-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: add objectfilters #228
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: duncan485 <[email protected]>
Thanks @JaydipGabani , I'd say this also closes #24 |
@JaydipGabani Can this one be merged? |
@maxsmythe @ritazh @sozercan PTAL |
waiting for one more review at least. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #228 +/- ##
==========================================
+ Coverage 57.16% 62.83% +5.67%
==========================================
Files 1 1
Lines 572 479 -93
==========================================
- Hits 327 301 -26
+ Misses 181 114 -67
Partials 64 64
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Mapper: mgr.GetRESTMapper(), | ||
DefaultNamespaces: namespaces, | ||
}) | ||
ObjectFilers := make(map[client.Object]cache.ByObject) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ObjectFilers := make(map[client.Object]cache.ByObject) | |
objectFilers := make(map[client.Object]cache.ByObject) |
} | ||
} | ||
|
||
ObjectFilers[&corev1.Secret{}] = cache.ByObject{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@duncan485 can we add tests for this?
While writing tests, I found that this doesn't work with multiple webhooks, it will only add the last added webhook in the filter. I'm putting this back in WIP, and continue this when I get to it. |
Are you talking about multiple webhooks of the same type?, The map cert-controller/pkg/rotator/rotator.go Lines 199 to 205 in 7e39bd7
We can assign exactly one field selector per GVK, and since field selectors do not support set-based operators, we can only target one value. |
Yes exactly, that's while experimenting, what I found. Taking a step back, my goal is to limit the the cache to only the web-hooks that are needed/configured for the cert-controller, so in the end I can setup the K8S role, limited by resourceNames. apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: role
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- get
- list
- update
- watch
resourceNames: <---
- webhooka
- webhookb If you have a suggestion to how this could be accomplished, please let me know and I'd be happy to dig in. |
To support name-based filters, I think controller-runtime would have to implement delegating caches for every resource name. Right now, it implements a delegating cache for every resource (identified by its GroupVersionKind) [1]. One option is to propose per-resource caching to contoller-runtime. But that proposal might not be accepted, since most controllers (I"m assuming here) built with controller-runtime reconcile a group of resources across namespaces, and they don't need the cache granularity you're looking to add to cert-controller. Another option is to implement a per-resource cache in cert-controller. And finally, there's a "hack" that would work: reference resource names in the RBAC, apply a label to the resources, and use a label selector in cert-controller. (This would break cert-controller when the label is applied to a resource that isn't referenced in RBAC). 1: https://github.com/kubernetes-sigs/controller-runtime/blob/main/designs/cache_options.md |
I ran into the issue that we cannot set resourceNames in (cluster)Role.rules.resourceNames because the cache/watch includes all the object of a kind in the selected namespace. This PR will limit the cache to only the secrets and webhooks that are needed for the cert-controller.
I tested this locally and verified it works, any feedback would be much appreciated.;