fritzlab-public/flock
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

M1.5: NodeConfig dynamic informer + RBAC
Build flock Image / build (push) Has been cancelled
Details

Browse Source 
Agent now watches nodeconfigs.flock.fritzlab.net via a client-go dynamic
informer, filters events to its own node name, and caches the typed
NodeConfig in memory (NodeConfigCache, atomic pointer). M2's IPAM will
read from that cache.

- pkg/agent/nodeconfig.go: informer + JSON-round-trip decode (avoids
  hand-written DeepCopy + scheme registration for this small a use).
- pkg/agent/server.go: starts the informer goroutine; Run terminates if
  the informer returns.
- pkg/api/v1alpha1: switch placeholder TypeMeta/ObjectMeta to metav1.
- deploy/rbac: get/list/watch on nodeconfigs.
- cmd/flock-agent: --kubeconfig flag for out-of-cluster runs (tests).

Satisfies M1 verified-by: "kubectl apply NodeConfig; agent logs read it".

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Donavan Fritz
2026-04-24 22:00:48 -05:00
parent e0ae98ad6c
commit 759ed21b37
8 changed files with 383 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/install.yaml
+5 -3
View File
@@ -77,13 +77,15 @@ metadata:
name: flock-agent
namespace: kube-system
---
# M1 RBAC: empty. The agent does not yet read any Kubernetes objects.
# M2+ will add Pod, NetworkPolicy, and NodeConfig permissions here.
# M1.5 RBAC: just enough to read NodeConfig. M2 adds pods + networkpolicies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flock-agent
rules: []
rules:
- apiGroups: ["flock.fritzlab.net"]
resources: ["nodeconfigs"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
deploy/rbac/serviceaccount.yaml
+5 -3
View File
@@ -4,13 +4,15 @@ metadata:
name: flock-agent
namespace: kube-system
---
# M1 RBAC: empty. The agent does not yet read any Kubernetes objects.
# M2+ will add Pod, NetworkPolicy, and NodeConfig permissions here.
# M1.5 RBAC: just enough to read NodeConfig. M2 adds pods + networkpolicies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flock-agent
rules: []
rules:
- apiGroups: ["flock.fritzlab.net"]
resources: ["nodeconfigs"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding