Use metadata only watches for configmaps and secrets resources on workload clusters #3887
Comments
/milestone v0.4.0
Backporting would be nice, but it requires some work in older versions of controller-runtime.
Other possible things to consider:
This is interesting. It would be really nice if we could create some sort of caching intermediary, like a Squid proxy for the API server, so that the cache for remote clusters would live in the same namespace as the objects that represent those clusters.
@vincepri: Closing this issue.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
User Story
As an operator, I would like CAPI controllers to use metadata-only watches for `secrets` resources on the management cluster, because otherwise CAPI has trouble scaling to large environments with hundreds/thousands of workload clusters.

As an operator, I would like CAPI controllers to use metadata-only watches for `configmaps` and `secrets` resources on workload clusters, because otherwise CAPI has trouble scaling to large environments with hundreds/thousands of workload clusters.

As an operator, I would like CAPI controllers to use metadata-only watches for `configmaps` and `secrets` resources on workload clusters, because otherwise anyone on a workload cluster has the ability to force an OOM error in the CABPK and KCP pods on the management cluster by creating enough `configmaps` or `secrets` resources to exceed the memory limit of those pods on the management cluster.

Detailed Description
Today Cluster API watches (1) many different resources, but here are some that are particularly relevant to this issue:
- `configmaps`
- `nodes`
- `secrets`
These resources are important, especially the `configmaps` and `secrets`. A `secrets` resource is created on the management cluster by CABPK for every machine in a workload cluster. In CAPI v1alpha2, before CABPK, this resource was around 16KiB in size. Today it is 45KiB. That means for 300 guest clusters with three nodes each, `secrets` resources alone will consume ~40MiB in each cache for a controller that is watching, explicitly or implicitly, `secrets` resources.
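For reference, the arithmetic behind that figure: 300 clusters × 3 machines each = 900 `secrets` resources, and 900 × 45KiB = 40,500KiB, or roughly 40MiB held in every cache that stores full `secrets` objects.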
The situation with `configmaps` is even more concerning. Because CAPI, from the management cluster, watches and caches resources from all workload clusters, it means at best it is simply not possible to accurately estimate the memory resource requirements for CAPI pods. At worst it means a rogue workload cluster administrator could willfully and maliciously ensure that CAPI pods running on the management cluster are terminated with OOM errors by creating `configmaps` and `secrets` resources on a workload cluster.
While it will not solve any of these issues completely (because of labels and annotations), CAPI should try to adopt metadata-only watches (kubernetes-sigs/controller-runtime#1174) for `configmaps` and `secrets` resources, opting to do live reads where necessary. This is the minimum CAPI should consider; in the future the strategy could be extended to additional resources as well.
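To make the proposal concrete, here is a minimal, self-contained controller-runtime sketch of a metadata-only watch combined with live reads. It assumes a controller-runtime version that includes `builder.OnlyMetadata` from kubernetes-sigs/controller-runtime#1174; the `secretReconciler` type and its wiring are illustrative only, not CAPI's actual controllers:

```go
package main

import (
	"context"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/builder"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

// secretReconciler watches Secret metadata only; full object data is
// fetched with a live (uncached) read when it is actually needed.
type secretReconciler struct {
	client.Client           // cache-backed client (metadata-only informer for Secrets)
	apiReader client.Reader // uncached reader for live Get/List calls
}

func (r *secretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	// The cache only stores PartialObjectMetadata for Secrets, so only
	// name/namespace/labels/annotations/ownerRefs are kept in memory.
	md := &metav1.PartialObjectMetadata{}
	md.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))
	if err := r.Get(ctx, req.NamespacedName, md); err != nil {
		return ctrl.Result{}, client.IgnoreNotFound(err)
	}

	// Live read: go straight to the API server only when the Secret's
	// data is required, instead of caching every Secret in full.
	secret := &corev1.Secret{}
	if err := r.apiReader.Get(ctx, req.NamespacedName, secret); err != nil {
		return ctrl.Result{}, client.IgnoreNotFound(err)
	}
	_ = secret.Data // use the data here

	return ctrl.Result{}, nil
}

func main() {
	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{})
	if err != nil {
		panic(err)
	}

	r := &secretReconciler{Client: mgr.GetClient(), apiReader: mgr.GetAPIReader()}

	// builder.OnlyMetadata makes controller-runtime watch and cache
	// PartialObjectMetadata instead of full Secret objects.
	if err := ctrl.NewControllerManagedBy(mgr).
		For(&corev1.Secret{}, builder.OnlyMetadata).
		Complete(r); err != nil {
		panic(err)
	}

	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
		panic(err)
	}
}
```

With this pattern the informer cache holds only `ObjectMeta` for `secrets` (so label- and annotation-based logic still works from the cache, which is the caveat above), while the full `Secret` payload is read on demand and never cached.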
Anything else you would like to add:

/kind feature

(1) A watch may be created explicitly, or implicitly as the result of a cached `Get` or `List` call.