nullplatform / k8s-lease-lock

MIT License

Actually in use/questions #1

Closed impatient closed 2 months ago

impatient commented 4 months ago
  1. Are you actively using this? I love the potential without needing redis or consul.
  2. Any documentation on rbac requirements for this, how about cleanup of stale entries?
    1. See some sample rbac requirements here: https://www.acritelli.com/blog/kubernetes-leases/
    2. How pekko/akka manages their leases in kubernetes: https://nightlies.apache.org/pekko/docs/pekko-management/main-snapshot/docs/kubernetes-lease.html (Custom CRD, etc/mention potential of deletes. Thoughts on doing something like this?)
  3. Does the patch protect against concurrent modifications? Like two apps trying to update a lease concurrently?
    1. Etags or equivalent handy? Is the resource version enough to trigger that?

Apologies for loads of questions. Like the idea and the implicit infrastructure. Feels like it would just work and am probably going to try it out either way, but would need tweaks for managing stale entries.

Also could see this having hundreds of leases in our use, which is probably more than the intent/will be the hardest sale to others on my team. Any thoughts there?

impatient commented 3 months ago

Worked fine. Needed these roles/bindings. Our use case was shorter lived and I was impatient, so I made a new lock with the same lock leaser id, to set expiry closer.

If you're around/would accept PRs let me know.

```yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lease-role
rules:
  # Lease objects live in the coordination.k8s.io API group
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "update", "patch", "get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: lease-binding
  namespace: {{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: service-account-for-deploy
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  # Must match the Role's metadata.name above, otherwise the binding grants nothing
  name: lease-role
  apiGroup: rbac.authorization.k8s.io
```

geisbruch commented 2 months ago

Hi @impatient, sorry for the delay. We are actively using it in production. Thanks for the collaboration. I will add the roles to the documentation. You are welcome to do a PR too.