-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Running in a subset of namespaces #620
Comments
It can be implemented with
in the enqeue process. If we need it, I'd like to contribute. |
It seems that The use-case / issue here is when the |
As a feature of functionality, |
@kuizhiqing totally agree that filtering is the way to go – assuming that RBAC permissions already allows for resources to be listed in all namespaces. The current use-case / problem is that the Kubernetes cluster has a really restrictive RBAC configuration. With that being the case, because the controller is unable to list certain objects in the namespace to begin with (such as In trying to solve this issue, I came across https://github.com/maistra/xns-informer, which (using codegen) creates a multi-namespace informer out of existing informers. It seems that all the informers it generates are API-compatible with On the bright side, using these generated multi-namespace informers looks like it can solve this issue, but on the darker side, bringing in this third-party library, along with all it's dependencies and codegen is [probably] non-starter! |
It would be better to contribute to |
Been doing a bit more thinking about this and I'm wondering if having a level of abstraction / indirection when creating Informers could be an acceptable approach? 😕 In other words abstract the creation of an Informer to something more pluggable. When creating an Informer (such as here, instead of calling I'll work on mocking something up to validate this idea, and [hopefully] update the issue with a prototype ... |
Currently it doesn't seem possible to run the
mpi-operator
in a subset of namespaces. It's either all namespaces or a specific (single) namespace.This limitation looks like it comes from Kubernetes itself, where [generated] Informers are either scoped to a single namespace using
<factory>.WithNamespace(...)
, or if no namespace is provider, defaults tometav1.NamespaceAll
.An example (real-world) use-case for running the
mpi-operator
in subset of namespaces is when it's deployed to a Kubernetes cluster with tightly controlled cluster-wide permissions. E.g. when obtaining cluster-wide access toSecrets
is non-starter. In such a case, it's still possible to create a namespace-localRoleBinding
, whereby access can be granted to the Service Account running thempi-operator
for namespace-local secrets. However, because thempi-operator
operates only in either all namespaces or a single namespace, using namespace-localRoleBindings
isn't expandable beyond a single namespace.The text was updated successfully, but these errors were encountered: