to isolate controller effects to one or more namespaces
- pro: decouples the number of controllers from the number of namespaces managed by these controllers
- pro: avoids duplicating namespace configuration in RBAC and controller configs
- pro: works with controllers that cannot be modified or do not support namespacing out of the box
- con: ideally would be implemented in the Kubernetes API server
- con: proxying overhead?
- con: controller configuration has to be modified to redirect API requests (via env variable)
```
+-------------------------+             +-------+             +----------------------------+
| controller (downstream) | --- TLS --> | proxy | --- TLS --> | kube api-server (upstream) |
+-------------------------+             +-------+             +----------------------------+
```
- both controller and proxy would typically run inside the cluster
- TLS certs are issued through Kubernetes CA
- modify controller source code to support multiple namespaces
- coreos/prometheus-operator seems to achieve that with their own library: pkg/listwatch -> example usage
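
How a proxy in the position shown in the diagram could confine a controller to a set of namespaces, as an added example that is not this project's code. The function name `UpstreamPaths`, the fan-out of a cluster-wide list into one request per allowed namespace, and the namespace names `team-a`/`team-b` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrDenied marks a request the proxy refuses to forward upstream.
var ErrDenied = errors.New("outside allowed namespaces")

// UpstreamPaths (hypothetical) maps a downstream path to the path(s) sent upstream; query strings are the caller's job.
func UpstreamPaths(path string, allowed []string) ([]string, error) {
	deny := fmt.Errorf("%w: %q", ErrDenied, path)
	parts := strings.Split(strings.Trim(path, "/"), "/")
	for _, p := range parts { // refuse segments the upstream might normalize
		if p == "" || p == "." || p == ".." {
			return nil, deny
		}
	}
	n := 3 // /apis/<group>/<version>
	if parts[0] == "api" {
		n = 2 // /api/<version>
	} else if parts[0] != "apis" {
		return nil, deny
	}
	if len(parts) <= n {
		return []string{path}, nil // discovery document, no namespace involved
	}
	rest := parts[n:]
	if rest[0] == "namespaces" {
		for _, ns := range allowed {
			if len(rest) > 2 && rest[1] == ns {
				return []string{path}, nil // already scoped to an allowed namespace
			}
		}
		return nil, deny // Namespace objects themselves, or a foreign namespace
	}
	if len(rest) != 1 {
		return nil, deny // named cluster-scoped object, e.g. nodes/<name>
	}
	var out []string // cluster-wide collection: one request per allowed namespace
	for _, ns := range allowed {
		out = append(out, "/"+strings.Join(parts[:n], "/")+"/namespaces/"+ns+"/"+rest[0])
	}
	return out, nil
}

func main() { fmt.Println(UpstreamPaths("/apis/build.knative.dev/v1alpha1/builds", []string{"team-a", "team-b"})) }
```

The path alone cannot tell a cluster-scoped collection such as `nodes` from a namespaced one, so a fanned-out request for it is simply rejected by the API server as not found.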
To install see ./hack/deploy.sh.
- Talk abstract
- Development
- list: implement limit & continue token support
- list: implement list's revisionVersion support
- deletecollection
Do let us know if you run into them.
```
build-controller-ff68c9946-ftgnr > build-controller | W0115 01:22:22.955946 1 reflector.go:341] github.com/knative/build/pkg/client/informers/externalversions/factory.go:114: watch of *v1alpha1.Build ended with: very short watch: github.com/knative/build/pkg/client/informers/externalversions/factory.go:114: Unexpected watch close - watch lasted less than a second and no items received
build-controller-ff68c9946-ftgnr > build-controller | W0115 01:22:50.191934 1 reflector.go:341] github.com/knative/build/vendor/github.com/knative/caching/pkg/client/informers/externalversions/factory.go:117: watch of *v1alpha1.Image ended with: very short watch: github.com/knative/build/vendor/github.com/knative/caching/pkg/client/informers/externalversions/factory.go:117: Unexpected watch close - watch lasted less than a second and no items received
```