FairwindsOps / goldilocks

Get your resource requests "Just Right"
https://fairwinds.com
Apache License 2.0

Ability to ignore some controller by Kind #534

Closed FrancoisPoinsot closed 4 months ago

FrancoisPoinsot commented 2 years ago

Is your feature request related to a problem? Please describe. I am testing goldilocks. I see it creates a VPA for each controller. In my case I have a lot of Jobs and I would prefer to play it safe and not create VPAs for those.

Describe the solution you'd like An env var/argument that would allow me to ignore some controllers by kind, such as --ignore-controller-kind=Job,CronJob

Maybe we would want some combination of namespace+kind.

Describe alternatives you've considered For now we can technically use RBAC to control what the goldilocks controller can access. By removing the permission on specific Kinds we can achieve something similar. Goldilocks handles this error nicely, but it does throw a lot of error logs.
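To make the proposed flag concrete, here is an added example (not Goldilocks code, and not from the issue author) of how a controller could resolve a pod's top-level owner and then skip VPA creation when that owner's kind is on an ignore list. The flag name `--ignore-controller-kind`, the `namespace/Kind` entry form for the namespace+kind combination, and the in-memory sample cluster are all assumptions made for the example; real Goldilocks walks ownerReferences through the API server, which is why a missing RBAC permission surfaces there as an error.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ownerRef carries the ownerReference fields needed to walk a pod up to the workload that created it.
type ownerRef struct {
	Kind       string
	Name       string
	Controller bool
}

// object is a minimal stand-in for a namespaced Kubernetes object (no client-go in this example).
type object struct {
	Kind      string
	Namespace string
	Name      string
	Owners    []ownerRef
}

// key indexes the constructed cluster below.
func key(ns, kind, name string) string { return ns + "/" + kind + "/" + name }

// ignoreSet is the parsed value of the hypothetical --ignore-controller-kind flag.
// An entry is either "Kind" (every namespace) or "namespace/Kind" (that namespace only).
type ignoreSet map[string]struct{}

func parseIgnoreFlag(v string) ignoreSet {
	s := ignoreSet{}
	for _, e := range strings.Split(v, ",") {
		if e = strings.TrimSpace(e); e != "" {
			s[e] = struct{}{}
		}
	}
	return s
}

func (s ignoreSet) ignores(ns, kind string) bool {
	if _, ok := s[kind]; ok {
		return true
	}
	_, ok := s[ns+"/"+kind]
	return ok
}

// topController follows controller=true ownerReferences until an object with no controller
// owner is reached (Pod -> Job -> CronJob, Pod -> ReplicaSet -> Deployment).
func topController(objs map[string]object, pod object) (object, error) {
	cur := pod
	for depth := 0; depth < 10; depth++ { // cap the walk so a cyclic owner chain cannot loop forever
		var ctrl *ownerRef
		for i := range cur.Owners {
			if cur.Owners[i].Controller {
				ctrl = &cur.Owners[i]
				break
			}
		}
		if ctrl == nil {
			return cur, nil
		}
		parent, ok := objs[key(cur.Namespace, ctrl.Kind, ctrl.Name)]
		if !ok { // the analogue of the Forbidden/NotFound error a real controller would log here
			return object{}, fmt.Errorf("%s %s/%s not found or not readable", ctrl.Kind, cur.Namespace, ctrl.Name)
		}
		cur = parent
	}
	return object{}, errors.New("owner chain deeper than 10 levels")
}

// shouldCreateVPA is the per-pod decision under the proposed flag: resolve the top-level
// controller, then skip it if its kind (optionally scoped to its namespace) is ignored.
// It returns the decision and the kind of the top-level controller.
func shouldCreateVPA(objs map[string]object, pod object, ignore ignoreSet) (bool, string, error) {
	top, err := topController(objs, pod)
	if err != nil {
		return false, "", err
	}
	return !ignore.ignores(top.Namespace, top.Kind), top.Kind, nil
}

// sampleCluster is constructed data: CronJob-spawned pods in "default" and "reports",
// and a Deployment-backed pod in "default".
func sampleCluster() map[string]object {
	objs := map[string]object{}
	add := func(o object) { objs[key(o.Namespace, o.Kind, o.Name)] = o }
	add(object{Kind: "CronJob", Namespace: "default", Name: "my-job"})
	add(object{Kind: "Job", Namespace: "default", Name: "my-job-1677685200", Owners: []ownerRef{{Kind: "CronJob", Name: "my-job", Controller: true}}})
	add(object{Kind: "Pod", Namespace: "default", Name: "my-job-1677685200-klwq5", Owners: []ownerRef{{Kind: "Job", Name: "my-job-1677685200", Controller: true}}})
	add(object{Kind: "CronJob", Namespace: "reports", Name: "nightly"})
	add(object{Kind: "Job", Namespace: "reports", Name: "nightly-1", Owners: []ownerRef{{Kind: "CronJob", Name: "nightly", Controller: true}}})
	add(object{Kind: "Pod", Namespace: "reports", Name: "nightly-1-x7k2p", Owners: []ownerRef{{Kind: "Job", Name: "nightly-1", Controller: true}}})
	add(object{Kind: "Deployment", Namespace: "default", Name: "web"})
	add(object{Kind: "ReplicaSet", Namespace: "default", Name: "web-5d8f", Owners: []ownerRef{{Kind: "Deployment", Name: "web", Controller: true}}})
	add(object{Kind: "Pod", Namespace: "default", Name: "web-5d8f-qz9lm", Owners: []ownerRef{{Kind: "ReplicaSet", Name: "web-5d8f", Controller: true}}})
	return objs
}

func main() {
	objs := sampleCluster()
	ignore := parseIgnoreFlag("Job,CronJob")
	for _, k := range []string{"default/Pod/my-job-1677685200-klwq5", "default/Pod/web-5d8f-qz9lm"} {
		create, kind, err := shouldCreateVPA(objs, objs[k], ignore)
		fmt.Printf("%s top=%s createVPA=%v err=%v\n", k, kind, create, err)
	}
}
```

Filtering on the top-level controller rather than the pod's immediate owner is what makes `CronJob` in the ignore list also cover the Jobs it spawns; ignoring only `Job` would still leave CronJob-owned pods handled by whatever rule applies to `CronJob`.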

rverchere commented 1 year ago

Hi,

Does the ClusterRole already manage it?

When installing it using Helm, I have a ClusterRole with these rules, and jobs/cronjobs are not allowed:

```yaml
rules:
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling.k8s.io
  resources:
  - verticalpodautoscalers
  verbs:
  - get
  - list
  - create
  - delete
  - update
- apiGroups:
  - argoproj.io
  resources:
  - rollouts
  verbs:
  - get
  - list
  - watch
```

Some logs:

```
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022461       1 controller.go:229]  "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022497       1 controller.go:147]  "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685200-klwq5"="default"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122148       1 controller.go:229]  "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122192       1 controller.go:147]  "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685800-vqnr6"="default"
```

Your idea to add the ability to NOT watch some resources is a good one.
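The log lines in the comment above are the RBAC denial from the API server: the chart's ClusterRole grants `list` on everything in `apps` but nothing in `batch`, so the owner walk from a CronJob-spawned pod fails at `jobs.batch`/`cronjobs.batch`. The following added example (not Goldilocks code, and not from the commenter) transcribes the quoted rules and evaluates them locally with RBAC's wildcard semantics, the same question `kubectl auth can-i list cronjobs.batch --as=system:serviceaccount:vpa:goldilocks-controller` would put to a live cluster. The `lookup` type and the owner walks it checks are assumptions of the example; `resourceNames` and `nonResourceURLs` are left out because the quoted rules do not use them.

```go
package main

import "fmt"

// policyRule carries the three PolicyRule fields the quoted ClusterRole uses.
type policyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// matchAny applies RBAC's wildcard semantics: "*" in a rule matches any value.
func matchAny(list []string, v string) bool {
	for _, x := range list {
		if x == "*" || x == v {
			return true
		}
	}
	return false
}

// allowed reports whether any rule permits verb on group/resource (RBAC is purely additive:
// one matching rule is enough, and there are no deny rules).
func allowed(rules []policyRule, verb, group, resource string) bool {
	for _, r := range rules {
		if matchAny(r.Verbs, verb) && matchAny(r.APIGroups, group) && matchAny(r.Resources, resource) {
			return true
		}
	}
	return false
}

// chartRules transcribes the ClusterRole rules quoted in the comment above.
func chartRules() []policyRule {
	return []policyRule{
		{APIGroups: []string{"apps"}, Resources: []string{"*"}, Verbs: []string{"get", "list", "watch"}},
		{APIGroups: []string{""}, Resources: []string{"namespaces", "pods"}, Verbs: []string{"get", "list", "watch"}},
		{APIGroups: []string{"autoscaling.k8s.io"}, Resources: []string{"verticalpodautoscalers"}, Verbs: []string{"get", "list", "create", "delete", "update"}},
		{APIGroups: []string{"argoproj.io"}, Resources: []string{"rollouts"}, Verbs: []string{"get", "list", "watch"}},
	}
}

// lookup is one parent fetch in an owner walk, named by API group and resource (assumed shape).
type lookup struct{ Group, Resource string }

// forbidden returns the resource.group pairs in a walk that the role cannot list, i.e. the
// points where a controller bound only to this role would see a Forbidden error.
func forbidden(rules []policyRule, walk []lookup) []string {
	out := []string{}
	for _, l := range walk {
		if !allowed(rules, "list", l.Group, l.Resource) {
			out = append(out, l.Resource+"."+l.Group)
		}
	}
	return out
}

func main() {
	rules := chartRules()
	// Pod -> ReplicaSet -> Deployment is fully readable; Pod -> Job -> CronJob is not.
	fmt.Println("deployment walk forbidden:", forbidden(rules, []lookup{{"apps", "replicasets"}, {"apps", "deployments"}}))
	fmt.Println("cronjob walk forbidden:   ", forbidden(rules, []lookup{{"batch", "jobs"}, {"batch", "cronjobs"}}))
}
```

Two practical points follow from running this against the quoted rules: the `batch` group is absent, so both `jobs.batch` and `cronjobs.batch` are denied (matching the log lines), and the `verticalpodautoscalers` rule carries no `watch` verb, which is worth confirming against the chart before relying on this ClusterRole as the mechanism for excluding kinds.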