security-profiles-operator
Security Profiles Operator should support dynamic infrastructures
What would you like to be added:
Currently SPO does not support dynamic infrastructures from an update and deletion of a seccomp profile object point of view. When installing a seccomp profile on a node, the operator will add this node to the finalizers list of the object. In the case of a dynamic node infrastructure, such as when using Karpenter on AWS, this will mean that over time the finalizers list does not reflect the current infrastructure.
There does not seem to be any mechanism for watching nodes that are deleted, and then in turn remove that finalizer from the list when a node is removed from the cluster.
In the case of a very large and very dynamic cluster that's using hundreds or thousands of nodes which are also spot instances, this could mean that in a very short time a finalizers array could grow to thousands or tens of thousands in a matter of weeks.
Why is this needed:
Supporting the removal of deleted nodes from finalizers would ease the management of profiles, especially when it comes to updating or deleting and ensuring current security needs are being met without too much overhead.
User story covered
Please let me know if I should add any more details to this.
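The pruning logic the request describes, as an added example that is not part of the issue or of the operator's own code: it is plain Go with no Kubernetes client, the per-node finalizer naming scheme (`example.io/node-<name>`) is an assumption for illustration and not SPO's real prefix, and the "live nodes" set stands in for what a controller would get from listing Node objects. `pruneStaleNodeFinalizers` is the reconcile-time sweep (drop every node finalizer whose node no longer exists), and `onNodeDeleted` is the event-driven path (one Node delete event strips that node's finalizer from every profile that carries it). Either way, non-node finalizers are left untouched and slice order is preserved so an update call would only change what it has to.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// nodeFinalizerPrefix is an assumed naming scheme for per-node finalizers.
// It is hypothetical for this example; SPO's real finalizer names may differ.
const nodeFinalizerPrefix = "example.io/node-"

// nodeFinalizer builds the finalizer name for a node under the assumed scheme.
func nodeFinalizer(node string) string { return nodeFinalizerPrefix + node }

// pruneStaleNodeFinalizers returns the finalizers that still refer to a live node
// (or are not node finalizers at all) plus the entries that were dropped because
// their node no longer exists. Order is preserved; non-node finalizers are never
// touched, so an unrelated finalizer set by another controller survives the sweep.
func pruneStaleNodeFinalizers(finalizers []string, liveNodes map[string]bool) (kept, removed []string) {
	for _, f := range finalizers {
		if strings.HasPrefix(f, nodeFinalizerPrefix) {
			node := strings.TrimPrefix(f, nodeFinalizerPrefix)
			if !liveNodes[node] {
				removed = append(removed, f)
				continue
			}
		}
		kept = append(kept, f)
	}
	return kept, removed
}

// onNodeDeleted is the event-driven counterpart: when a Node delete event arrives,
// strip that node's finalizer from every profile that carries it. profiles maps a
// profile name to its finalizer list and is updated in place; the returned names
// (sorted) are the profiles that changed and would need an update call.
func onNodeDeleted(profiles map[string][]string, node string) []string {
	target := nodeFinalizer(node)
	var changed []string
	for name, fins := range profiles {
		out := make([]string, 0, len(fins))
		hit := false
		for _, f := range fins {
			if f == target {
				hit = true
				continue
			}
			out = append(out, f)
		}
		if hit {
			profiles[name] = out
			changed = append(changed, name)
		}
	}
	sort.Strings(changed)
	return changed
}

func main() {
	// Constructed sample: a profile installed on three nodes, two of which (spot
	// instances) have since been replaced, plus one unrelated finalizer.
	profile := []string{
		nodeFinalizer("ip-10-0-1-10"),
		nodeFinalizer("ip-10-0-1-11"),
		"example.io/some-other-finalizer",
		nodeFinalizer("ip-10-0-2-42"),
	}
	live := map[string]bool{"ip-10-0-2-42": true, "ip-10-0-3-7": true}

	kept, removed := pruneStaleNodeFinalizers(profile, live)
	fmt.Println("kept:   ", kept)
	fmt.Println("removed:", removed)

	profiles := map[string][]string{"web": profile, "db": {"example.io/some-other-finalizer"}}
	fmt.Println("changed by deleting ip-10-0-2-42:", onNodeDeleted(profiles, "ip-10-0-2-42"))
}
```

In a real controller the sweep would run in the profile reconciler against a cached Node list, and the event path would be wired to a Node watch with a handler that enqueues every profile carrying that node's finalizer; both shapes keep the finalizer list bounded by the number of nodes that currently exist rather than by the number that ever existed.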
Hey @jlowe64, thank you for the feature request! Yes having a better substitution for the finalizer would be awesome. Are you interested in contributing the change to the operator?
@saschagrunert I will look into what it'll take and see if it can be part of my scheduled work and get back to you.
@saschagrunert I've done further testing and it seems node removal works in a very bare cluster. So there's something about my specific production-like staging cluster that prevents SPO from editing finalizers. We have Kyverno and RBAC permissions set up so I'll need to dig a bit more. But I'll close this request since it's not your system that is at fault.
@jlowe64 thank you!