Conversation

@gagan16k gagan16k commented Sep 3, 2025

Why this PR is needed:
The changes made in the PR will be relevant when changes to use Role/RoleBinding to provide RBAC permissions to the CA pod instead of ClusterRole/ClusterRoleBinding are added.
Using NewSharedInformerFactory in the mcm cloud provider results in an error of not being able to list resources at the cluster scope when ClusterRole permissions are removed.

```
E0903 20:30:07.362326       1 reflector.go:200] "Failed to watch" err="failed to list *v1.Deployment: deployments.apps is forbidden: User \"system:serviceaccount:shoot--local--local:cluster-autoscaler\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285" type="*v1.Deployment"
I0903 20:30:10.349752       1 static_autoscaler.go:275] Starting main loop
I0903 20:30:10.349880       1 taints.go:443] Overriding status of node machine-shoot--local--local-local-68499-h4f99, which seems to have startup taint "node.gardener.cloud/critical-components-not-ready"
I0903 20:30:10.349921       1 static_autoscaler.go:1174] Found 18 pods in the cluster: 7 scheduled, 11 unschedulable, 0 unprocessed by scheduler, 0 ignored (most likely using custom scheduler)
E0903 20:30:10.349973       1 static_autoscaler.go:326] Failed to refresh cloud provider config: failed to get machine-controller-manager deployment: deployment.apps "machine-controller-manager" not found
```

What this PR does:
This function has been replaced by NewSharedInformerFactoryWithOptions, which accepts namespace as an argument.

As a result, only deployments within the specified namespace (those for which the CA service account has the necessary permissions) are fetched, rather than cluster-wide deployments that the service account is not authorized to access.

Additionally, as the similar function NewFilteredSharedInformerFactory has been deprecated, it is also replaced with NewSharedInformerFactoryWithOptions (for machineinformers).

Release note:

Use namespace scoped `NewSharedInformerFactoryWithOptions` function instead of `NewSharedInformerFactory` to restrict Deployment Lister
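The following is an added example, not code from the PR or from the cluster-autoscaler project. It is a simplified, hypothetical model of the Kubernetes RBAC authorizer's scoping rule, written to show why the cluster-scope list issued by `NewSharedInformerFactory` is denied once the cluster-autoscaler service account holds only a RoleBinding, while the namespaced list issued by a namespace-scoped informer factory succeeds. The service account and namespace strings are taken from the log line above; the `Request`, `Rule`, `Binding` and `Authorize` names are this example's own and do not correspond to any client-go or apiserver API.

```go
package main

import "fmt"

// Request holds the attributes the API server authorizes: verb, API group,
// resource and the namespace of the request. An empty Namespace means the
// request is at cluster scope (e.g. "list deployments across all namespaces"),
// which is exactly what a non-namespaced informer issues.
type Request struct {
	Verb      string
	Group     string
	Resource  string
	Namespace string
}

// Rule is one policy rule, as found in a Role or ClusterRole.
type Rule struct {
	Verbs     []string
	Groups    []string
	Resources []string
}

// Binding grants Rules to a subject. ClusterScoped is true for a
// ClusterRoleBinding; a RoleBinding is confined to Namespace.
type Binding struct {
	Subject       string
	Rules         []Rule
	ClusterScoped bool
	Namespace     string
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x || v == "*" {
			return true
		}
	}
	return false
}

func (r Rule) matches(req Request) bool {
	return contains(r.Verbs, req.Verb) && contains(r.Groups, req.Group) && contains(r.Resources, req.Resource)
}

// Authorize mirrors the RBAC authorizer's scoping: a ClusterRoleBinding applies
// to any request; a RoleBinding applies only to requests inside its own
// namespace, so it can never satisfy a cluster-scoped (Namespace == "") request.
func Authorize(bindings []Binding, subject string, req Request) bool {
	for _, b := range bindings {
		if b.Subject != subject {
			continue
		}
		if !b.ClusterScoped && (req.Namespace == "" || req.Namespace != b.Namespace) {
			continue
		}
		for _, rule := range b.Rules {
			if rule.matches(req) {
				return true
			}
		}
	}
	return false
}

// Values taken from the "Failed to watch" log line in the PR description.
const (
	caServiceAccount = "system:serviceaccount:shoot--local--local:cluster-autoscaler"
	shootNamespace   = "shoot--local--local"
)

// RoleBindingOnlyPolicy is the constructed least-privilege policy after the
// ClusterRole is removed: one RoleBinding in the shoot namespace that allows
// get/list/watch on deployments.apps.
func RoleBindingOnlyPolicy() []Binding {
	return []Binding{{
		Subject:   caServiceAccount,
		Namespace: shootNamespace,
		Rules: []Rule{{
			Verbs:     []string{"get", "list", "watch"},
			Groups:    []string{"apps"},
			Resources: []string{"deployments"},
		}},
	}}
}

// ClusterScopedList is the request a non-namespaced informer factory issues.
func ClusterScopedList() Request {
	return Request{Verb: "list", Group: "apps", Resource: "deployments"}
}

// NamespacedList is the request a namespace-scoped informer factory issues.
func NamespacedList(ns string) Request {
	return Request{Verb: "list", Group: "apps", Resource: "deployments", Namespace: ns}
}

func main() {
	policy := RoleBindingOnlyPolicy()
	fmt.Println("cluster-scope list allowed:", Authorize(policy, caServiceAccount, ClusterScopedList()))
	fmt.Println("namespaced list allowed:   ", Authorize(policy, caServiceAccount, NamespacedList(shootNamespace)))
}
```

In the real code the namespaced request comes from constructing the factory with `informers.NewSharedInformerFactoryWithOptions(client, resync, informers.WithNamespace(ns))` from k8s.io/client-go, so that the underlying reflector lists and watches `deployments.apps` only in `ns`; the model above only explains why the authorizer accepts that request and rejects the cluster-wide one.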

@gagan16k gagan16k requested review from a team and unmarshall as code owners September 3, 2025 20:47
@gardener-robot gardener-robot added needs/review Needs review size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 3, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Sep 3, 2025
@takoverflow takoverflow left a comment

LGTM, thanks for the changes!

Just one nit: can you re-word the release note so it does not say something vague like "fix permissions related error" and is instead a bit more specific?

Just a suggestion; please use something else if you can think of something better:

Use namespace scoped `NewSharedInformerFactoryWithOptions` function instead of `NewSharedInformerFactory` to restrict Deployment Lister

@aaronfern aaronfern merged commit cb3a913 into gardener:machine-controller-manager-provider Sep 19, 2025
17 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Sep 19, 2025
@gagan16k gagan16k deleted the rbac_changes branch September 19, 2025 08:07