enhancement: deploy operator in single namespace without ClusterRole
#5807
Conversation
zhuangzhi-cc
changed the title
ClusterRole
zhuangzhi-cc
changed the title
ClusterRoleClusterRole
pkg/alertmanager/operator.go
Outdated
| ), | ||
| &v1.Namespace{}, nsResyncPeriod, cache.Indexers{}, | ||
| ) | ||
| if !operator.IsSingleNamespace(c.config.Namespaces) { |
There was a problem hiding this comment.
I think that the test should be more elaborated and dependent on the controller: e.g. Alertmanager can skip the namespace informers if AlertmanagerAllowList and AlertmanagerConfigAllowList have a single item (and different from v1.NamespaceAll).
For Prometheus and Thanos, the checks will be different.
pkg/prometheus/server/operator.go
Outdated
| @@ -969,11 +978,15 @@ func (c *Operator) handleConfigMapUpdate(old, cur interface{}) { | |||
| } | |||
|
|
|||
| func (c *Operator) enqueueForPrometheusNamespace(nsName string) { | |||
| c.enqueueForNamespace(c.nsPromInf.GetStore(), nsName) | |||
| if !operator.IsSingleNamespace(c.config.Namespaces) { | |||
| c.enqueueForNamespace(c.nsPromInf.GetStore(), nsName) | |||
There was a problem hiding this comment.
We still need to run the reconciliation. I think that the change should rather be to enqueueForNamespace().
There was a problem hiding this comment.
Yes, it woule be more simplefy, I would change it.
pkg/prometheus/server/operator.go
Outdated
| @@ -521,7 +530,7 @@ func (c *Operator) Run(ctx context.Context) error { | |||
|
|
|||
| c.addHandlers() | |||
|
|
|||
| if c.kubeletSyncEnabled { | |||
| if c.kubeletSyncEnabled && !operator.IsSingleNamespace(c.config.Namespaces) { | |||
There was a problem hiding this comment.
why do we need this?
There was a problem hiding this comment.
level=error ts=2023-09-01T11:39:50.560491434Z caller=operator.go:626 component=prometheusoperator msg="Syncing nodes into Endpoints object failed" err="listing nodes failed: nodes is forbidden: User "system:serviceaccount:rio:prometheus-operator" cannot list resource "nodes" in API group "" at the cluster scope"
That's the error log if disable this limit.
There was a problem hiding this comment.
Thinking more about it, I wonder if it wouldn't be simpler in terms of implementation to add a special "single namespace" lister/watcher. In other words, extend NewUnprivilegedNamespaceListWatchFromClient() to avoid the "get namespace" requests when a single namespace (not equal to all namespaces) is given.
Another thing to keep in mind: when running the operator in single namespace mode, the .spec.*NamespaceSelector fields become ineffective. When these selectors aren't nil, I wonder if the operator should report it via the "Reconciled=False" status configuration or if it should ignore the namespace selectors? I'd rather lean towards the first option as it's more explicit.
Do you means create a fake ListerWatcher in func NewUnprivilegedNamespaceListWatchFromClient( ..... |
|
Yes something along those lines. It could even work when there are multiple namespaces in func NewUnprivilegedNamespaceListWatchFromClient(
ctx context.Context,
l log.Logger,
c cache.Getter,
allowedNamespaces, deniedNamespaces map[string]struct{},
fieldSelector fields.Selector,
) cache.ListerWatcher {
...
if IsAllNamespaces(allowedNamespaces) {
....
}
listFunc := func(options metav1.ListOptions) (runtime.Object, error) {
list := &v1.NamespaceList{}
for name := range allowedNamespaces {
result := &v1.Namespace{}
list.Items = append(list.Items, &v1.Namespace{
ObjectMeta: metav1.ObjectMeta{Name: name},
})
}
return list, nil
})
}
watchFunc := func(_ metav1.ListOptions) (watch.Interface, error) {
// Since the client does not have Watch privileges, do not
// actually watch anything. Use a watch.FakeWatcher here to
// implement watch.Interface but not send any events.
return watch.NewFake(), nil
}
return &cache.ListWatch{ListFunc: listFunc, WatchFunc: watchFunc}
) |
…s related logic create a fake watch list, and remove anyother change
pkg/prometheus/server/operator.go
Outdated
| @@ -521,7 +523,7 @@ func (c *Operator) Run(ctx context.Context) error { | |||
|
|
|||
| c.addHandlers() | |||
|
|
|||
| if c.kubeletSyncEnabled { | |||
| if c.kubeletSyncEnabled && !operator.IsPrometheusInSingleNamespace(c.config.Namespaces) { | |||
There was a problem hiding this comment.
still not sure why this change is required :)
There was a problem hiding this comment.
It's my misunderstand, I have remove the related check.
pkg/operator/config.go
Outdated
| _, ok := ns[v1.NamespaceAll] | ||
| return !ok && len(ns) == 1 |
There was a problem hiding this comment.
(nit)
| _, ok := ns[v1.NamespaceAll] | |
| return !ok && len(ns) == 1 | |
| _, allNamespaces := ns[v1.NamespaceAll] | |
| return !allNamespaces && len(ns) == 1 |
There was a problem hiding this comment.
this code has been removed.
|
There's an issue with the prometheus-operator/pkg/prometheus/server/rules.go Lines 174 to 182 in 6d3714e We have the same "problem" in other places: prometheus-operator/pkg/prometheus/resource_selector.go Lines 78 to 91 in 6d3714e This is similar to what I said in a previous comment
In retrospect, the controllers should rather default the namespace selectors to nil and report the situation via the |
|
@zhuangzhi-cc thanks for keeping up the PR up-to-date! I'd advise to wait for #5898 which fixes a problem that's a bit different but after it (and with the refactoring), it should be even easier to implement single-namespace watcher. |
|
@zhuangzhi-cc now that #5898 and #5934 have merged, it's possible to run the operator watching a single namespace without ClusterRoleBinding. If you create a role binding to the |
@simonpasquier I see that PR #5898 has alreay merged, is there any idea about single-namespace feature? |
@zhuangzhi-cc please check my comment right before (#5807 (comment)). |
Sorry for my browser not sync the latest message because I am not connect to VPN :), I would make some test with the latest code. thanks a lot! |
Sorry for my browser not sync the latest message because I am not connected to VPN :), I would make some test with the latest code. thanks a lot! |
|
Thanks for confirming! |
Description
We need deploy prometheus operator in single namespace without cluster role rabc. Follow simonpasquier's suggestion if the --namespaces is a single namespace, operator would running in none clusterrole mode.
eg. --namespaces=monitoring
Type of change
What type of changes does your code introduce to the Prometheus operator? Put an
xin the box that apply.CHANGE(fix or feature that would cause existing functionality to not work as expected)FEATURE(non-breaking change which adds functionality)BUGFIX(non-breaking change which fixes an issue)ENHANCEMENT(non-breaking change which improves existing functionality)NONE(if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)Changelog entry
Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.
namespacesargumentrolerbac instead ofClusterRole