(feat) classify managed clusters from management-cluster resources

.github/workflows/main.yaml

@@ -16,7 +16,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
       with:
         go-version: 1.26.4
     - name: Build
@@ -35,7 +35,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
       with:
         go-version: 1.26.4
     - name: ut
@@ -48,7 +48,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
       with:
         go-version: 1.26.4
     - name: fv
@@ -61,7 +61,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
       with:
         go-version: 1.26.4
     - name: fv-sharding
@@ -74,7 +74,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
       with:
         go-version: 1.26.4
     - name: fv-agentless
@@ -87,7 +87,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
       with:
         go-version: 1.26.4
     - name: fv-pullmode
@@ -100,7 +100,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
     - name: Set up Go
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
       with:
         go-version: 1.26.4
     - name: fv

Makefile

@@ -60,7 +60,7 @@ KUBECTL := $(TOOLS_BIN_DIR)/kubectl
 CLUSTERCTL := $(TOOLS_BIN_DIR)/clusterctl
 
 GOLANGCI_LINT_VERSION := "v2.12.1"
-CLUSTERCTL_VERSION := v1.13.2
+CLUSTERCTL_VERSION := v1.13.3
 
 KUSTOMIZE_VER := v5.8.0
 KUSTOMIZE_BIN := kustomize
@@ -221,6 +221,8 @@ deploy-crds: $(KUBECTL) ## Install all required Sveltos CRDs
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_debuggingconfigurations.lib.projectsveltos.io.yaml
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_classifiers.lib.projectsveltos.io.yaml
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_classifierreports.lib.projectsveltos.io.yaml
+	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_managementclusterclassifiers.lib.projectsveltos.io.yaml
+	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_managementclusterclassifierreports.lib.projectsveltos.io.yaml
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_accessrequests.lib.projectsveltos.io.yaml
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_rolerequests.lib.projectsveltos.io.yaml
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_sveltosclusters.lib.projectsveltos.io.yaml

config/manager/manager.yaml

@@ -26,13 +26,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        # TODO(user): For common cases that do not require escalating privileges
-        # it is recommended to ensure that all your Pods/Containers are restrictive.
-        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
-        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
-        # seccompProfile:
-        #   type: RuntimeDefault
+        seccompProfile:
+          type: RuntimeDefault
       initContainers:
       - name: migrate
         command:

config/rbac/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
+- role_extra.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

config/rbac/role.yaml

@@ -65,6 +65,7 @@ rules:
   - classifiers
   - configurationbundles
   - configurationgroups
+  - managementclusterclassifiers
   verbs:
   - create
   - delete
@@ -77,6 +78,7 @@ rules:
   - lib.projectsveltos.io
   resources:
   - classifierreports
+  - managementclusterclassifierreports
   verbs:
   - create
   - delete
@@ -89,6 +91,8 @@ rules:
   resources:
   - classifierreports/status
   - classifiers/status
+  - managementclusterclassifierreports/status
+  - managementclusterclassifiers/status
   verbs:
   - get
   - patch
@@ -97,6 +101,7 @@ rules:
   - lib.projectsveltos.io
   resources:
   - classifiers/finalizers
+  - managementclusterclassifiers/finalizers
   verbs:
   - update
 - apiGroups:

config/rbac/role_binding.yaml

@@ -10,3 +10,16 @@ subjects:
 - kind: ServiceAccount
   name: manager
   namespace: system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding-extra
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: controller-role-extra
+subjects:
+- kind: ServiceAccount
+  name: manager
+  namespace: system

config/rbac/role_extra.yaml

@@ -0,0 +1,20 @@
+---
+# ManagementClusterClassifier evaluates resources on the management cluster
+# to classify managed clusters and apply labels to them.
+# Grant this ClusterRole the verbs (get, list, watch) on whatever API groups
+# and resources your ManagementClusterClassifier instances reference in
+# spec.matchResources. A ClusterRoleBinding tying this role to the classifier
+# ServiceAccount is created automatically when Sveltos is installed.
+# Example: to allow watching ConfigMaps and ScanResult CRs add
+#
+#   rules:
+#   - apiGroups: [""]
+#     resources: ["configmaps"]
+#     verbs: ["get", "list", "watch"]
+#   - apiGroups: ["compliance.example.io"]
+#     resources: ["scanresults"]
+#     verbs: ["get", "list", "watch"]
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: controller-role-extra

controllers/controllers_suite_test.go

@@ -129,6 +129,14 @@ var _ = BeforeSuite(func() {
 	Expect(err).To(BeNil())
 	Expect(testEnv.Create(ctx, classifierReportCRD)).To(Succeed())
 
+	mgmtClusterClassifierCRD, err := k8s_utils.GetUnstructured(crd.GetManagementClusterClassifierCRDYAML())
+	Expect(err).To(BeNil())
+	Expect(testEnv.Create(ctx, mgmtClusterClassifierCRD)).To(Succeed())
+
+	mgmtClusterClassifierReportCRD, err := k8s_utils.GetUnstructured(crd.GetManagementClusterClassifierReportCRDYAML())
+	Expect(err).To(BeNil())
+	Expect(testEnv.Create(ctx, mgmtClusterClassifierReportCRD)).To(Succeed())
+
 	ns := &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: sveltosNamespace,

controllers/export_test.go

@@ -90,3 +90,19 @@ var (
 const (
 	Controlplaneendpoint = controlplaneendpoint
 )
+
+// ManagementClusterClassifier exports for unit tests.
+var (
+	DoesMatchLabelFilters      = doesMatchLabelFilters
+	RunClassificationLua       = runClassificationLua
+	ClusterTypeFromKind        = clusterTypeFromKind
+	MgmtClassifierAsClassifier = mgmtClassifierAsClassifier
+	EnsureMgmtClassifierReport = ensureMgmtClassifierReport
+	ClassifierLabelKeys        = classifierLabelKeys
+	FetchResourcesForSelector  = fetchResourcesForSelector
+	ListMgmtClassifierReports  = listMgmtClassifierReports
+	GetMgmtClassifierReport    = getMgmtClassifierReport
+	DeleteMgmtClassifierReport = deleteMgmtClassifierReport
+	ApplyLabelsToCluster       = applyLabelsToCluster
+	RemoveLabelsFromCluster    = removeLabelsFromCluster
+)

controllers/keymanager/keymanager.go

@@ -354,7 +354,7 @@ func isClassifierAlreadyRegistered(classifiers []string, classifierKey string) b
 
 // rebuildRegistrations rebuilds internal structures to identify Classifiers managing
 // labels and Classifiers currently just registered but not managing.
-// Reads from ClassifierReport.Status (the authoritative post-migration location).
+// Reads from ClassifierReport.Status and ManagementClusterClassifierReport.Status.
 func (m *instance) rebuildRegistrations(ctx context.Context, c client.Client) error {
 	// Lock here
 	m.chartMux.Lock()
@@ -389,6 +389,47 @@ func (m *instance) rebuildRegistrations(ctx context.Context, c client.Client) er
 		m.addManagedLabelsInCluster(classifierKey, clusterKey, unManagedKeys)
 	}
 
+	// Also rebuild registrations from ManagementClusterClassifierReports.
+	// ManagementClusterClassifier names are stored with the "mgmt:" prefix to avoid
+	// collision with regular Classifier names.
+	if err := m.rebuildMgmtClassifierRegistrations(ctx, c); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// rebuildMgmtClassifierRegistrations reads ManagementClusterClassifierReports and registers
+// each ManagementClusterClassifier's label ownership using the "mgmt:" prefix.
+func (m *instance) rebuildMgmtClassifierRegistrations(ctx context.Context, c client.Client) error {
+	mgmtReportList := &libsveltosv1beta1.ManagementClusterClassifierReportList{}
+	if err := c.List(ctx, mgmtReportList); err != nil {
+		return err
+	}
+
+	// First pass: managed labels (primary managers).
+	for i := range mgmtReportList.Items {
+		report := &mgmtReportList.Items[i]
+		if report.Spec.ClusterNamespace == "" || len(report.Status.ManagedLabels) == 0 {
+			continue
+		}
+		clusterKey := m.getClusterKey(report.Spec.ClusterNamespace, report.Spec.ClusterName, report.Spec.ClusterType)
+		classifierKey := m.getClassifierKey("mgmt:" + report.Spec.ClassifierName)
+		m.addManagedLabelsInCluster(classifierKey, clusterKey, report.Status.ManagedLabels)
+	}
+
+	// Second pass: unmanaged labels (waiting to take over).
+	for i := range mgmtReportList.Items {
+		report := &mgmtReportList.Items[i]
+		if report.Spec.ClusterNamespace == "" || len(report.Status.UnManagedLabels) == 0 {
+			continue
+		}
+		clusterKey := m.getClusterKey(report.Spec.ClusterNamespace, report.Spec.ClusterName, report.Spec.ClusterType)
+		classifierKey := m.getClassifierKey("mgmt:" + report.Spec.ClassifierName)
+		unManagedKeys := m.buildSliceOfUnManagedLabels(report.Status.UnManagedLabels)
+		m.addManagedLabelsInCluster(classifierKey, clusterKey, unManagedKeys)
+	}
+
 	return nil
 }