feat(sandbox-manager): introduce scoped sandbox-related custom resource informer

lxs137 · furykerry · commit 4d5825cac48f · 2026-03-24T14:56:14.000+08:00
Signed-off-by: menya &lt;lxs137@hotmail.com&gt;
diff --git a/cmd/sandbox-manager/main.go b/cmd/sandbox-manager/main.go
@@ -34,6 +34,8 @@ func main() {
 	var e2bMaxTimeout int
 	var sysNs string
 	var peerSelector string
+	var sandboxNamespace string
+	var sandboxLabelSelector string
 	var maxClaimWorkers int
 	var maxCreateQPS int
 	var extProcMaxConcurrency int
@@ -54,6 +56,8 @@ func main() {
 	pflag.IntVar(&e2bMaxTimeout, "e2b-max-timeout", models.DefaultMaxTimeout, "E2B maximum timeout in seconds")
 	pflag.StringVar(&sysNs, "system-namespace", utils.DefaultSandboxDeployNamespace, "The namespace where the sandbox manager is running (required)")
 	pflag.StringVar(&peerSelector, "peer-selector", "", "Peer selector for sandbox manager (required)")
+	pflag.StringVar(&sandboxNamespace, "sandbox-namespace", "", "Namespace to filter sandbox-related custom resources (Sandbox, SandboxSet, Checkpoint, SandboxTemplate). Defaults to all.")
+	pflag.StringVar(&sandboxLabelSelector, "sandbox-label-selector", "", "Label selector to filter sandbox-related custom resources (Sandbox, SandboxSet, Checkpoint, SandboxTemplate). Defaults to all.")
 	pflag.IntVar(&maxClaimWorkers, "max-claim-workers", consts.DefaultClaimWorkers, "Maximum number of claim workers (0 uses default)")
 	pflag.IntVar(&maxCreateQPS, "max-create-qps", consts.DefaultCreateQPS, "Maximum QPS for sandbox creation (0 uses default)")
 	pflag.IntVar(&extProcMaxConcurrency, "ext-proc-max-concurrency", consts.DefaultExtProcConcurrency, "Maximum concurrency for external processor (0 uses default)")
@@ -129,7 +133,7 @@ func main() {
 		klog.Fatalf("Failed to initialize Kubernetes client: %v", err)
 	}
 
-	sandboxController := e2b.NewController(domain, e2bAdminKey, sysNs, e2bMaxTimeout, maxClaimWorkers, maxCreateQPS, uint32(extProcMaxConcurrency),
+	sandboxController := e2b.NewController(domain, e2bAdminKey, sysNs, sandboxNamespace, sandboxLabelSelector, e2bMaxTimeout, maxClaimWorkers, maxCreateQPS, uint32(extProcMaxConcurrency),
 		port, e2bEnableAuth, clientSet)
 	if err := sandboxController.Init(); err != nil {
 		klog.Fatalf("Failed to initialize sandbox controller: %v", err)
diff --git a/pkg/sandbox-manager/config/manager.go b/pkg/sandbox-manager/config/manager.go
@@ -7,6 +7,8 @@ import (
 
 type SandboxManagerOptions struct {
 	SystemNamespace       string
+	SandboxNamespace      string
+	SandboxLabelSelector  string
 	MaxClaimWorkers       int
 	MaxCreateQPS          int
 	ExtProcMaxConcurrency uint32
diff --git a/pkg/sandbox-manager/infra/sandboxcr/cache.go b/pkg/sandbox-manager/infra/sandboxcr/cache.go
@@ -9,6 +9,7 @@ import (
 
 	"golang.org/x/sync/singleflight"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	k8sinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
@@ -45,7 +46,16 @@ type Cache struct {
 
 func NewCache(client *clients.ClientSet, opts config.SandboxManagerOptions) (*Cache, error) {
 	// Create informer factory for custom Sandbox resources
-	informerFactory := informers.NewSharedInformerFactory(client.SandboxClient, time.Minute*10)
+	informerOptions := []informers.SharedInformerOption{}
+	if opts.SandboxNamespace != "" {
+		informerOptions = append(informerOptions, informers.WithNamespace(opts.SandboxNamespace))
+	}
+	if opts.SandboxLabelSelector != "" {
+		informerOptions = append(informerOptions, informers.WithTweakListOptions(func(lo *metav1.ListOptions) {
+			lo.LabelSelector = opts.SandboxLabelSelector
+		}))
+	}
+	informerFactory := informers.NewSharedInformerFactoryWithOptions(client.SandboxClient, time.Minute*10, informerOptions...)
 	sandboxInformer := informerFactory.Api().V1alpha1().Sandboxes().Informer()
 	sandboxSetInformer := informerFactory.Api().V1alpha1().SandboxSets().Informer()
 	checkpointInformer := informerFactory.Api().V1alpha1().Checkpoints().Informer()
@@ -87,11 +97,15 @@ func NewCache(client *clients.ClientSet, opts config.SandboxManagerOptions) (*Ca
 }
 
