kubernetes-sigs / controller-runtime

Repo for the controller-runtime subproject of kubebuilder (sig-apimachinery)
Apache License 2.0

Enable filtered list watches as watches #244

Closed nkvoll closed 3 years ago

nkvoll commented 5 years ago

When setting up watches during initialization it's currently not possible to filter by any selectors (which is possible using list watches).

For example, it is not possible to only watch pods with specific labels (e.g. having the label pod-type: my-controller-type). The current behavior results in very broad caching, which might not be desirable for large Kubernetes deployments.

In some scenarios an operator could contain multiple controllers, and they all share caches, so keying caches on GVKs alone might be problematic if they want to watch the same resource type, but with different filters.

When doing List/Get, how would one decide which of the caches to use? It seems that perhaps this needs to be an explicit choice by the operator developers?

estroz commented 3 years ago

> #1435 is now merged, so is this resolved?

@invidian yes I believe this is resolved.

/close

k8s-ci-robot commented 3 years ago

@estroz: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/controller-runtime/issues/244#issuecomment-829356188):

> > #1435 is now merged, so is this resolved?
>
> @invidian yes I believe this is resolved.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

roee88 commented 3 years ago

It seems like the current solution doesn't address the use case mentioned in https://github.com/kubernetes-sigs/controller-runtime/issues/244#issuecomment-557656216.

It should be possible to create a namespace scoped client in ListFunc and WatchFunc if there is a field selector for metadata.namespace (vs the current logic of just looking at the global namespace field). Is that reasonable?

alvaroaleman commented 3 years ago

@roee88 what was merged allows setting a FieldSelector, so yes, this is possible.

roee88 commented 3 years ago

To clarify, I suspect that without affecting the parameters to NamespaceIfScoped, the selector opts have no effect on the required RBAC (cluster role bindings vs role bindings). For example here:

https://github.com/kubernetes-sigs/controller-runtime/blob/64b1c729991a0316f1500ce5fc52544cd86c5fce/pkg/cache/internal/informers_map.go#L282-L288

My question is whether changing the code here makes sense. Specifically for the case where ip.namespace is empty, the value from a metadata.namespace field selector should be used (if exists).

cc @shlomitk1

alvaroaleman commented 3 years ago

> My question is whether changing the code here makes sense. Specifically for the case where ip.namespace is empty, the value from a metadata.namespace field selector should be used (if exists).

That sounds reasonable
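
The scoping rule proposed in the last exchange, sketched as an added example; it is not controller-runtime code and not written by anyone in this thread. `effectiveNamespace` and `requestPath` are hypothetical names, the selector parsing is a simplified standard-library stand-in for the real field-selector types, and core/v1 resources are assumed for the path.

```go
package main

import (
	"fmt"
	"strings"
)

// effectiveNamespace picks the namespace a list/watch should be scoped to.
// configured mirrors the cache-wide setting (ip.namespace in the thread);
// fieldSelector uses Kubernetes field-selector syntax (=, ==, !=).
func effectiveNamespace(configured, fieldSelector string) (string, error) {
	if configured != "" {
		return configured, nil // an explicit cache namespace always wins
	}
	ns := ""
	for _, term := range strings.Split(fieldSelector, ",") {
		term = strings.TrimSpace(term)
		if term == "" || strings.Contains(term, "!=") {
			continue // an exclusion cannot pin the request to one namespace
		}
		key, value, ok := strings.Cut(term, "=")
		if !ok {
			return "", fmt.Errorf("invalid selector term %q", term)
		}
		if strings.TrimSpace(key) != "metadata.namespace" {
			continue
		}
		value = strings.TrimSpace(strings.TrimPrefix(value, "=")) // accept "=="
		if ns != "" && ns != value {
			return "", fmt.Errorf("conflicting namespaces %q and %q", ns, value)
		}
		ns = value
	}
	return ns, nil
}

// requestPath is the URL the API server authorizes. RBAC takes the namespace
// from this path, not from the selector, so only the namespaced form can be
// granted with a Role and RoleBinding instead of cluster-wide bindings.
func requestPath(resource, namespace string) string {
	if namespace == "" {
		return "/api/v1/" + resource
	}
	return "/api/v1/namespaces/" + namespace + "/" + resource
}

func main() {
	ns, _ := effectiveNamespace("", "metadata.namespace=team-a,status.phase=Running")
	fmt.Println(requestPath("pods", ns))
}
```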