Add a webhook for namespace deletion (#719)

This commit makes KMM set the kmm.node.k8s.io/contains-modules label on
all namespaces that contain at least one Module.
It also adds a new webhook to the bundle and the corresponding handler
in the manager.
The new webhook rejects namespace deletions if the
kmm.node.k8s.io/contains-modules label is present on the namespace.
This avoids entering situations where the namespace is being deleted and
KMM cannot create unloading Pods to honor Module deletion.

Author: qbarrand

Makefile

@@ -100,7 +100,7 @@ help: ## Display this help.
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) crd paths="./api/..." output:crd:artifacts:config=config/crd/bases
-	$(CONTROLLER_GEN) webhook paths="./api/..." output:webhook:artifacts:config=config/webhook
+	$(CONTROLLER_GEN) webhook paths="./api/..." paths="./internal/webhook/..." output:webhook:artifacts:config=config/webhook
 	$(CONTROLLER_GEN) rbac:roleName=manager-role paths="./internal/controllers" output:rbac:artifacts:config=config/rbac
 	# Hub
 	$(CONTROLLER_GEN) crd paths="./api-hub/..." output:crd:artifacts:config=config/crd-hub/bases

cmd/manager/main.go

@@ -22,6 +22,7 @@ import (
 	"os"
 	"strconv"
 
+	"github.com/kubernetes-sigs/kernel-module-management/internal/webhook"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -207,6 +208,10 @@ func main() {
 		}
 	}
 
+	if err = (&webhook.NamespaceDeletion{}).SetupWebhookWithManager(mgr); err != nil {
+		cmd.FatalError(setupLogger, err, "unable to create webhook", "webhook", "Namespace")
+	}
+
 	if err = (&v1beta12.Module{}).SetupWebhookWithManager(mgr); err != nil {
 		cmd.FatalError(setupLogger, err, "unable to create webhook", "webhook", "Module")
 	}

config/rbac/role.yaml

@@ -42,6 +42,15 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
 - apiGroups:
   - ""
   resources:

config/webhook/kustomization.yaml

@@ -7,3 +7,6 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
+
+patches:
+- path: manifests_namespace_selector_patch.yaml

config/webhook/manifests.yaml

@@ -24,3 +24,22 @@ webhooks:
     resources:
     - modules
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate--v1-namespace
+  failurePolicy: Fail
+  name: namespace-deletion.kmm.sigs.k8s.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - namespaces
+  sideEffects: None

config/webhook/manifests_namespace_selector_patch.yaml

@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+webhooks:
+- name: namespace-deletion.kmm.sigs.k8s.io
+  namespaceSelector:
+    matchLabels:
+      kmm.node.k8s.io/contains-modules: ''

docs/mkdocs/documentation/deploy_kmod.md

@@ -236,11 +236,10 @@ KMM will then create worker Pods where required to run `modprobe -r` and unload
     This includes the `ServiceAccount` that are referenced in the `Module` as well as any RBAC you may have defined to
     allow privileged KMM worker Pods to run.
     It also includes any pull secret referenced in `.spec.imageRepoSecret`.  
-    To avoid situations where KMM is unable to unload the kernel module from nodes:  
-
-      - do not delete those resources while the `Module` resource is still present in the cluster in any state,
-        including `Terminating`;
-      - do not delete any namespace containing at least a `Module` resource.
+    To avoid situations where KMM is unable to unload the kernel module from nodes, make sure those resources are not
+    deleted while the `Module` resource is still present in the cluster in any state, including `Terminating`.  
+    KMM ships with a validating admission webhook that rejects the deletion of namespaces that contain at least one
+    `Module` resource.
 
 ## Security and permissions
 

internal/constants/constants.go

@@ -8,6 +8,7 @@ const (
 	PodHashAnnotation    = "kmm.node.kubernetes.io/last-hash"
 	KernelLabel          = "kmm.node.kubernetes.io/kernel-version.full"
 	DaemonSetRole        = "kmm.node.kubernetes.io/role"
+	NamespaceLabelKey    = "kmm.node.k8s.io/contains-modules"
 
 	WorkerPodVersionLabelPrefix    = "beta.kmm.node.kubernetes.io/version-worker-pod"
 	DevicePluginVersionLabelPrefix = "beta.kmm.node.kubernetes.io/version-device-plugin"

internal/controllers/mock_module_nmc_reconciler.go

@@ -30,6 +30,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
+//+kubebuilder:rbac:groups="core",resources=namespaces,verbs=get;list;patch;watch
 //+kubebuilder:rbac:groups="core",resources=nodes,verbs=get;watch
 //+kubebuilder:rbac:groups=kmm.sigs.x-k8s.io,resources=nodemodulesconfigs,verbs=get;list;watch;patch;create;delete
 
@@ -47,6 +48,7 @@ type schedulingData struct {
 
 type ModuleNMCReconciler struct {
 	filter      *filter.Filter
+	nsLabeler   namespaceLabeler
 	reconHelper moduleNMCReconcilerHelperAPI
 }
 
