Merge pull request #1582 from crazy-max/k8s-exclude-namespaces

crazy-max · web-flow · commit 2894204def3f · 2025-12-24T12:23:51.000+01:00
kubernetes: support negating namespaces
diff --git a/docs/providers/kubernetes.md b/docs/providers/kubernetes.md
@@ -2,15 +2,16 @@
 
 ## About
 
-The Kubernetes provider allows you to analyze the pods of your Kubernetes cluster to extract images found and check
-for updates on the registry.
+The Kubernetes provider allows you to analyze the pods of your Kubernetes
+cluster to extract images found and check for updates on the registry.
 
 ## Quick start
 
-In this section we quickly go over a basic deployment using your local Kubernetes cluster.
+In this section, we quickly go over a basic deployment using your local
+Kubernetes cluster.
 
-Here we use our local Kubernetes provider with a minimum configuration to analyze annotated pods (watch by default
-disabled).
+Here we use our local Kubernetes provider with a minimum configuration to
+analyze annotated pods (watch by default disabled).
 
 Now let's create a simple pod for Diun:
 
@@ -127,8 +128,9 @@ spec:
             - containerPort: 80
 ```
 
-As an example we use [nginx](https://hub.docker.com/_/nginx/) Docker image. A few [annotations](#kubernetes-annotations)
-are added to configure the image analysis of this pod for Diun. We can now start these 2 pods:
+As an example we use [nginx](https://hub.docker.com/_/nginx/) Docker image. A
+few [annotations](#kubernetes-annotations) are added to configure the image
+analysis of this pod for Diun. We can now start these 2 pods:
 
 ```
 kubectl apply -f diun.yml
@@ -176,20 +178,22 @@ The Kubernetes server endpoint as URL.
 !!! abstract "Environment variables"
     * `DIUN_PROVIDERS_KUBERNETES_ENDPOINT`
 
-Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below
-does not apply.
+Kubernetes server endpoint as URL, which is only used when the behavior based
+on environment variables described below does not apply.
 
-When deployed into Kubernetes, Diun reads the environment variables `KUBERNETES_SERVICE_HOST` and
-`KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to create the endpoint.
+When deployed into Kubernetes, Diun reads the environment variables
+`KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to
+create the endpoint.
 
-The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate
-in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. They are both provided automatically as mounts in the
-pod where Diun is deployed.
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token`
+and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+They are both provided automatically as mounts in the pod where Diun is deployed.
 
-When the environment variables are not found, Diun tries to connect to the Kubernetes API server with an
-external-cluster client. In which case, the endpoint is required. Specifically, it may be set to the URL used
-by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the
-associated kubeconfig.
+When the environment variables are not found, Diun tries to connect to the
+Kubernetes API server with an external-cluster client. In which case, the
+endpoint is required. Specifically, it may be set to the URL used by
+`kubectl proxy` to connect to a Kubernetes cluster using the granted
+authentication and authorization of the associated kubeconfig.
 
 ### `token`
 
@@ -221,7 +225,8 @@ Use content of secret file as bearer token if `token` not defined.
 
 ### `certAuthFilePath`
 
-Path to the certificate authority file. Used for the Kubernetes client configuration.
+Path to the certificate authority file. Used for the Kubernetes client
+configuration.
 
 !!! example "File"
     ```yaml
@@ -235,7 +240,8 @@ Path to the certificate authority file. Used for the Kubernetes client configura
 
 ### `tlsInsecure`
 
-Controls whether client does not verify the server's certificate chain and hostname (default `false`).
+Controls whether client does not verify the server's certificate chain and
+hostname (default `false`).
 
 !!! example "File"
     ```yaml
@@ -249,7 +255,9 @@ Controls whether client does not verify the server's certificate chain and hostn
 
 ### `namespaces`
 
-Array of namespaces to watch (default all namespaces).
+Array of namespaces to watchBy default, it watches all namespaces. You can
+limit monitoring to specific namespaces by listing them. This helps reduce
+scope and focus on relevant pods only.
 
 !!! example "File"
     ```yaml
@@ -260,13 +268,26 @@ Array of namespaces to watch (default all namespaces).
           - production
     ```
 
+You can also negate namespaces by prefixing them with `!` if you want to watch
+all namespaces except specific ones:
+
+!!! example "File"
+    ```yaml
+    providers:
+      kubernetes:
+        namespaces:
+          - !kube-system
+          - !kube-public
+          - !kube-node-lease
+    ```
+
 !!! abstract "Environment variables"
     * `DIUN_PROVIDERS_KUBERNETES_NAMESPACES` (comma separated)
 
 ### `watchByDefault`
 
-Enable watch by default. If false, pods that don't have `diun.enable: "true"` annotation will be ignored
-(default `false`).
+Enable watch by default. If false, pods that don't have `diun.enable: "true"`
+annotation will be ignored (default `false`).
 
 !!! example "File"
     ```yaml
@@ -280,7 +301,8 @@ Enable watch by default. If false, pods that don't have `diun.enable: "true"` an
 
 ## Kubernetes annotations
 
-You can configure more finely the way to analyze the image of your pods through Kubernetes annotations:
+You can configure more finely the way to analyze the image of your pods through
+Kubernetes annotations:
 
 | Name                | Default                        | Description                                                                                                                                             |
 |---------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
diff --git a/internal/provider/dockerfile/image.go b/internal/provider/dockerfile/image.go
@@ -2,13 +2,13 @@ package dockerfile
 
 import (
 	"reflect"
+	"slices"
 	"strings"
 
 	"github.com/bmatcuk/doublestar/v3"
 	"github.com/crazy-max/diun/v4/internal/model"
 	"github.com/crazy-max/diun/v4/internal/provider"
 	"github.com/crazy-max/diun/v4/pkg/dockerfile"
-	"github.com/crazy-max/diun/v4/pkg/utl"
 )
 
 func (c *Client) listExtImage() (list []model.Image) {
@@ -67,7 +67,7 @@ func (c *Client) listDockerfiles(patterns []string) (dfiles []string) {
 			continue
 		}
 		for _, dfile := range matches {
-			if utl.Contains(dfiles, dfile) {
+			if slices.Contains(dfiles, dfile) {
 				continue
 			}
 			dfiles = append(dfiles, dfile)
diff --git a/pkg/k8s/client.go b/pkg/k8s/client.go
@@ -15,9 +15,10 @@ import (
 
 // Client represents an active kubernetes object
 type Client struct {
-	ctx        context.Context
-	namespaces []string
-	API        *kubernetes.Clientset
+	ctx                context.Context
+	namespaces         []string
+	namespacesExcludes []string
+	API                *kubernetes.Clientset
 }
 
 // Options holds kubernetes client object options
@@ -47,14 +48,29 @@ func New(opts Options) (*Client, error) {
 		api, err = newExternalClusterClient(opts)
 	}
 
-	if len(opts.Namespaces) == 0 {
-		opts.Namespaces = []string{metav1.NamespaceAll}
+	var namespaces []string
+	var namespacesExcluded []string
+	for _, ns := range opts.Namespaces {
+		if ns == "" {
+			continue
+		}
+		if ns[0] == '!' {
+			if len(ns) > 1 {
+				namespacesExcluded = append(namespacesExcluded, ns[1:])
+			}
+		} else {
+			namespaces = append(namespaces, ns)
+		}
+	}
+	if len(namespaces) == 0 {
+		namespaces = []string{metav1.NamespaceAll}
 	}
 
 	return &Client{
-		ctx:        context.Background(),
-		namespaces: opts.Namespaces,
-		API:        api,
+		ctx:                context.Background(),
+		namespaces:         namespaces,
+		namespacesExcludes: namespacesExcluded,
+		API:                api,
 	}, err
 }
 
diff --git a/pkg/k8s/pod.go b/pkg/k8s/pod.go
@@ -1,6 +1,7 @@
 package k8s
 
 import (
+	"slices"
 	"sort"
 
 	v1 "k8s.io/api/core/v1"
@@ -17,6 +18,9 @@ func (c *Client) PodList(opts metav1.ListOptions) ([]v1.Pod, error) {
 			return nil, err
 		}
 		for _, pod := range pods.Items {
+			if slices.Contains(c.namespacesExcludes, pod.Namespace) {
+				continue
+			}
 			podList = appendPod(podList, pod)
 		}
 	}
diff --git a/pkg/utl/utl.go b/pkg/utl/utl.go
@@ -83,13 +83,3 @@ func NewTrue() *bool {
 func NewDuration(duration time.Duration) *time.Duration {
 	return &duration
 }
-
-// Contains checks if a slice contains a string
-func Contains(s []string, e string) bool {
-	for _, a := range s {
-		if a == e {
-			return true
-		}
-	}
-	return false
-}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package k8s`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "slices"`
`4`	`5`	`"sort"`
`5`	`6`
`6`	`7`	`v1 "k8s.io/api/core/v1"`
`@@ -17,6 +18,9 @@ func (c *Client) PodList(opts metav1.ListOptions) ([]v1.Pod, error) {`
`17`	`18`	`return nil, err`
`18`	`19`	`}`
`19`	`20`	`for _, pod := range pods.Items {`
	`21`	`+ if slices.Contains(c.namespacesExcludes, pod.Namespace) {`
	`22`	`+ continue`
	`23`	`+ }`
`20`	`24`	`podList = appendPod(podList, pod)`
`21`	`25`	`}`
`22`	`26`	`}`