Running in a subset of namespaces #620
Comments
|
It can be implemented with in the enqeue process. If we need it, I'd like to contribute. |
|
It seems that The use-case / issue here is when the |
|
As a feature of functionality, |
|
@kuizhiqing totally agree that filtering is the way to go – assuming that RBAC permissions already allows for resources to be listed in all namespaces. The current use-case / problem is that the Kubernetes cluster has a really restrictive RBAC configuration. With that being the case, because the controller is unable to list certain objects in the namespace to begin with (such as In trying to solve this issue, I came across https://github.com/maistra/xns-informer, which (using codegen) creates a multi-namespace informer out of existing informers. It seems that all the informers it generates are API-compatible with On the bright side, using these generated multi-namespace informers looks like it can solve this issue, but on the darker side, bringing in this third-party library, along with all it's dependencies and codegen is [probably] non-starter! |
|
It would be better to contribute to |
|
Been doing a bit more thinking about this and I'm wondering if having a level of abstraction / indirection when creating Informers could be an acceptable approach? 😕 In other words abstract the creation of an Informer to something more pluggable. When creating an Informer (such as here, instead of calling I'll work on mocking something up to validate this idea, and [hopefully] update the issue with a prototype ... |
Currently it doesn't seem possible to run the
mpi-operatorin a subset of namespaces. It's either all namespaces or a specific (single) namespace.This limitation looks like it comes from Kubernetes itself, where [generated] Informers are either scoped to a single namespace using
<factory>.WithNamespace(...), or if no namespace is provider, defaults tometav1.NamespaceAll.An example (real-world) use-case for running the
mpi-operatorin subset of namespaces is when it's deployed to a Kubernetes cluster with tightly controlled cluster-wide permissions. E.g. when obtaining cluster-wide access toSecretsis non-starter. In such a case, it's still possible to create a namespace-localRoleBinding, whereby access can be granted to the Service Account running thempi-operatorfor namespace-local secrets. However, because thempi-operatoroperates only in either all namespaces or a single namespace, using namespace-localRoleBindingsisn't expandable beyond a single namespace.The text was updated successfully, but these errors were encountered: