GoogleCloudPlatform / metacontroller

Lightweight Kubernetes controllers as a service
https://metacontroller.app/
Apache License 2.0

To create a cluster-scoped resource from namespaced resource by DecorateController #162

Open kentwelcome opened 5 years ago

kentwelcome commented 5 years ago

Hi, we've come across a scenario to use DecorateController to create a cluster-scoped resource from the namespaced resource. As we understand, the docs say it's not supported, and a Kubernetes ownerReference can't have a namespaced parent for cluster-scoped resources. The discussion here suggested a proxy resource https://github.com/GoogleCloudPlatform/metacontroller/issues/2#issuecomment-397080752 but has there been any design for that?

enisoc commented 5 years ago

Some background copied from our Slack discussion:

The proposed proxy resource was only needed because we wanted to support creating children that we know might get adopted, like Pod, ReplicaSet, PVC. In fact, if you think about it, the proxy object seems pointless; the proxy itself would be an orphan, so what have you really gained? The answer is that the proxy object is only safe because we assume it's some CRD that no one else would try to adopt. Similarly, if you're creating cluster-scoped attachments, you can be reasonably sure no one is going to try to adopt them, because OwnerRefs only recently became possible on cluster-scoped objects and nothing in core or out in the wild (that I know of) does adoption on cluster-scoped objects.

So for the specific case of cluster-scoped children of a namespace-scoped object, I think you'd only need to make Metacontroller put some OwnerRef-like annotation on cluster-scoped children of namespaced parents so it can use that to filter its own children. The finalizer part can already be done with a finalize hook that deletes (omits from the result) the cluster-scoped child/attachment.

Would you be interested in working on this?
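The OwnerRef-like annotation filter described in the comment above, as an added Go example that is not part of the thread and not Metacontroller's code. The annotation key `example.invalid/namespaced-owner`, the `OwnerRef` and `Object` types, and the `Stamp` and `FilterOwned` functions are hypothetical; matching on the parent's UID as well as its name is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ownerAnnotation is a hypothetical key; the thread does not name one.
const ownerAnnotation = "example.invalid/namespaced-owner"

// OwnerRef holds OwnerReference-like identity plus the parent's namespace.
type OwnerRef struct{ APIVersion, Kind, Namespace, Name, UID string }

// Object is a minimal stand-in for a cluster-scoped child.
type Object struct {
	Name        string
	Annotations map[string]string
}

// Stamp records the namespaced parent on a cluster-scoped child.
func Stamp(child *Object, parent OwnerRef) {
	raw, _ := json.Marshal(parent) // a struct of strings always marshals
	if child.Annotations == nil {
		child.Annotations = map[string]string{}
	}
	child.Annotations[ownerAnnotation] = string(raw)
}

// FilterOwned keeps only the objects whose annotation names this exact parent.
// Comparing the UID too rejects children of a deleted, same-named parent.
func FilterOwned(parent OwnerRef, objs []Object) []Object {
	var owned []Object
	for _, o := range objs {
		var ref OwnerRef
		raw, ok := o.Annotations[ownerAnnotation]
		if !ok || json.Unmarshal([]byte(raw), &ref) != nil || ref != parent {
			continue // unannotated, malformed, or a different parent
		}
		owned = append(owned, o)
	}
	return owned
}

func main() {
	parent := OwnerRef{"v1", "ConfigMap", "team-a", "cfg", "uid-2"} // constructed sample
	a, b := Object{Name: "mine"}, Object{Name: "stale"}
	Stamp(&a, parent)
	Stamp(&b, OwnerRef{"v1", "ConfigMap", "team-a", "cfg", "uid-1"}) // earlier parent, same name
	fmt.Println(FilterOwned(parent, []Object{a, b, {Name: "unrelated"}}))
}
```

Unlike a real ownerReference, an annotation is not enforced by the API server or the garbage collector, so anyone allowed to update the child can rewrite it; the filter is only as trustworthy as the RBAC on those objects.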

kentwelcome commented 5 years ago

Sure~