aiven / aiven-operator

Provision and manage Aiven Services from your Kubernetes cluster.
https://aiven.github.io/aiven-operator
Apache License 2.0

Allow selecting which CRDs to install when using aiven-operator-crds chart #380

Open mortenlj opened 1 year ago

mortenlj commented 1 year ago

In our cluster we want to limit which Aiven services are available to our users. The best way to solve that would be to only install the CRDs for the services we want to allow.

Would you be open to a PR that allows selecting which services are installed with the aiven-operator-crds chart?

Serpentiel commented 1 year ago

hey, @mortenlj! 👋

we'll discuss this with the team and will get back to you with feedback on your idea soon

thanks!

mortenlj commented 1 year ago

After some testing, we've found that in addition to not installing the relevant CRDs, the operator itself would need to either be configurable, or ignore services if the relevant CRD is missing in the cluster. Currently the operator will exit the controller goroutine (but not the operator itself) if a CRD is missing.

byashimov commented 1 year ago

That's correct. It is more about configuring the operator itself. But probably there is a better option with RBAC or any other restrictions. Because it might be inventing a wheel here.

mortenlj commented 1 year ago

Our initial approach is to use RBAC to restrict this, but as an additional measure it would be good to not have the CRD at all. An additional point is that we see performance issues in the API server when the number of CRDs gets excessive, so limiting the number of CRDs to the ones that are actually in use would be a benefit.

We will use RBAC rules for now, as this seems to be less of a "quick win" than we initially thought it would be. Feel free to close if you don't like the idea.

byashimov commented 1 year ago

Limiting resource consumption is a good thing. I'll leave this open. Thanks for the idea.