Open jackjii79 opened 7 months ago
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale
/remove-lifecycle stale

I think it is worth restricting the permissions to a single namespace as much as it is possible.
/area vertical-pod-autoscaler
Which component are you using?: vertical-pod-autoscaler
Is your feature request designed to solve a problem? If so describe the problem this feature should solve.:
Installation of VPA requires a cluster-level role for all three core components, even if the pods that need VPA support are constrained to a single namespace. In certain production environments, the cluster admin very often wants to limit the VPA components to accessing resources at namespace level only, for administration and security concerns. Additionally, limiting VPA to namespace resources would be a benefit from a performance aspect.
--vpa-object-namespace is supported in all three components, so a ClusterRole is not necessary to access VPAs across namespaces.

Describe the solution you'd like.: VPA components should respect --vpa-object-namespace if specified, by accessing VPAs at the given namespace level only (it seems verticalPodAutoscalerNamespaceLister does the job but has not been used), so that the ClusterRole for accessing VPAs can be replaced by a Role.

Describe any alternative solutions you've considered.:
Additional context.: In addition to VPA-specific access control, other resources may also be limited to namespace-level access, for instance deployments, replicasets, statefulsets and daemonsets. The recommender may also not need to access namespace resources if --vpa-object-namespace is defined. The metrics API does seem to support namespace access: https://github.com/kubernetes/autoscaler/blob/0c62f543f1a1a8922f1579ffe2a238bb2e269325/vertical-pod-autoscaler/pkg/recommender/input/metrics/metrics_client.go#L56-L64