Open Danil-Grigorev opened 1 week ago
Upon investigation of the system-agent functionality, the initial approach required a larger set of changes.
The number of resources required to allow access and execution of the system-agent plans in Rancher can be decreased to 2 per cluster machine.
Plan secret for the machine
Depending on the authentication model, this can be decreased further to 1 secret per machine. With usage of a TokenRequest, JWT expiration can be bound to the Plan secret lifecycle, allowing the bootstrap secret to be removed after node bootstrap completion.
Original: 25 resources for cluster with 5 machines
Current: 10 resources for cluster with 5 machines
TokenRequest based: 5 resources (plan secrets) for cluster with 5 machines.
Further improvements are possible only with changes to system-agent.
There are ways to reduce the number of resources provisioned by the agent for authentication in a Rancher cluster, by employing different authentication methods.
Investigate possible approaches.
Initial set:
spec.expirationSeconds value to allow revoking access.
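An added illustration of the TokenRequest approach described in the issue above; it is not part of the issue and is not Rancher or system-agent code. It shows a Kubernetes TokenRequest body whose JWT is bound to a machine's Plan secret and capped with spec.expirationSeconds. The namespace, ServiceAccount, secret name, UID and lifetime are placeholders.

```yaml
# Added example. Every name, the UID and the lifetime below are placeholders.
# This body is POSTed to the ServiceAccount token subresource:
#   /api/v1/namespaces/<namespace>/serviceaccounts/<service-account>/token
apiVersion: authentication.k8s.io/v1
kind: TokenRequest
spec:
  # Upper bound on the JWT lifetime, in seconds. A short value limits how long
  # a leaked token stays usable even if the bound secret is never deleted.
  expirationSeconds: 3600
  # Ties the token to one object. Once the referenced Secret is deleted, the
  # API server stops accepting the token, whatever its remaining lifetime.
  boundObjectRef:
    apiVersion: v1
    kind: Secret
    name: "<machine-plan-secret>"        # placeholder: the machine's Plan secret
    uid: "<uid-of-machine-plan-secret>"  # placeholder: pins this exact object, not a re-created one with the same name
```

Deleting the bound secret then acts as revocation for that machine's token, and the expiry bounds exposure when deletion does not happen.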