-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Argo Server with SSO enabled should not require List on all Secrets #8534
Comments
ResourceCache was introduced in #6990 @basanthjenuhb -- I think this could be considered a regression because |
Also, having a cluster-wide informer on Secrets (and/or ConfigMaps) is never really a good idea. It will balloon the memory requirements of the server unnecessarily because these two objects tend to contain a lot of data. We learned this the hard way with Argo Rollout controller. At the very least, this can be restricted to label filters. But as I mentioned in the description, I think list/watch on Secrets is an unnecessary requirement that should be removed. |
we had discusses I am open to removing the list and just do |
Yes please. If we can remove the list secrets, that’d be great. You could use an lru cache to hold them. |
Using a cache would again lead us to unnecessary cache invalidation issues . |
@alexec @jessesuen Please review. #8555 |
Signed-off-by: bjenuhb <[email protected]>
…8555) Signed-off-by: bjenuhb <[email protected]>
…8555) Signed-off-by: bjenuhb <[email protected]>
…8555) Signed-off-by: bjenuhb <[email protected]>
…8555) Signed-off-by: bjenuhb <[email protected]>
…8555) Signed-off-by: bjenuhb <[email protected]>
Summary
When Argo Server starts up with SSO, it will call
cache.NewResourceCache()
:But NewResourceCache wants the ability to list all service accounts and all secrets of the entire cluster.
There are two problems with this:
--namespaced
modeInstead of listing all secrets, I think we could look up the secret of the ServiceAccount on-demand, to find the bearer token. This will allow administrators to only give the controller limited permissions to Secrets. If the use of a Lister was because of performance, we could cache this in-memory rather than rely on a lister.
Use Cases
When would you use this?
In a secure, multi-tenant environment.
Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
The text was updated successfully, but these errors were encountered: