Ability to ignore some controller by Kind #534

Open
FrancoisPoinsot opened this issue Oct 6, 2022 · 1 comment
Labels
enhancement Adding additional functionality or improvements help wanted Extra attention is needed pinned Prevents stalebot from removing

Comments

@FrancoisPoinsot

Is your feature request related to a problem? Please describe.
I am testing goldilocks.
I see it creates a VPA for each controller.
In my case I have a lot of Jobs, and I would prefer to play it safe and not create VPAs for those.

Describe the solution you'd like
An env var/argument that would allow me to ignore some controllers by kind.
Such as --ignore-controller-kind=Job,CronJob

Maybe we would want some combination of namespace+kind.

Describe alternatives you've considered
For now we can technically use RBAC to control what the Goldilocks controller can access.
By removing the permission on specific Kinds we can achieve something similar.
Goldilocks handles this error nicely.
But it does throw a lot of error logs.

@FrancoisPoinsot FrancoisPoinsot added enhancement Adding additional functionality or improvements triage This bug needs triage labels Oct 6, 2022
@sudermanjr sudermanjr added help wanted Extra attention is needed pinned Prevents stalebot from removing hacktoberfest and removed triage This bug needs triage labels Oct 6, 2022
@rverchere

Hi,

Does the ClusterRole already manage it?

When installing it using Helm, I have a ClusterRole with these rules, and jobs/cronjobs are not allowed:

rules:
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling.k8s.io
  resources:
  - verticalpodautoscalers
  verbs:
  - get
  - list
  - create
  - delete
  - update
- apiGroups:
  - argoproj.io
  resources:
  - rollouts
  verbs:
  - get
  - list
  - watch

Some logs:

goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022461       1 controller.go:229]  "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.022497       1 controller.go:147]  "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685200-klwq5"="default"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122148       1 controller.go:229]  "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "v1beta1"="cronjobs"
goldilocks-controller-6f94c5d65f-62mg8 goldilocks E0301 16:06:21.122192       1 controller.go:147]  "msg"="An error occured retrieving the top level controller for this pod" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" "my-job-1677685800-vqnr6"="default"

Your idea to add the ability to NOT watch some resources is a good one.
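An added example, not part of the thread or of the Goldilocks code base: a triage helper that groups the "forbidden" errors in a controller log and checks each one against the ClusterRole rules quoted above, so denials that come from the intended RBAC restriction can be told apart from ones the role should have allowed. The function names and the third sample log line are assumptions made for illustration; `resourceNames`, subresources and namespaced Roles are not modelled.

```python
import re
from collections import Counter

# ClusterRole rules as quoted in the comment above, transcribed as Python literals.
RULES = [
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces", "pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["autoscaling.k8s.io"], "resources": ["verticalpodautoscalers"],
     "verbs": ["get", "list", "create", "delete", "update"]},
    {"apiGroups": ["argoproj.io"], "resources": ["rollouts"], "verbs": ["get", "list", "watch"]},
]

# Constructed sample: two lines in the shape of the logs above, plus one made-up
# denial on apps/deployments that the role would normally permit.
SAMPLE_LOG = r'''
E0301 16:06:21.022461 1 controller.go:229] "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\""
E0301 16:06:21.122148 1 controller.go:229] "msg"="Error retrieving parent object" "error"="cronjobs.batch is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"cronjobs\" in API group \"batch\" in the namespace \"default\""
E0301 16:06:22.000000 1 controller.go:229] "msg"="Error retrieving parent object" "error"="deployments.apps is forbidden: User \"system:serviceaccount:vpa:goldilocks-controller\" cannot list resource \"deployments\" in API group \"apps\" in the namespace \"default\""
'''

# The API server's denial message; quotes may or may not be backslash-escaped in the log.
DENIAL = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource \\?"(?P<resource>[^"\\]+)\\?"'
    r' in API group \\?"(?P<group>[^"\\]*)\\?"'
)

def allowed(rules, group, resource, verb):
    """RBAC is additive: a request is allowed if any single rule matches all three fields."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return any(hit(r["apiGroups"], group) and hit(r["resources"], resource)
               and hit(r["verbs"], verb) for r in rules)

def summarize_denials(log_text, rules):
    """Count denials per (user, verb, group, resource); 'expected' means the role grants no such access."""
    counts = Counter()
    for m in DENIAL.finditer(log_text):
        counts[(m["user"], m["verb"], m["group"], m["resource"])] += 1
    return {key: {"count": n, "expected": not allowed(rules, key[2], key[3], key[1])}
            for key, n in counts.items()}

if __name__ == "__main__":
    for (user, verb, group, resource), info in summarize_denials(SAMPLE_LOG, RULES).items():
        tag = "expected (not granted by role)" if info["expected"] else "UNEXPECTED (role grants this)"
        print(f"{info['count']:>3}x {user} {verb} {group or 'core'}/{resource}: {tag}")
```

A denial marked unexpected points at a missing or different role binding rather than at the deliberate restriction on Jobs and CronJobs.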
