
Ability to ignore some controller by Kind

Open FrancoisPoinsot opened this issue 3 years ago • 1 comment

Is your feature request related to a problem? Please describe.
I am testing goldilocks. I see it creates a VPA for each controller. In my case I have a lot of Jobs and I would prefer to play it safe and not create VPAs for those.

Describe the solution you'd like
An env var/argument that would allow me to ignore some Controllers by kind, such as --ignore-controller-kind=Job,CronJob

Maybe we would want some combination of namespace+kind.

Describe alternatives you've considered
For now we can technically use RBAC to control what the goldilocks controller can access. By removing the permission on specific Kinds we can achieve something similar. Goldilocks handles this error nicely, but it does throw a lot of error logs.

FrancoisPoinsot avatar Oct 06 '22 08:10 FrancoisPoinsot

Hi,

Does the ClusterRole already manage it?

When installing it using Helm, I have a ClusterRole with these rules, and job/cronjobs are not allowed:

rules:
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling.k8s.io
  resources:
  - verticalpodautoscalers
  verbs:
  - get
  - list
  - create
  - delete
  - update
- apiGroups:
  - argoproj.io
  resources:
  - rollouts
  verbs:
  - get
  - list
  - watch

Some logs:

goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022461       1 controller.go:229]  "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022497       1 controller.go:147]  "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685200-klwq5"="default"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122148       1 controller.go:229]  "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122192       1 controller.go:147]  "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685800-vqnr6"="default"

Your idea to add the ability to NOT watch some resources is a good one.

rverchere avatar Mar 01 '23 16:03 rverchere
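As an added illustration of the filter requested in this issue (an allow/deny decision made before a VPA is created, instead of relying on RBAC denials that fill the logs), here is a small Go example. It is not goldilocks' own code and does not use its internals: the flag name --ignore-controller-kind, the IgnoreFilter type, the namespace/kind entry syntax and the sample controller list are all assumptions made for this example. It also covers the namespace+kind combination mentioned in the request.

```go
package main

import (
	"fmt"
	"strings"
)

// IgnoreFilter records which controllers should not receive a VPA.
// Hypothetical design for a --ignore-controller-kind flag; not goldilocks code.
type IgnoreFilter struct {
	kinds   map[string]struct{} // "job", "cronjob": ignored in every namespace
	nsKinds map[string]struct{} // "kube-system/deployment": ignored only there
}

// ParseIgnoreFlag parses a comma-separated value such as
// "Job,CronJob,kube-system/Deployment". Entries are case-insensitive;
// an entry containing a slash is treated as a namespace/kind pair.
func ParseIgnoreFlag(value string) (*IgnoreFilter, error) {
	f := &IgnoreFilter{
		kinds:   map[string]struct{}{},
		nsKinds: map[string]struct{}{},
	}
	for _, raw := range strings.Split(value, ",") {
		entry := strings.ToLower(strings.TrimSpace(raw))
		if entry == "" {
			continue // tolerate trailing commas and blank entries
		}
		parts := strings.Split(entry, "/")
		switch len(parts) {
		case 1:
			f.kinds[parts[0]] = struct{}{}
		case 2:
			if parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("invalid namespace/kind entry %q", raw)
			}
			f.nsKinds[entry] = struct{}{}
		default:
			return nil, fmt.Errorf("invalid entry %q", raw)
		}
	}
	return f, nil
}

// ShouldIgnore reports whether a controller of the given kind in the given
// namespace is excluded, either globally by kind or by namespace/kind pair.
func (f *IgnoreFilter) ShouldIgnore(namespace, kind string) bool {
	k := strings.ToLower(kind)
	if _, ok := f.kinds[k]; ok {
		return true
	}
	_, ok := f.nsKinds[strings.ToLower(namespace)+"/"+k]
	return ok
}

// Controller is a minimal stand-in for a top-level workload owner.
type Controller struct {
	Namespace, Kind, Name string
}

// VPACandidates returns "namespace/name" for every controller that passes
// the filter, i.e. the ones that would get a VPA created for them.
func VPACandidates(controllers []Controller, f *IgnoreFilter) []string {
	var out []string
	for _, c := range controllers {
		if f.ShouldIgnore(c.Namespace, c.Kind) {
			continue // skipped before any VPA API call is attempted
		}
		out = append(out, c.Namespace+"/"+c.Name)
	}
	return out
}

func main() {
	// Constructed sample inventory; the names are made up for this example.
	controllers := []Controller{
		{"default", "Deployment", "web"},
		{"default", "CronJob", "my-job"},
		{"default", "Job", "my-job-1677685200"},
		{"kube-system", "Deployment", "coredns"},
	}
	f, err := ParseIgnoreFlag("Job,CronJob,kube-system/Deployment")
	if err != nil {
		panic(err)
	}
	for _, c := range VPACandidates(controllers, f) {
		fmt.Println("would create VPA for", c)
	}
}
```

Because the decision is made in-process, the controller never issues the forbidden list/watch calls that produced the error lines quoted above; the RBAC rules can stay as narrow as they are without the log noise.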