kubernetes / autoscaler

Autoscaling components for Kubernetes
Apache License 2.0

Support namespace scoped VPA and pods scale #6568

Open jackjii79 opened 7 months ago

jackjii79 commented 7 months ago

Which component are you using?: vertical-pod-autoscaler

Is your feature request designed to solve a problem? If so describe the problem this feature should solve.:

Installation of VPA requires a cluster-level role for all three core components even if the pods that need VPA support are constrained to a single namespace. In certain production environments, the cluster admin very often wants to limit VPA components so that they can only access resources at the namespace level, for administration and security reasons. Additionally, limiting VPA to namespace resources would be a benefit from a performance perspective.

--vpa-object-namespace is supported in all three components; a clusterrole is not necessary to access VPA across namespaces.

Describe the solution you'd like.: VPA components should respect --vpa-object-namespace, if specified, by accessing VPA at the given namespace level only (it seems verticalPodAutoscalerNamespaceLister does the job but has not been used) so that the clusterrole for accessing VPA can be replaced by a role.

Describe any alternative solutions you've considered.:

Additional context.: In addition to specific VPA access level control, other resources may also be able to limit access at the namespace level, for instance deployment, replicasets, statefulset and daemonset as well. The recommender may not need to access namespace resources either if --vpa-object-namespace is defined. The metric API does seem to support namespace access: https://github.com/kubernetes/autoscaler/blob/0c62f543f1a1a8922f1579ffe2a238bb2e269325/vertical-pod-autoscaler/pkg/recommender/input/metrics/metrics_client.go#L56-L64
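The RBAC shape this request is asking for, as an added example (not part of the original issue and not the project's own manifests): a cluster-wide read grant on VPA objects next to its namespaced Role and RoleBinding equivalent. The namespace `team-a`, the object names, and the `vpa-recommender` service account in `kube-system` are assumptions, and the namespaced form only works if the component lists and watches VPAs in that one namespace, which is the behaviour the issue requests.

```yaml
# Added illustration; every name and the namespace are assumptions.
# Cluster-wide grant: the subject can read VPA objects in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-vpa-reader
rules:
  - apiGroups: ["autoscaling.k8s.io"]
    resources: ["verticalpodautoscalers"]
    verbs: ["get", "list", "watch"]
---
# Namespaced equivalent: same rule, but valid only inside team-a.
# Intended to pair with a component started with
#   --vpa-object-namespace=team-a
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-vpa-reader
  namespace: team-a
rules:
  - apiGroups: ["autoscaling.k8s.io"]
    resources: ["verticalpodautoscalers"]
    verbs: ["get", "list", "watch"]
---
# Binds the Role to the component's service account, which may live in
# a different namespace from the workloads it manages.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-vpa-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: vpa-recommender   # assumed service account name
    namespace: kube-system  # assumed install namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-vpa-reader
```

With only the Role bound, any list or watch the component issues at cluster scope is rejected as forbidden by the API server, so the component has to use a namespace-scoped lister for this to work.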

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

voelzmo commented 4 months ago

/remove-lifecycle stale

I think it is worth restricting the permissions to a single namespace as much as possible.

adrianmoisey commented 3 months ago

/area vertical-pod-autoscaler

k8s-triage-robot commented 5 days ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale