
Continuous Updates in Kubernetes API

Open vozerov opened this issue 2 years ago • 1 comments

Hey everyone!

Just a small question regarding secrets, configmaps, vmalert and vmalertmanager updates.

According to this code - https://github.com/VictoriaMetrics/operator/blob/master/controllers/factory/vmalert.go#L125 - the vmalert secret would be updated every time this function runs - am I right?

Just wondering, because we have audit logs configured on our Kubernetes and it's a bit spammy after vmoperator installation. We have the following events running all the time:


```json
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "bc9a20c0-f999-4a64-92d9-46606ce029cd",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/victoria-metrics/secrets/vmalertmanager-vm-victoria-metrics-k8s-stack-config",
  "verb": "update",
  "user": {
    "username": "system:serviceaccount:victoria-metrics:vm-victoria-metrics-operator",
    "uid": "3908cb51-194f-44be-8c60-78cb946cbd26",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:victoria-metrics",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "vm-victoria-metrics-operator-867f85964f-szqff"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "d1d7d921-278a-43b4-9b9c-3fe2ec80cd33"
      ]
    }
  },
  "sourceIPs": [
    "172.16.0.31"
  ],
  "userAgent": "manager/v0.0.0 (linux/amd64) kubernetes/$Format",
  "objectRef": {
    "resource": "secrets",
    "namespace": "victoria-metrics",
    "name": "vmalertmanager-vm-victoria-metrics-k8s-stack-config",
    "apiVersion": "v1"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2023-11-28T14:55:21.884725Z",
  "stageTimestamp": "2023-11-28T14:55:21.887383Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"vm-victoria-metrics-operator\" of ClusterRole \"vm-victoria-metrics-operator\" to ServiceAccount \"vm-victoria-metrics-operator/victoria-metrics\""
  }
}
```

Also, we have the same situation with deployments, statefulsets, services and so on. Is it possible to update objects only if they have any differences?

Thank you so much!

vozerov avatar Nov 28 '23 15:11 vozerov

Hello, currently, the operator doesn't store the last-applied state for a resource. Without it, correct difference calculation isn't possible. And it's easier to perform an update for the resource each time reconciliation happens.

f41gh7 avatar Dec 01 '23 13:12 f41gh7
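
To measure how much of an audit log comes from a controller rewriting the same objects on every reconciliation, events like the one in the issue can be grouped by writer and object. The following is an added example, not part of the original thread or the operator's code; the sample log, its timestamps and intervals, and the names `vmalert-example`, `app-config` and `alice@example.com` are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

SA = "system:serviceaccount:victoria-metrics:vm-victoria-metrics-operator"
SECRET = "vmalertmanager-vm-victoria-metrics-k8s-stack-config"

def make_event(ts, user, verb, resource, name, code=200):
    """Constructed audit.k8s.io/v1 event carrying only the fields read below."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "verb": verb, "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": "victoria-metrics", "name": name},
        "responseStatus": {"code": code}, "requestReceivedTimestamp": ts})

# Constructed sample log: intervals and the non-Secret object names are made up.
SAMPLE_LOG = (
    [make_event(f"2023-11-28T14:5{m}:21.884725Z", SA, "update", "secrets", SECRET) for m in range(5, 9)]
    + [make_event(f"2023-11-28T14:55:{s}.000000Z", SA, "update", "deployments", "vmalert-example") for s in ("00", "30")]
    + [make_event("2023-11-28T14:56:00.000000Z", SA, "update", "deployments", "vmalert-example"),
       make_event("2023-11-28T14:55:10.000000Z", SA, "get", "secrets", SECRET),
       make_event("2023-11-28T14:55:40.000000Z", "alice@example.com", "update", "configmaps", "app-config"),
       '{"kind": "Event", "truncated'])

def repeated_writers(lines, min_count=3):
    """Return (user, resource, ns/name, writes, mean gap in seconds) for every object
    that one identity successfully updated or patched at least min_count times."""
    seen = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("verb") not in ("update", "patch"):
            continue
        if (ev.get("responseStatus") or {}).get("code", 0) >= 300:
            continue  # failed writes changed nothing
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username")
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        seen[(user, ref.get("resource"), f'{ref.get("namespace")}/{ref.get("name")}')].append(ts)
    report = []
    for key, stamps in seen.items():
        if len(stamps) >= min_count:
            span = (max(stamps) - min(stamps)).total_seconds()
            report.append((*key, len(stamps), round(span / max(len(stamps) - 1, 1), 1)))
    return sorted(report, key=lambda row: -row[3])
```

A near-constant mean gap for one service account and object is the signature of unconditional updates on a reconcile loop rather than real configuration changes.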