicluster_ingress_objects.go 
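Review bot: In GetIngressHostMeta the tenant parsed from the ingress annotations is overwritten with `gslbutils.GetTenant()` whenever the namespace has no tenant annotation, and nothing in the hunk says this precedence is intended. A comment such as `// Namespace carries no tenant annotation: ignore the object's own tenant annotation and use gslbutils.GetTenant().` would make it explicit. The Debugf inside that branch prints `namespaceTenant`, which is always empty there, and its format string ends in a space rather than `\n`, unlike the other Debugf calls in this change. The copy of this block in route_object.go labels the route name as `ingress:`. The function starts and ends outside the hunk.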
@@ -62,6 +62,10 @@ func GetHostMetaForMultiClusterIngress(mci *akov1alpha1.MultiClusterIngress, cna var controllerUUID, tenant string vsUUIDs, controllerUUID, tenant, err = parseVSAndControllerAnnotations(mci.ObjectMeta.Annotations) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(mci.Namespace, cname) + if namespaceTenant == "" { + tenant = gslbutils.GetTenant() + } if err != nil && !syncVIPsOnly { // Note that the ingress key will still be published to graph layer, but the key // won't be processed, this is just to maintain the ingress information as part diff --git a/gslb/k8sobjects/route_object.go b/gslb/k8sobjects/route_object.go index 9cd30dc2..b287f801 100644 --- a/gslb/k8sobjects/route_object.go +++ b/gslb/k8sobjects/route_object.go @@ -56,6 +56,12 @@ func GetRouteMeta(route *routev1.Route, cname string) RouteMeta { gslbutils.Logf("cluster: %s, ns: %s, route: %s, msg: parsing Controller annotations", cname, route.Namespace, route.Name) vsUUIDs, controllerUUID, tenant, err = parseVSAndControllerAnnotations(route.Annotations) } + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(route.Namespace, cname) + if namespaceTenant == "" { + tenant = gslbutils.GetTenant() + gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, tenant:%s, namespaceTenant %s ", + cname, route.Namespace, route.Name, tenant, namespaceTenant) + } if err != nil && !syncVIPsOnly { gslbutils.Logf("cluster: %s, ns: %s, route: %s, msg: skipping route because of error: %v", cname, route.Namespace, route.Name, err) diff --git a/gslb/k8sobjects/service_object.go b/gslb/k8sobjects/service_object.go index 42f759ae..ebb771c0 100644 --- a/gslb/k8sobjects/service_object.go +++ b/gslb/k8sobjects/service_object.go 
@@ -83,6 +83,10 @@ func GetSvcMeta(svc *corev1.Service, cname string) (SvcMeta, bool) { cname, svc.Namespace, svc.Name, err) } vsUUIDs, controllerUUID, tenant, err := parseVSAndControllerAnnotations(svc.Annotations) + namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(svc.Namespace, cname) + if namespaceTenant == "" { + tenant = gslbutils.GetTenant() + } if err != nil && !syncVIPsOnly { gslbutils.Logf("cluster: %s, ns: %s, service: %s, msg: skipping service because of error in parsing VS and Controller annotations: %v", cname, svc.Namespace, svc.Name, err)