Use metadata only watches for configmaps and secrets resources on workload clusters #3887
Comments
k8s-ci-robot
added
the
kind/feature
|
/milestone v0.4.0 |
|
backporting will be nice, but it requires some work in older versions of controller runtime |
|
Other possible things to consider:
|
This is interesting. It would be really nice if we could create some sort of caching intermediary, like a squid proxy for the API server, so that the cache for remote clusters would live in the same namespace as the objects that represent those clusters. |
|
@vincepri: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
User Story
As an operator,
I would like CAPI controllers to use metadata-only watches for
secretsresources on the management cluster,Because otherwise CAPI has trouble scaling to large environments with hundreds/thousands of workload clusters.
As an operator,
I would like CAPI controllers to use metadata-only watches for
configmapsandsecretsresources on workload clusters,Because otherwise CAPI has trouble scaling to large environments with hundreds/thousands of workload clusters.
As an operator,
I would like CAPI controllers to use metadata-only watches for
configmapsandsecretsresources on workload clusters,Because otherwise anyone on a workload cluster has the ability to force an OOM error in the CABPK and KCP pods on the management server by creating enough
configmapsorsecretsresources to exceed the memory limit of those pods on the management cluster.Detailed Description
Today Cluster API watches (1) many different resources, but here are some that are particularly relevant to this issue:
configmapsnodessecretsThese resources are important, especially the
configmapsandsecrets. Asecretsresource is created on the management cluster by CAPBK for every machine in a workload cluster. In CAPI v1alpha2, before CAPBK, this resource was around 16KiB in size. Today it is 45KiB. That means for 300 guest clusters with three nodes each,secretsresources alone will consume ~40MiB in each cache for a controller that is watching, explicitly or implicitly,secretsresources.The situation with
configmapsis even more concerning. Because CAPI, from the management cluster, watches and caches resources from all workload clusters, it means at best it is simply not possible to accurately estimate the memory resource requirements for CAPI pods. At worst it means a rogue workload cluster administrator could willfully and maliciously ensure that CAPI pods running on the management cluster are terminated with OOM errors by creatingconfigmapsandsecretsresources on a workload cluster.While it will not solve any of these issues completely (because of labels and annotations), CAPI should try to adopt metadata-only watches (kubernetes-sigs/controller-runtime#1174) for
configmapsandsecretsresources, opting to do live reads where necessary. This is the minimum CAPI should consider, but in the future consider extending this strategy to include additional resources as well.Anything else you would like to add:
/kind feature
GetorListcall.The text was updated successfully, but these errors were encountered: