
Namespaces to include

Open edscadding opened this issue 5 years ago • 12 comments

Currently I believe Reloader only supports the exclusion of namespaces, using the --namespaces-to-ignore flag.

Some users (hello! 🙂) may find it easier / more appropriate to specify inclusion rather than exclusion, e.g. via --namespaces or --namespaces-to-include. Definitely helpful when using a shared cluster!

It's possible to achieve similar by configuring the annotations used, but Reloader will ultimately still be watching namespaces that are not of interest.

edscadding, Sep 04 '20 13:09

Related to the same question, what possibilities does reloader have to only watch namespaces that the service account has correct access to through RBAC settings?

goober, Sep 10 '20 12:09

Since we're using quite a big shared OpenShift cluster this would be interesting for us as well.

rehbergtr, Oct 22 '20 14:10

> Related to the same question, what possibilities does reloader have to only watch namespaces that the service account has correct access to through RBAC settings?

If it doesn't have valid RBAC to take actions then it will log.

rasheedamir, Oct 25 '20 08:10

Is it possible to install reloader in x namespace and watch y namespace?

dilip-panwar-by, Dec 01 '20 09:12

@dilip-panwar-by no, it is currently not possible to do this. Currently, the reloader can watch the namespace where it is running or it can watch all the namespaces while running on cluster scope. Although, you can ignore certain namespaces if you want with the ignoreNamespaces flag.

faizanahmad055, Dec 01 '20 09:12

> @dilip-panwar-by no, it is currently not possible to do this. Currently, the reloader can watch the namespace where it is running or it can watch all the namespaces while running on cluster scope. Although, you can ignore certain namespaces if you want with the ignoreNamespaces flag.

@faizanahmad055 Actually, I've set the frequency to 2m so it is generating too many logs. Is there any way I can disable or minimize logging of reloader?

dilip-panwar-by, Dec 01 '20 09:12

> @faizanahmad055 Actually, I've set the frequency to 2m so it is generating too many logs. Is there any way I can disable or minimize logging of reloader?

Can you please elaborate on what you mean by frequency and how you set it? Regarding the logs, what kind of logs are you seeing? Reloader only prints logs which are either errors or an event and subsequent update based on that. So, if it is working properly then there might be a lot of events happening and the reloader might be performing a lot of updates as well. In that case, logs are there to show which resource has been updated and we cannot decrease the number of logs via any configuration in the chart.

faizanahmad055, Dec 01 '20 10:12

> > @faizanahmad055 Actually, I've set the frequency to 2m so it is generating too many logs. Is there any way I can disable or minimize logging of reloader?
>
> Can you please elaborate on what you mean by frequency and how you set it? Regarding the logs, what kind of logs are you seeing? Reloader only prints logs which are either errors or an event and subsequent update based on that. So, if it is working properly then there might be a lot of events happening and the reloader might be performing a lot of updates as well. In that case, logs are there to show which resource has been updated and we cannot decrease the number of logs via any configuration in the chart.

@faizanahmad055 Sorry for the confusion. Frequency params is not related to reloader.

dilip-panwar-by, Dec 01 '20 10:12

Hi, is there any update on this one? We want to have a single Reloader deployment but avoid giving full access to all secrets in a cluster (which effectively makes it a cluster admin). Ideally we need a way for namespaces to opt-in to Reloader and use a RoleBinding to allow the operator to access secrets under the namespace. Trying that approach with the latest Reloader version produces the following logs:

E0419 13:26:39.133161       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kube-system:reloader-reloader" cannot list resource "secrets" in API group "" at the cluster scope

and doesn't seem to work. If I understand how this works, this is a limit because of the namespace passed here (either a single namespace or v1.NamespaceAll): https://github.com/stakater/Reloader/blob/master/internal/pkg/controller/controller.go#L48 and to make this feature work it will require spinning up multiple watchers? We are happy to help PRing something in case you guys want to proceed with a solution for this issue. @faizanahmad055

ffilippopoulos, Apr 20 '22 12:04
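
The opt-in model described in the comment above, written out as RBAC manifests (an added example, not part of the original comment or of the Reloader project). The service account name is taken from the log line in the comment; the namespace `team-a`, the object name `reloader-opt-in` and the workload verbs are assumptions. As the comment reports, grants of this kind alone did not stop the cluster-scope `list` that produced the `forbidden` error.

```yaml
# Constructed example. "team-a" and "reloader-opt-in" are placeholders.
#
# What the request wants to avoid: a ClusterRole such as the one sketched
# here, bound with a ClusterRoleBinding, lets the service account read
# every Secret in the cluster.
#
#   kind: ClusterRole
#   rules:
#     - apiGroups: [""]
#       resources: ["secrets", "configmaps"]
#       verbs: ["get", "list", "watch"]
#
# Opt-in alternative: each participating namespace carries its own Role and
# RoleBinding, so the grant stops at the namespace boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: reloader-opt-in
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
  # Assumed verbs for rolling the workloads that reference those objects.
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: reloader-opt-in
  namespace: team-a
subjects:
  # Identity from the log line: system:serviceaccount:kube-system:reloader-reloader
  - kind: ServiceAccount
    name: reloader-reloader
    namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: reloader-opt-in
# Scope check by impersonation; the namespaced query should be allowed and
# the cluster-wide one denied:
#   kubectl auth can-i list secrets -n team-a --as=system:serviceaccount:kube-system:reloader-reloader
#   kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:kube-system:reloader-reloader
```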

@ffilippopoulos Currently we can ignore certain namespaces but we don't have the functionality to include namespaces at the moment. But we definitely welcome all the contributions in the form of PR.

faizanahmad055, Apr 21 '22 12:04

We have a similar case and would welcome the ability to specifically state the desired namespaces to be watched by the reloader (which does a very good job so far...)

tmeltser, Jul 21 '22 11:07

It would be awesome if Reloader was able to filter in/out namespaces by label (maybe using the kubernetes LabelSelector pattern)

aslafy-z, Aug 05 '22 11:08

@faizanahmad055 I am using the helm chart to deploy reloader like this:

helm install stakater/reloader \
    --namespace=reloader \
    --generate-name \
    --set reloader.watchGlobally=true

I can see a clusterRole and clusterRoleBinding is created for this. So I hope it should be able to watch configmap changes in all namespaces.

reloader-1668050029-reloader-role-binding ClusterRole/reloader-1668050029-reloader-role

I have a deployment object defined as below. It has a container with a cm mounted as a volume and is marked as optional. Initially I deployed MyApp without creating a cm. Once the pod is up, I created a cm and expected the pod to be restarted.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: MyApp
  annotations:
    configmap.reloader.stakater.com/reload: "MyApp-policy"
  namespace: MyApp
  ..
  
    volumes:
      - name: MyApp-policy
        configMap:
          name: MyApp-policy
          optional: true 
  

But the creation of MyApp-policy configmap is not detected by the reloader. I later tried editing the cm using kubectl edit. But this is also not detected.

Could you please let me know if this scenario is valid and if so what's wrong here. Thanks!

ata18, Nov 10 '22 18:11

@ata18 are both the configmap and deployment in the same namespace? It can only work if both are in the same namespace. If it is in the same namespace then please share the reloader logs.

faizanahmad055, Nov 11 '22 08:11

@faizanahmad055 Thanks for your response. I retried the same steps in a fresh deployment and it seems to be working this time.

ata18, Nov 11 '22 18:11

#356 should fix this.

faizanahmad055, Jan 05 '23 21:01

Brilliant, thanks very much – that sounds like it'll do the trick! :)

edscadding, Jan 07 '23 10:01