feat: fix manager memory usage (eraser-dev#965)

Signed-off-by: ashnamehrotra <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Sertac Ozercan <[email protected]> Signed-off-by: Fabian Gonzalez <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sertaç Özercan <[email protected]> Co-authored-by: Fabian Gonzalez <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Xander Grzywinski <[email protected]>
ashnamehrotra · Feb 1, 2024 · 1e4401b · 1e4401b
1 parent e6c15ca
commit 1e4401b
Show file tree

Hide file tree

Showing 16 changed files with 147 additions and 189 deletions.
diff --git a/...c/imagejob_pods_cluster_role_binding.yaml → config/rbac/cluster_role_binding.yaml b/...c/imagejob_pods_cluster_role_binding.yaml → config/rbac/cluster_role_binding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: imagejob-pods-cluster-rolebinding
+  name: manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: imagejob-pods-cluster-role
+  name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: imagejob-pods
+  name: controller-manager
   namespace: system
diff --git a/config/rbac/eraserconfig_editor_role.yaml b/config/rbac/eraserconfig_editor_role.yaml
diff --git a/config/rbac/eraserconfig_viewer_role.yaml b/config/rbac/eraserconfig_viewer_role.yaml
diff --git a/config/rbac/imagejob_pods_cluster_role.yaml b/config/rbac/imagejob_pods_cluster_role.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -7,9 +7,8 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
-- imagejob_pods_cluster_role.yaml
 - imagejob_pods_service.yaml
-- imagejob_pods_cluster_role_binding.yaml
+- cluster_role_binding.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,18 +4,6 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -25,52 +13,50 @@ rules:
   - list
   - watch
 - apiGroups:
-  - ""
+  - eraser.sh
   resources:
-  - pods
+  - imagejobs
   verbs:
   - create
   - delete
   - get
   - list
-  - update
   - watch
 - apiGroups:
-  - ""
+  - eraser.sh
   resources:
-  - podtemplates
+  - imagejobs/status
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
   - eraser.sh
   resources:
-  - imagejobs
+  - imagelists
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - eraser.sh
   resources:
-  - imagejobs/status
+  - imagelists/status
   verbs:
   - get
   - patch
   - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-role
+  namespace: system
+rules:
 - apiGroups:
-  - eraser.sh
+  - ""
   resources:
-  - imagelists
+  - configmaps
   verbs:
   - create
   - delete
@@ -80,10 +66,25 @@ rules:
   - update
   - watch
 - apiGroups:
-  - eraser.sh
+  - ""
   resources:
-  - imagelists/status
+  - pods
   verbs:
+  - create
+  - delete
   - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - podtemplates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
   - patch
   - update
+  - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -1,10 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: manager-rolebinding
+  namespace: system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: manager-role
 subjects:
 - kind: ServiceAccount

diff --git a/controllers/imagecollector/imagecollector_controller.go b/controllers/imagecollector/imagecollector_controller.go
@@ -198,7 +198,11 @@ func add(mgr manager.Manager, r *Reconciler) error {
 	return nil
 }
 
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",namespace="system",resources=pods,verbs=get;list;watch;update;create;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/controllers/imagejob/imagejob_controller.go b/controllers/imagejob/imagejob_controller.go
@@ -188,10 +188,10 @@ func checkNodeFitness(pod *corev1.Pod, node *corev1.Node) bool {
 	return true
 }
 
-//+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs,verbs=get;list;watch;create;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/controllers/imagelist/imagelist_controller.go b/controllers/imagelist/imagelist_controller.go
@@ -121,11 +121,11 @@ type Reconciler struct {
 	eraserConfig *config.Manager
 }
 
-//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagelists/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
-//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;update;create;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=pods,verbs=get;list;watch;update;create;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/main.go b/main.go
@@ -32,11 +32,14 @@ import (
 	"k8s.io/utils/inotify"
 	"sigs.k8s.io/yaml"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 
 	"github.com/eraser-dev/eraser/api/unversioned"
@@ -50,6 +53,7 @@ import (
 	v1alpha3Config "github.com/eraser-dev/eraser/api/v1alpha3/config"
 	"github.com/eraser-dev/eraser/controllers"
 	"github.com/eraser-dev/eraser/pkg/logger"
+	"github.com/eraser-dev/eraser/pkg/utils"
 	"github.com/eraser-dev/eraser/version"
 	//+kubebuilder:scaffold:imports
 )
@@ -104,6 +108,26 @@ func main() {
 		Port:                   9443,
 		HealthProbeBindAddress: ":8081",
 		LeaderElection:         false,
+		NewCache: cache.BuilderWithOptions(cache.Options{
+			SelectorsByObject: cache.SelectorsByObject{
+				// to watch eraser pods
+				&corev1.Pod{}: {
+					Field: fields.OneTermEqualSelector("metadata.namespace", utils.GetNamespace()),
+				},
+				// to watch eraser podTemplates
+				&corev1.PodTemplate{}: {
+					Field: fields.OneTermEqualSelector("metadata.namespace", utils.GetNamespace()),
+				},
+				// to watch eraser-manager-configs
+				&corev1.ConfigMap{}: {
+					Field: fields.OneTermEqualSelector("metadata.namespace", utils.GetNamespace()),
+				},
+				// to watch ImageJobs
+				&eraserv1.ImageJob{}: {},
+				// to watch ImageLists
+				&eraserv1.ImageList{}: {},
+			},
+		}),
 	}
 
 	if configFile == "" {

diff --git a/manifest_staging/charts/eraser/templates/eraser-imagejob-pods-cluster-role-clusterrole.yaml b/manifest_staging/charts/eraser/templates/eraser-imagejob-pods-cluster-role-clusterrole.yaml
diff --git a/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml b/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml
@@ -8,18 +8,6 @@ metadata:
     helm.sh/chart: '{{ template "eraser.name" . }}'
   name: eraser-manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -28,29 +16,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - podtemplates
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - eraser.sh
   resources:
@@ -60,8 +25,6 @@ rules:
   - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - eraser.sh
@@ -76,12 +39,8 @@ rules:
   resources:
   - imagelists
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - eraser.sh