 func NewTestCache(t *testing.T) (*Cache, *clients.ClientSet, error) {
-	t.Helper()
-	clientSet := clients.NewFakeClientSet(t)
-	c, err := NewCache(clientSet, config.SandboxManagerOptions{
+	return NewTestCacheWithOptions(t, config.SandboxManagerOptions{
 		SystemNamespace: utils.DefaultSandboxDeployNamespace,
 	})
+}
+
+func NewTestCacheWithOptions(t *testing.T, opts config.SandboxManagerOptions) (*Cache, *clients.ClientSet, error) {
+	t.Helper()
+	clientSet := clients.NewFakeClientSet(t)
+	c, err := NewCache(clientSet, opts)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/pkg/sandbox-manager/infra/sandboxcr/cache_test.go b/pkg/sandbox-manager/infra/sandboxcr/cache_test.go
@@ -6,7 +6,9 @@ import (
 	"time"
 
 	agentsv1alpha1 "github.com/openkruise/agents/api/v1alpha1"
+	sandboxfake "github.com/openkruise/agents/client/clientset/versioned/fake"
 	"github.com/openkruise/agents/pkg/sandbox-manager/clients"
+	"github.com/openkruise/agents/pkg/sandbox-manager/config"
 	constantUtils "github.com/openkruise/agents/pkg/utils"
 	sandboxManagerUtils "github.com/openkruise/agents/pkg/utils/sandbox-manager"
 	utils "github.com/openkruise/agents/pkg/utils/sandbox-manager"
@@ -15,6 +17,9 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	k8stesting "k8s.io/client-go/testing"
 )
 
 func TestCache_WaitForSandboxSatisfied(t *testing.T) {
@@ -439,3 +444,193 @@ func TestCache_GetSecret_FromSync(t *testing.T) {
 	assert.Equal(t, testSecret.Data, result.Data)
 	assert.Equal(t, testSecret.Type, result.Type)
 }
+
+func TestCache_InformerWithFilter_GetSandboxSet(t *testing.T) {
+	sandboxManagerUtils.InitLogOutput()
+
+	tests := []struct {
+		name             string
+		opts             config.SandboxManagerOptions
+		seedSandboxSets  []*agentsv1alpha1.SandboxSet
+		wantCachedNames  []string // expected SandboxSet names visible in cache (namespace/name)
+		queryName        string   // template name to query via GetSandboxSet
+		wantGetErr       bool     // whether GetSandboxSet should return an error
+		wantGetName      string   // expected name of the returned SandboxSet (if no error)
+		wantGetNamespace string   // expected namespace of the returned SandboxSet (if no error)
+	}{
+		{
+			name: "no filter - all SandboxSets visible",
+			opts: config.SandboxManagerOptions{},
+			seedSandboxSets: []*agentsv1alpha1.SandboxSet{
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-1", Namespace: "team-a"}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-2", Namespace: "team-a"}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-3", Namespace: "team-b"}},
+			},
+			wantCachedNames:  []string{"team-a/tmpl-1", "team-a/tmpl-2", "team-b/tmpl-3"},
+			queryName:        "tmpl-3",
+			wantGetErr:       false,
+			wantGetName:      "tmpl-3",
+			wantGetNamespace: "team-b",
+		},
+		{
+			name: "namespace filter with multiple SandboxSets in same namespace",
+			opts: config.SandboxManagerOptions{
+				SandboxNamespace: "team-a",
+			},
+			seedSandboxSets: []*agentsv1alpha1.SandboxSet{
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-1", Namespace: "team-a"}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-2", Namespace: "team-a"}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-3", Namespace: "team-b"}},
+			},
+			wantCachedNames:  []string{"team-a/tmpl-1", "team-a/tmpl-2"},
+			queryName:        "tmpl-2",
+			wantGetErr:       false,
+			wantGetName:      "tmpl-2",
+			wantGetNamespace: "team-a",
+		},
+		{
+			name: "label selector filter with multiple SandboxSets",
+			opts: config.SandboxManagerOptions{
+				SandboxLabelSelector: "env=prod",
+			},
+			seedSandboxSets: []*agentsv1alpha1.SandboxSet{
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-match-selector", Namespace: "team-a", Labels: map[string]string{"env": "prod"}}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-not-match-selector", Namespace: "team-a", Labels: map[string]string{"env": "staging"}}},
+			},
+			wantCachedNames:  []string{"team-a/tmpl-match-selector"},
+			queryName:        "tmpl-match-selector",
+			wantGetErr:       false,
+			wantGetName:      "tmpl-match-selector",
+			wantGetNamespace: "team-a",
+		},
+		{
+			name: "namespace and label selector filter with multiple SandboxSets",
+			opts: config.SandboxManagerOptions{
+				SandboxNamespace:     "team-a",
+				SandboxLabelSelector: "env=prod",
+			},
+			seedSandboxSets: []*agentsv1alpha1.SandboxSet{
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-match-selector", Namespace: "team-a", Labels: map[string]string{"env": "prod"}}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-not-match-selector", Namespace: "team-a", Labels: map[string]string{"env": "staging"}}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "tmpl-match-selector", Namespace: "team-b", Labels: map[string]string{"env": "prod"}}},
+			},
+			wantCachedNames:  []string{"team-a/tmpl-match-selector"},
+			queryName:        "tmpl-match-selector",
+			wantGetErr:       false,
+			wantGetName:      "tmpl-match-selector",
+			wantGetNamespace: "team-a",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var (
+				c         *Cache
+				clientSet *clients.ClientSet
+				err       error
+			)
+
+			if tt.opts.SandboxLabelSelector != "" {
+				// When a label selector is configured, the fake client does not enforce it
+				// natively. We work around this by:
+				//   1. Creating the fake clientSet manually so we can access the underlying
+				//      *sandboxfake.Clientset and inject a PrependReactor.
+				//   2. Writing seed data into the Tracker BEFORE starting the Cache so that
+				//      the Informer's initial List call goes through our reactor and returns
+				//      only the label-matching objects.
+				//   3. The reactor parses the LabelSelector from ListOptions and filters the
+				//      objects returned by the Tracker, giving the Informer an accurate view.
+				clientSet = clients.NewFakeClientSet(t)
+				fakeClient, ok := clientSet.SandboxClient.(*sandboxfake.Clientset)
+				require.True(t, ok, "SandboxClient must be *sandboxfake.Clientset")
+
+				// Write seed data into the Tracker before the Cache starts.
+				for _, sbs := range tt.seedSandboxSets {
+					require.NoError(t,
+						fakeClient.Tracker().Add(sbs),
+						"failed to add SandboxSet %s/%s to tracker", sbs.Namespace, sbs.Name,
+					)
+				}
+
+				// Inject a PrependReactor that enforces label selector filtering on List.
+				fakeClient.PrependReactor("list", "sandboxsets", func(action k8stesting.Action) (bool, runtime.Object, error) {
+					listAction, ok := action.(k8stesting.ListAction)
+					if !ok {
+						return false, nil, nil
+					}
+					// Retrieve all objects from the Tracker for this resource/namespace.
+					objs, err := fakeClient.Tracker().List(
+						agentsv1alpha1.SchemeGroupVersion.WithResource("sandboxsets"),
+						agentsv1alpha1.SchemeGroupVersion.WithKind("SandboxSet"),
+						listAction.GetNamespace(),
+					)
+					if err != nil {
+						return true, nil, err
+					}
+					rawList, ok := objs.(*agentsv1alpha1.SandboxSetList)
+					if !ok {
+						return false, nil, nil
+					}
+
+					// Apply label selector filtering when one is present.
+					restriction := listAction.GetListRestrictions()
+					selector := restriction.Labels
+					if selector == nil || selector.Empty() {
+						return true, rawList, nil
+					}
+					filtered := make([]agentsv1alpha1.SandboxSet, 0, len(rawList.Items))
+					for _, item := range rawList.Items {
+						if selector.Matches(labels.Set(item.Labels)) {
+							filtered = append(filtered, item)
+						}
+					}
+					rawList.Items = filtered
+					return true, rawList, nil
+				})
+
+				// Build and start the Cache with the pre-seeded, reactor-equipped clientSet.
+				c, err = NewCache(clientSet, tt.opts)
+				require.NoError(t, err)
+				require.NoError(t, c.Run(t.Context()))
+			} else {
+				c, clientSet, err = NewTestCacheWithOptions(t, tt.opts)
+				require.NoError(t, err)
+
+				// Seed SandboxSets after the Cache is running (standard path).
+				for _, sbs := range tt.seedSandboxSets {
+					_, err := clientSet.SandboxClient.ApiV1alpha1().SandboxSets(sbs.Namespace).Create(
+						t.Context(), sbs, metav1.CreateOptions{},
+					)
+					require.NoError(t, err, "failed to create SandboxSet %s/%s", sbs.Namespace, sbs.Name)
+				}
+			}
+			defer c.Stop()
+
+			// Wait for informer sync
+			time.Sleep(300 * time.Millisecond)
+
+			// Inspect all SandboxSets in cache
+			allItems := c.sandboxSetInformer.GetStore().List()
+			cachedKeys := make([]string, 0, len(allItems))
+			for _, item := range allItems {
+				sbs, ok := item.(*agentsv1alpha1.SandboxSet)
+				require.True(t, ok, "unexpected type in sandboxSetInformer store: %T", item)
+				cachedKeys = append(cachedKeys, sbs.Namespace+"/"+sbs.Name)
+			}
+			assert.ElementsMatch(t, tt.wantCachedNames, cachedKeys,
+				"cached SandboxSet keys mismatch")
+
+			// Query via GetSandboxSet
+			got, err := c.GetSandboxSet(tt.queryName)
+			if tt.wantGetErr {
+				require.Error(t, err)
+				assert.Nil(t, got)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, got)
+				assert.Equal(t, tt.wantGetName, got.Name)
+				assert.Equal(t, tt.wantGetNamespace, got.Namespace)
+			}
+		})
+	}
+}
diff --git a/pkg/servers/e2b/core.go b/pkg/servers/e2b/core.go
@@ -34,6 +34,8 @@ type Controller struct {
 	maxClaimWorkers       int
 	maxCreateQPS          int
 	extProcMaxConcurrency uint32
+	sandboxLabelSelector  string
+	sandboxNamespace      string
 
