diff --git a/pkg/apis/workload/v1alpha1/types.go b/pkg/apis/workload/v1alpha1/types.go index 7060a82ef8e..b3c7956a138 100644 --- a/pkg/apis/workload/v1alpha1/types.go +++ b/pkg/apis/workload/v1alpha1/types.go @@ -162,7 +162,7 @@ const ( // check all the APIBindings with this annotation for scheduling purpose. ComputeAPIExportAnnotationKey = "extra.apis.kcp.io/compute.workload.kcp.io" - // UpsyncDerivedResourcesAnnotationKey is an annotation that can be set on a syncable resource. + // ExperimentalUpsyncDerivedResourcesAnnotationKey is an annotation that can be set on a syncable resource. // It defines the resource types of derived resources (i.e. resources created from the syncable resource // by some controller and that will not exist without it) intended to be upsynced to KCP. // @@ -170,11 +170,22 @@ const ( // // To allow upsyncing an Endpoints resource related to a synced service, the Service instance should be annotated with: // - // workload.kcp.io/upsync-derived-resources: endpoints + // experimental.workload.kcp.io/upsync-derived-resources: endpoints // - // Of course this also requires having, on the physical cluster, the appropriate logic that will effectively - // label the derived resources for Upsync. // For now, only endpoints can be upsynced on demand by the syncer with this mechanism, - // but the list of such resources will increase in the future. - UpsyncDerivedResourcesAnnotationKey = "workload.kcp.io/upsync-derived-resources" + // but the list of such resources would increase in the future. + // + // Of course using this annotation also requires having, on the physical cluster, the appropriate logic + // that will effectively label the derived resources for Upsync. + // This logic should guard against upsyncing unexpected resources. + // In addition, Upsyncing is limited to a limited, well-defined list of resource types on the KCP side, + // so that simply adding this annotation on a synced resource will not be a security risk. + // + // This annotation is user-facing and would typically be set by the client creating the synced resource + // in the KCP workspace, be it the end-user or a third-party controller. + // + // It is experimental since the provided user-experience is unsatisfactory, + // and further work should be done to define such (up)syncing strategies at a more appropriate level + // (SyncTarget, KCP namespace, KCP workspace ?). + ExperimentalUpsyncDerivedResourcesAnnotationKey = "experimental.workload.kcp.io/upsync-derived-resources" ) diff --git a/pkg/syncer/endpoints/endpoint_downstream_process.go b/pkg/syncer/endpoints/endpoint_downstream_process.go index 9c50af55485..52bb1ac711f 100644 --- a/pkg/syncer/endpoints/endpoint_downstream_process.go +++ b/pkg/syncer/endpoints/endpoint_downstream_process.go @@ -90,7 +90,7 @@ func (c *controller) process(ctx context.Context, key string) error { return nil } - derivedResourcesToUpsync := strings.Split(service.GetAnnotations()[workloadv1alpha1.UpsyncDerivedResourcesAnnotationKey], ",") + derivedResourcesToUpsync := strings.Split(service.GetAnnotations()[workloadv1alpha1.ExperimentalUpsyncDerivedResourcesAnnotationKey], ",") if len(derivedResourcesToUpsync) == 0 || !sets.NewString(derivedResourcesToUpsync...).Has(endpointsGVR.GroupResource().String()) { logger.V(3).Info("ignoring endpoint since it is not mentioned in the service 'workload.kcp.io/upsync-derived-resources' annotation") diff --git a/pkg/syncer/endpoints/endpoint_downstream_process_test.go b/pkg/syncer/endpoints/endpoint_downstream_process_test.go index 528d4fb6939..953f55623c6 100644 --- a/pkg/syncer/endpoints/endpoint_downstream_process_test.go +++ b/pkg/syncer/endpoints/endpoint_downstream_process_test.go @@ -79,7 +79,7 @@ func TestEndpointsControllerProcess(t *testing.T) { }).Object(), downstreamEndpoints: endpoints("httpecho").WithNamespace("downstream-ns").Object(), downstreamService: service("httpecho").WithNamespace("downstream-ns").WithAnnotations(map[string]string{ - "workload.kcp.io/upsync-derived-resources": "pods,endpoints", + "experimental.workload.kcp.io/upsync-derived-resources": "pods,endpoints", }).Object(), expectedPatch: `{"metadata": {"labels": {"state.workload.kcp.io/6ohB8yeXhwqTQVuBzJRgqcRJTpRjX7yTZu5g5g":"Upsync"}}}`, expectedPatchType: types.StrategicMergePatchType, diff --git a/test/e2e/syncer/endpoints/service-with-upsync.yaml b/test/e2e/syncer/endpoints/service-with-upsync.yaml index 4f67789eba2..19167915ecf 100644 --- a/test/e2e/syncer/endpoints/service-with-upsync.yaml +++ b/test/e2e/syncer/endpoints/service-with-upsync.yaml @@ -4,7 +4,7 @@ metadata: name: with-endpoints-upsync namespace: default annotations: - workload.kcp.io/upsync-derived-resources: endpoints + experimental.workload.kcp.io/upsync-derived-resources: endpoints spec: selector: app.kubernetes.io/name: with-endpoints-upsync