Closed flavio closed 1 year ago
This is a draft; I didn't have time to proofread it since I have to leave for holidays.
@jvanz / @viccuad: feel free to take a look at it if you have time. As you will see, I think there are other approaches that might be easier to accomplish. We can discuss more once I'm back.
LGTM here, the listed alternatives are well documented. From the listed ones, I favour an optional PV and no StatefulSets. I look forward to follow-up discussions.
What if we remove the load of pre-compiling the policies from the policy server? We could use a job which will download the policy, pre-compile it and store it in a PV. Therefore, policy servers do not write to it, just read it. No concurrent write access. The controller can watch for new policies, trigger this job, and only after the successful job execution update/restart the policy server. This job could use a new kwctl command to optimize the policies and write the result into the PV, to be read afterwards by the policy server.
Thanks for the suggestion. I still prefer one of the alternative approaches because this would not complicate the rollout strategy used by the controller to start a new instance of the policy server.
Let's experiment a bit with the Kubernetes leases and a shared PV. I'll keep you posted.
Closing the RFC as rejected. The alternative solutions illustrated inside of the RFC are more appealing.
I'm going to open a new RFC to explain how one of the alternative solutions can be adopted to solve this problem.
Sorry, I accidentally closed the PR. I'll instead merge it, as it's supposed to be. The RFC has status REJECTED.
Initial version of the RFC.