cert-controller

WIP: add objectfilters

Open duncan485 opened this issue 1 year ago • 9 comments

I ran into the issue that we cannot set resourceNames in (cluster)Role.rules.resourceNames because the cache/watch includes all the objects of a kind in the selected namespace. This PR will limit the cache to only the secrets and webhooks that are needed for the cert-controller.

I tested this locally and verified it works; any feedback would be much appreciated.

duncan485 avatar Jul 17 '24 10:07 duncan485

Thanks @JaydipGabani , I'd say this also closes #24

duncan485 avatar Jul 18 '24 13:07 duncan485

@JaydipGabani Can this one be merged?

duncan485 avatar Jul 22 '24 21:07 duncan485

@maxsmythe @ritazh @sozercan PTAL

JaydipGabani avatar Jul 23 '24 00:07 JaydipGabani

> @JaydipGabani Can this one be merged?

waiting for one more review at least.

JaydipGabani avatar Jul 23 '24 00:07 JaydipGabani

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 62.83%. Comparing base (190188d) to head (5f2f330). Report is 26 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #228      +/-   ##
==========================================
+ Coverage   57.16%   62.83%   +5.67%     
==========================================
  Files           1        1              
  Lines         572      479      -93     
==========================================
- Hits          327      301      -26     
+ Misses        181      114      -67     
  Partials       64       64              
Flag: unittests, Coverage: 62.83% <100.00%> (+5.67%)



codecov-commenter avatar Aug 13 '24 02:08 codecov-commenter

While writing tests, I found that this doesn't work with multiple webhooks, it will only add the last added webhook in the filter.

I'm putting this back in WIP and will continue this when I get to it.

duncan485 avatar Sep 13 '24 08:09 duncan485

> While writing tests, I found that this doesn't work with multiple webhooks, it will only add the last added webhook in the filter.

Are you talking about multiple webhooks of the same type? The map ObjectFilers [sic] maps from one GVK to a webhook name. For example, if you have two or more validating webhooks, each will have its own name. However, you can only map the validating webhook GVK to one webhook name.

https://github.com/open-policy-agent/cert-controller/blob/7e39bd74a24a68bb72abbf7103283638b16a3102/pkg/rotator/rotator.go#L199-L205

We can assign exactly one field selector per GVK, and since field selectors do not support set-based operators, we can only target one value.

dlipovetsky avatar Oct 25 '24 21:10 dlipovetsky

Yes exactly, that's what I found while experimenting.

Taking a step back, my goal is to limit the cache to only the webhooks that are needed/configured for the cert-controller, so in the end I can set up the K8S role, limited by resourceNames.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - update
  - watch
  resourceNames:   # <---
  - webhooka
  - webhookb
```

If you have a suggestion to how this could be accomplished, please let me know and I'd be happy to dig in.

duncan485 avatar Oct 28 '24 10:10 duncan485

> Taking a step back, my goal is to limit the cache to only the webhooks that are needed/configured for the cert-controller, so in the end I can set up the K8S role, limited by resourceNames. If you have a suggestion to how this could be accomplished, please let me know and I'd be happy to dig in.

To support name-based filters, I think controller-runtime would have to implement delegating caches for every resource name. Right now, it implements a delegating cache for every resource (identified by its GroupVersionKind) [1].

One option is to propose per-resource caching to controller-runtime. But that proposal might not be accepted, since most controllers (I'm assuming here) built with controller-runtime reconcile a group of resources across namespaces, and they don't need the cache granularity you're looking to add to cert-controller.

Another option is to implement a per-resource cache in cert-controller.

And finally, there's a "hack" that would work: reference resource names in the RBAC, apply a label to the resources, and use a label selector in cert-controller. (This would break cert-controller when the label is applied to a resource that isn't referenced in RBAC).

1: https://github.com/kubernetes-sigs/controller-runtime/blob/main/designs/cache_options.md

dlipovetsky avatar Oct 28 '24 15:10 dlipovetsky