This repository has been archived by the owner on Nov 17, 2021. It is now read-only.
Make GC work also with RBAC #190
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently the GC does a pass through all the resource types and performs a single cluster scoped list of all the objects. This kind of requests is forbidden if the user has no rights list every object of that type in all the namespaces. When RBAC is configured, the user is likely to have at least one namespace + resource type combination that they cannot list. I tested this on a cluster with 4k objects in 12 namespaces, and it was 2x slower on my slow ADSL (2m vs 1m before this patch). That's bearable But another cluster I have to use has 67 namespaces and it took 9m. That's tough. There is no significant changes if by parallelizing by namespace. Hence this change makes this new behavior optional and driven by flags: 1. --gc-list-mode: governs whether to use the current "cluster-scope", or the slower "per-namespace" mode. 2. --gc-ns-selector: allows users to only scan namespaces that match a given label selector. This is usually going to be some kind of team or project label that all namespaces associated with that user would have. Unfortunately we cannot assume kubecfg can set the --gc-tag on the namespaces objects it operates into, since they might not be writable by users who have otherwise full control to all the other reasurces in it. Closes #189 (also removes some dead code)
|
fyi, I added some tests for garbage collection just recently in #193 |
|
I like the change generally. I don't like adding new flags to force onto the user what could be determined automatically. I think we should either just always do per-namespace listing, or (better) try global and fall back to per-namespace if we get a permission error. (separately for each resource type - if they all fail, then it's only one extra RPC per resource type) |
yeah it makes sense |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently the GC does a pass through all the resource types
and performs a single cluster scoped list of all the objects.
This kind of requests is forbidden if the user has no rights list
every object of that type in all the namespaces.
When RBAC is configured, the user is likely to have at least one
namespace + resource type combination that they cannot list.
I tested this on a cluster with 4k objects in 12 namespaces,
and it was 2x slower on my slow ADSL (2m vs 1m before this patch).
That's bearable
But another cluster I have to use has 67 namespaces and it took
9m. That's tough.
There is no significant changes if by parallelizing by namespace.
Hence this change makes this new behavior optional and driven by flags:
or the slower "per-namespace" mode.
given label selector. This is usually going to be some kind of team
or project label that all namespaces associated with that user would
have.
Unfortunately we cannot assume kubecfg can set the --gc-tag on the
namespaces objects it operates into, since they might not be writable by
users who have otherwise full control to all the other reasurces in it.
Closes #189
(also removes some dead code)
This PR doesn't add any tests. The existing code path for listing all resources for GC doesn't seem to have many tests either, so I'll shave this yak asynchronously.