📖 Add a design for cache options configuration #2261
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alvaroaleman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
|
/lgtm |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
designs/cache_options.md
Outdated
| "": {}, | ||
| }, | ||
| }, | ||
| DefaultNamespaces: map[string]*cache.CacheSetting{ |
There was a problem hiding this comment.
| DefaultNamespaces: map[string]*cache.CacheSetting{ | |
| ByNamespace: map[string]*cache.CacheSetting{ |
Maybe? The DefaultNamespaces doesn't really give away what it's doing
There was a problem hiding this comment.
The reason I used DefaultNamespaces is to clarify that this will only be used if ByObject has no namespace settings
k8s-ci-robot
removed
the
lgtm
alvaroaleman
force-pushed
the
cache-opts
branch
3 times, most recently
from
b25ef88 to
ff08978
Compare
|
/retest |
alvaroaleman
force-pushed
the
cache-opts
branch
from
ff08978 to
c9fc2f9
Compare
alvaroaleman
force-pushed
the
cache-opts
branch
2 times, most recently
from
8f637fe to
dc57410
Compare
|
Thank you very much! /lgtm /hold |
k8s-ci-robot
added
the
lgtm
| // An empty map prevents this. | ||
| // | ||
| // This must be unset for cluster-scoped objects. | ||
| Namespaces map[string]*Config |
There was a problem hiding this comment.
How does this map to RBAC? Do I only need list, get, watch permissions in the namespaces specified in this map, or do I need those permissions for all namespaces? Does this option limit what is requested/ watched from the APIServer or does it just limit what is being cached?
There was a problem hiding this comment.
What is cached is what is being watched, so both.
There was a problem hiding this comment.
What is cached is what is being watched, so both.
At the moment the calls to the kube apiserver to LIST resources are different (this might be in client-go, not sure) depending on whether the whole cache is scoped to a namespace or whether the namespace selector is applied as a field selector.
Because of that (I think) a namespace-scoped cache allows us to also scope RBAC to that namespace whereas the selector does not.
We have a use case where we want to watch Secrets in namespace X and Configmaps in all namespaces. We create two caches for this because although we could use the existing cache options to apply namespace filter to Secrets, only namespaced cache allows us to scope RBAC down so that users only need to give our controller permissions to list Secrets in that one namespace.
For us, it would be quite useful if we were able to use this Namespaces option in such a way that the namespace filter is also reflected in the required RBAC for our controller
There was a problem hiding this comment.
Yes, it will be. Something like your use-case is what we want to support. Your config would look something like:
cache.Options{
ByObject: map[client.Object]*cache.ByObject{
&corev1.Secrets{}: *cache.ByObject{
Namespaces: map[string]*cache.Config{"the-namespace-for-secrets": nil},
}
}
The above config would watch secrets in one namespace and everything else in all namespaces. That also applies to rbac.
There was a problem hiding this comment.
Thank you- for us this would be very valuable 👍🏼
k8s-ci-robot
removed
the
lgtm
| // DefaultNamespaces maps namespace names to cache settings. If set, it | ||
| // will be used for all objects that have a nil Namespaces setting. | ||
| // | ||
| // It is possible to have a specific Config for just some namespaces | ||
| // but cache all namespaces by using the `AllNamespaces` const as the map | ||
| // key. This wil then include all namespaces that do not have a more | ||
| // specific setting. | ||
| // | ||
| // The options in the Config that are nil will be defaulted from | ||
| // the respective Default* settings. | ||
| DefaultNamespaces map[string]*Config | ||
|
|
||
| // DefaultLabelSelector is the label selector that will be used as | ||
| // the default field label selector for everything that doesn't | ||
| // have one configured. | ||
| DefaultLabelSelector labels.Selector | ||
|
|
||
| // DefaultFieldSelector is the field selector that will be used as | ||
| // the default field selector for everything that doesn't have | ||
| // one configured. | ||
| DefaultFieldSelector fields.Selector | ||
|
|
||
| // DefaultUnsafeDisableDeepCopy is the default for UnsafeDisableDeepCopy | ||
| // for everything that doesn't specify this. | ||
| DefaultUnsafeDisableDeepCopy *bool | ||
|
|
||
| // DefaultTransform will be used as transform for all object types | ||
| // unless they have a more specific transform set in ByObject. | ||
| DefaultTransform toolscache.TransformFunc |
There was a problem hiding this comment.
Would it be better or worse to drop the Default prefix? It seems redundant, given that the ByObject seems clear that it overrides these imo
There was a problem hiding this comment.
I like it because it clarifies that this is the last layer of defaulting
| type Options struct { | ||
| // ByObject specifies per-object cache settings. If unset for a given | ||
| // object, this will fall through to Default* settings. | ||
| ByObject map[client.Object]*ByObject |
There was a problem hiding this comment.
| ByObject map[client.Object]*ByObject | |
| ByObject map[client.Object]ByObject |
Maybe?
There was a problem hiding this comment.
Not a super strong opinion here, the reason I chose the pointer type is in some contexts an empty thing has a meaning (for example an empty labelSelector is a match-everything selector) so I thought by not requireding ppl to do a map[string]ByObject{"namespace":{}} we can avoid a bit of confusion
| // Config will be used for cluster-scoped objects and to default | ||
| // Config in the Namespaces field. | ||
| // | ||
| // It gets defaulted from the cache'sDefaultLabelSelector, DefaultFieldSelector, | ||
| // DefaultUnsafeDisableDeepCopy and DefaultTransform. | ||
| Config *Config |
There was a problem hiding this comment.
| // Config will be used for cluster-scoped objects and to default | |
| // Config in the Namespaces field. | |
| // | |
| // It gets defaulted from the cache'sDefaultLabelSelector, DefaultFieldSelector, | |
| // DefaultUnsafeDisableDeepCopy and DefaultTransform. | |
| Config *Config | |
| // Overrides will be used for cluster-scoped objects and to default | |
| // Config in the Namespaces field. | |
| // | |
| // It gets defaulted from the cache'sDefaultLabelSelector, DefaultFieldSelector, | |
| // DefaultUnsafeDisableDeepCopy and DefaultTransform. | |
| Overrides *Overrides |
Maybe? Could be a bit more readable, 🤔
There was a problem hiding this comment.
I think that might be confusing because with an override, ppl expect the value in there to be the final setting but:
- Its not the top-most setting for namespaced resources
- It gets defaulted itself
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
Prior art
/cc @joelanford @vincepri @sbueringer @FillZpp