
gha: Allow the controller to watch Secrets / ConfigMaps in the single namespace mode #5

Merged: 1 commit from tfujiwar-enable-cache into mercari-master, Nov 22, 2024

Conversation

tfujiwar
Collaborator

@tfujiwar tfujiwar commented Nov 22, 2024

WHAT

  • Allow the controller to watch Secrets / ConfigMaps in the single namespace mode.
  • Enable the k8s API client cache for Secrets / ConfigMaps in the single namespace mode.

WHY

The EphemeralRunnerReconciler retrieves a JITConfig Secret for every reconciliation once the Secret is created for a reconciling runner. It can be a performance bottleneck because the cache of the k8s API client is disabled for Secrets, and the client has a rate limiter with QPS=20.

The cache is disabled for Secrets because it requires cluster-wide list/watch permissions in the default mode. But in the single namespace mode, we can narrow down the permissions only to the single namespace and the controller namespace, which would be acceptable.

This change is aligned with ADR 2023-04-11: Limit Permissions for Service Accounts in Actions-Runner-Controller.

In this mode, you will end up with a manager Role that has all Get/List/Create/Delete/Update/Patch/Watch permissions on the resources we need, and a RoleBinding to bind the Role with the controller ServiceAccount in the watched single namespace and the controller namespace.
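The RBAC shape described above, as an added illustration that is not part of this PR or of the actions-runner-controller chart: the namespace names `runners` (the watched single namespace) and `arc-system` (the controller namespace), the Role/RoleBinding names and the ServiceAccount name `gha-rs-controller` are placeholders. The point it makes is the one the description relies on: an informer cache needs list/watch on the cached resource, so a cache for Secrets is acceptable only when that list/watch is granted by namespaced Roles in exactly the namespaces the cache is scoped to, not by a ClusterRole.

```yaml
# Added example, not the project's own manifests. Namespace, Role, RoleBinding
# and ServiceAccount names below are placeholders.
#
# A controller-runtime informer cache requires list/watch on the cached kind.
# Caching Secrets cluster-wide would therefore need a ClusterRole like this,
# which is exactly what the default mode avoids by leaving the cache disabled:
#
#   kind: ClusterRole          # not wanted: read access to every Secret in the cluster
#   rules:
#   - apiGroups: [""]
#     resources: ["secrets", "configmaps"]
#     verbs: ["list", "watch"]
#
# In single-namespace mode the same verbs are granted only through namespaced
# Roles in the watched namespace and the controller namespace, so scoping the
# cache to those two namespaces does not widen the blast radius.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gha-rs-manager-single-namespace   # placeholder
  namespace: runners                      # the watched single namespace
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Other resources the controller manages would be listed here with the
  # same verbs; omitted to keep the example focused on the cached kinds.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gha-rs-manager-single-namespace   # placeholder
  namespace: runners
subjects:
  - kind: ServiceAccount
    name: gha-rs-controller               # placeholder controller ServiceAccount
    namespace: arc-system                 # the controller namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gha-rs-manager-single-namespace
---
# The controller namespace gets the same Role and binding, because the cache
# is also scoped to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gha-rs-manager-single-namespace   # placeholder
  namespace: arc-system
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gha-rs-manager-single-namespace   # placeholder
  namespace: arc-system
subjects:
  - kind: ServiceAccount
    name: gha-rs-controller
    namespace: arc-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gha-rs-manager-single-namespace
```

A quick least-privilege check after applying manifests like these: `kubectl auth can-i list secrets --as=system:serviceaccount:arc-system:gha-rs-controller -n runners` should answer `yes`, while the same query against any other namespace should answer `no`; if the second answers `yes`, a cluster-wide grant is still in place and the cache is no longer limited to the two namespaces the mode intends.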

@tfujiwar tfujiwar force-pushed the tfujiwar-enable-cache branch from f5d9ae8 to c119b90 Compare November 22, 2024 02:05
@tfujiwar tfujiwar marked this pull request as ready for review November 22, 2024 03:13
@tfujiwar tfujiwar self-assigned this Nov 22, 2024
@tfujiwar tfujiwar merged commit d1f3427 into mercari-master Nov 22, 2024
9 checks passed
@tfujiwar tfujiwar deleted the tfujiwar-enable-cache branch November 22, 2024 04:36
@tfujiwar tfujiwar restored the tfujiwar-enable-cache branch November 27, 2024 02:38