Experimental New secret manager that watches secrets at host level. #1182
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
|
||
| // ensure this is the same as cache.MetaNamespaceKeyFunc | ||
| func (s *byHostSecretManager) key(tenant, namespace, name string) string { | ||
| result := name |
There was a problem hiding this comment.
Minor: using fmt might be easiler for read and goland optimization
pkg/kubelet/secret/secret_manager.go
Outdated
| key := s.key(tenant, namespace, name) | ||
| klog.Infof("get secret: %s", key) | ||
| for _, store := range s.stores { | ||
| klog.Infof("debug: dump store keys: [%v]", store.ListKeys()) |
There was a problem hiding this comment.
Please remove debug for large scale test.
| return "", fmt.Errorf("object has no meta: %v", err) | ||
| } | ||
|
|
||
| metaKey := meta.GetName() |
| klog.Infof("create secret manager for host: %s", hostName) | ||
| stores := make([]cache.Store, len(kubeClients)) | ||
|
|
||
| for i, tenantPartitionClient := range kubeClients { |
There was a problem hiding this comment.
This push all secrets tied to namespaces to all node, could really be a security concern.
There was a problem hiding this comment.
Also greatly increased secret data population.
There was a problem hiding this comment.
i agree. as it is commented, the list/watch will be node based once the secret controller logic is in
pod secret controller
Issue #1170
First step to enable hostbased secrets watcher: new secret manager, to evaluate the trade off on reduced watchers and node based watch to secrets.
passed 500 node perf run.
remaining works: