Closed FrancoisPoinsot closed 4 months ago
Hi,
Does the ClusterRole already manage it?
When installing it using Helm, I have a ClusterRole with these rules, and job/cronjobs are not allowed:
```yaml
rules:
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling.k8s.io
  resources:
  - verticalpodautoscalers
  verbs:
  - get
  - list
  - create
  - delete
  - update
- apiGroups:
  - argoproj.io
  resources:
  - rollouts
  verbs:
  - get
  - list
  - watch
```
Some logs:
```
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022461 1 controller.go:229] "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022497 1 controller.go:147] "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685200-klwq5"="default"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122148 1 controller.go:229] "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122192 1 controller.go:147] "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685800-vqnr6"="default"
```
Your idea to add the ability to NOT watch some resources is a good one.
**Is your feature request related to a problem? Please describe.**
I am testing goldilocks. I see it creates a VPA for each controller. In my case I have a lot of Jobs and I would prefer to play it safe and not create VPAs for those.

**Describe the solution you'd like**
An env var/argument that would allow me to ignore some controllers by kind, such as:

```
--ignore-controller-kind=Job,CronJob
```

Maybe we would want some combination of namespace+kind.

**Describe alternatives you've considered**
For now we can technically use RBAC to control what the goldilocks controller can access. By removing the permission on specific Kinds we can achieve something similar. Goldilocks handles this error nicely, but it does throw a lot of error logs.
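As an added example (not code from goldilocks or from anyone in this thread), a small parser for the forbidden-error lines quoted above: it folds the denials into the ClusterRole rules that would silence them, or, when the kinds you withheld on purpose (the RBAC workaround described in the issue) are passed as ignored, reports only the unexpected denials. The log lines are constructed to match the klog format in the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the klog key="value" shape quoted in the thread
# (the last one is an unrelated info line the parser must skip).
SAMPLE_LOGS = [
    'E0301 16:06:21.022461 1 controller.go:229] "error"="cronjobs.batch is forbidden: '
    'User \\"system:serviceaccount:vpa:goldilocks-controller\\" cannot list resource \\"cronjobs\\" in API group \\"batch\\" in the namespace \\"default\\""',
    'E0301 16:06:22.000000 1 controller.go:229] "error"="jobs.batch is forbidden: '
    'User \\"system:serviceaccount:vpa:goldilocks-controller\\" cannot get resource \\"jobs\\" in API group \\"batch\\" in the namespace \\"default\\""',
    'E0301 16:06:23.000000 1 controller.go:229] "error"="nodes is forbidden: '
    'User \\"system:serviceaccount:vpa:goldilocks-controller\\" cannot list resource \\"nodes\\" in API group \\"\\" at the cluster scope"',
    'I0301 16:06:24.000000 1 controller.go:100] "msg"="Reconciled" "namespace"="default"',
]

# The apiserver's RBAC denial text; quotes inside the "error" value are
# backslash-escaped in the log, hence the \\" in the pattern.
FORBIDDEN_RE = re.compile(
    r'User \\"(?P<user>[^\\"]+)\\" cannot (?P<verb>\w+) resource \\"(?P<resource>[^\\"]+)\\"'
    r' in API group \\"(?P<group>[^\\"]*)\\"'
    r'(?: in the namespace \\"(?P<namespace>[^\\"]+)\\"| at the cluster scope)?'
)

def parse_forbidden(line):
    """Return the denied user/verb/resource/group/namespace, or None if not a denial."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["namespace"] = d["namespace"] or "*"  # cluster-scoped request
    return d

def missing_rules(lines, ignored_resources=frozenset()):
    """Fold denials into one ClusterRole rule per API group, skipping kinds withheld on purpose."""
    grouped = defaultdict(lambda: {"resources": set(), "verbs": set()})
    for line in lines:
        d = parse_forbidden(line)
        if d is None or d["resource"] in ignored_resources:
            continue
        grouped[d["group"]]["resources"].add(d["resource"])
        grouped[d["group"]]["verbs"].add(d["verb"])
    return [{"apiGroups": [g], "resources": sorted(v["resources"]), "verbs": sorted(v["verbs"])}
            for g, v in sorted(grouped.items())]

def to_yaml(rules):
    """Render the rules as the `rules:` block of a ClusterRole manifest."""
    out = ["rules:"]
    for r in rules:
        out += ["- apiGroups:"] + [f'  - "{g}"' for g in r["apiGroups"]]
        out += ["  resources:"] + [f"  - {x}" for x in r["resources"]]
        out += ["  verbs:"] + [f"  - {x}" for x in r["verbs"]]
    return "\n".join(out)
```

Run `to_yaml(missing_rules(SAMPLE_LOGS))` to get the rules to add, or `missing_rules(SAMPLE_LOGS, {"jobs", "cronjobs"})` to see only the denials that are not part of the intended RBAC restriction.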