 	// fields
 	mux             *http.ServeMux
@@ -49,7 +51,7 @@ type Controller struct {
 }
 
 // NewController creates a new E2B Controller
-func NewController(domain, adminKey string, sysNs string, maxTimeout, maxClaimWorkers, maxCreateQPS int, extProcMaxConcurrency uint32,
+func NewController(domain, adminKey string, sysNs, sandboxNamespace, sandboxLabelSelector string, maxTimeout, maxClaimWorkers, maxCreateQPS int, extProcMaxConcurrency uint32,
 	port int, enableAuth bool, clientSet *clients.ClientSet) *Controller {
 	sc := &Controller{
 		mux:                   http.NewServeMux(),
@@ -59,6 +61,8 @@ func NewController(domain, adminKey string, sysNs string, maxTimeout, maxClaimWo
 		port:                  port,
 		maxTimeout:            maxTimeout,
 		systemNamespace:       sysNs, // the namespace where the sandbox manager is running
+		sandboxNamespace:      sandboxNamespace,
+		sandboxLabelSelector:  sandboxLabelSelector,
 		maxClaimWorkers:       maxClaimWorkers,
 		maxCreateQPS:          maxCreateQPS,
 		extProcMaxConcurrency: extProcMaxConcurrency,
@@ -88,6 +92,8 @@ func (sc *Controller) Init() error {
 	adapter := adapters.DefaultAdapterFactory(sc.port)
 	sandboxManager, err := sandbox_manager.NewSandboxManager(sc.client, adapter, config.SandboxManagerOptions{
 		SystemNamespace:       sc.systemNamespace,
+		SandboxNamespace:      sc.sandboxNamespace,
+		SandboxLabelSelector:  sc.sandboxLabelSelector,
 		MaxClaimWorkers:       sc.maxClaimWorkers,
 		ExtProcMaxConcurrency: sc.extProcMaxConcurrency,
 		MaxCreateQPS:          sc.maxCreateQPS,
diff --git a/pkg/servers/e2b/core_test.go b/pkg/servers/e2b/core_test.go
@@ -85,7 +85,7 @@ func Setup(t *testing.T) (*Controller, *clients.ClientSet, func()) {
 	_, err := clientSet.CoreV1().Secrets(namespace).Create(t.Context(), secret, metav1.CreateOptions{})
 	assert.NoError(t, err)
 
-	controller := NewController("example.com", InitKey, namespace, models.DefaultMaxTimeout, 10,
+	controller := NewController("example.com", InitKey, namespace, "", "", models.DefaultMaxTimeout, 10,
 		0, 0, TestServerPort, true, clientSet)
 	assert.NoError(t, controller.Init())
 	_, err = controller.Run(namespace, "component=sandbox-manager")