@@ -59,6 +61,7 @@ func NewModuleNMCReconciler(client client.Client,
 	reconHelper := newModuleNMCReconcilerHelper(client, kernelAPI, registryAPI, nmcHelper, scheme)
 	return &ModuleNMCReconciler{
 		filter:      filter,
+		nsLabeler:   newNamespaceLabeler(client),
 		reconHelper: reconHelper,
 	}
 }
@@ -78,13 +81,21 @@ func (mnr *ModuleNMCReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 	if mod.GetDeletionTimestamp() != nil {
 		//Module is being deleted
+		if err = mnr.nsLabeler.tryRemovingLabel(ctx, mod.Namespace, mod.Name); err != nil {
+			return ctrl.Result{}, fmt.Errorf("error while trying to remove the label on namespace %s: %v", mod.Namespace, err)
+		}
+
 		err = mnr.reconHelper.finalizeModule(ctx, mod)
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to finalize %s Module: %v", req.NamespacedName, err)
 		}
 		return ctrl.Result{}, nil
 	}
 
+	if err = mnr.nsLabeler.setLabel(ctx, mod.Namespace); err != nil {
+		return ctrl.Result{}, fmt.Errorf("could not set label %q on namespace %s: %v", constants.NamespaceLabelKey, mod.Namespace, err)
+	}
+
 	err = mnr.reconHelper.setFinalizerAndStatus(ctx, mod)
 	if err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to set finalizer on %s Module: %v", req.NamespacedName, err)
@@ -145,7 +156,7 @@ func (mnr *ModuleNMCReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(mnr)
 }
 
-//go:generate mockgen -source=module_nmc_reconciler.go -package=controllers -destination=mock_module_nmc_reconciler.go moduleNMCReconcilerHelperAPI
+//go:generate mockgen -source=module_nmc_reconciler.go -package=controllers -destination=mock_module_nmc_reconciler.go moduleNMCReconcilerHelperAPI,namespaceLabeler
 
 type moduleNMCReconcilerHelperAPI interface {
 	setFinalizerAndStatus(ctx context.Context, mod *kmmv1beta1.Module) error
@@ -439,6 +450,80 @@ func (mnrh *moduleNMCReconcilerHelper) moduleUpdateWorkerPodsStatus(ctx context.
 	return mnrh.client.Status().Patch(ctx, mod, client.MergeFrom(unmodifiedMod))
 }
 
+type namespaceLabeler interface {
+	setLabel(ctx context.Context, name string) error
+	tryRemovingLabel(ctx context.Context, name, moduleName string) error
+}
+
+type namespaceLabelerImpl struct {
+	client client.Client
+}
+
+func newNamespaceLabeler(client client.Client) namespaceLabeler {
+	return &namespaceLabelerImpl{client: client}
+}
+
+func (h *namespaceLabelerImpl) setLabel(ctx context.Context, name string) error {
+	logger := log.FromContext(ctx)
+
+	ns := v1.Namespace{}
+
+	if err := h.client.Get(ctx, types.NamespacedName{Name: name}, &ns); err != nil {
+		return fmt.Errorf("could not get namespace %s: %v", name, err)
+	}
+
+	if !meta.HasLabel(&ns, constants.NamespaceLabelKey) {
+		nsCopy := ns.DeepCopy()
+
+		logger.Info("Setting namespace label")
+		meta.SetLabel(&ns, constants.NamespaceLabelKey, "")
+
+		return h.client.Patch(ctx, &ns, client.MergeFrom(nsCopy))
+	}
+
+	return nil
+}
+
+func (h *namespaceLabelerImpl) tryRemovingLabel(ctx context.Context, name, moduleName string) error {
+	logger := log.FromContext(ctx)
+
+	modList := kmmv1beta1.ModuleList{}
+
+	opt := client.InNamespace(name)
+
+	if err := h.client.List(ctx, &modList, opt); err != nil {
+		return fmt.Errorf("could not list modules in namespace %s: %v", name, err)
+	}
+
+	if count := len(modList.Items); count > 1 {
+		logger.Info("Namespace still contains modules; not removing the label", "count", count)
+
+		if verboseLogger := logger.V(1); verboseLogger.Enabled() {
+			modNames := make([]string, 0, count)
+
+			for _, m := range modList.Items {
+				modNames = append(modNames, m.Name)
+			}
+
+			verboseLogger.Info("Remaining modules", "names", modNames)
+		}
+
+		return nil
+	}
+
+	ns := &v1.Namespace{}
+
+	if err := h.client.Get(ctx, types.NamespacedName{Name: name}, ns); err != nil {
+		return fmt.Errorf("could not get namespace %s: %v", name, err)
+	}
+
+	nsCopy := ns.DeepCopy()
+
+	meta.RemoveLabel(ns, constants.NamespaceLabelKey)
+
+	return h.client.Patch(ctx, ns, client.MergeFrom(nsCopy))
+}
+
 func prepareNodeSchedulingData(node v1.Node, mld *api.ModuleLoaderData, currentNMCs sets.Set[string]) schedulingData {
 	versionLabel := ""
 	present := false