Use cluster-scoped cache only when required #3868
Conversation
charith-elastic
added
>bug
|
Jenkins test this please |
|
I might be missing something, but why we would query for ES/Ent in the cluster scope if they are namespaced resources? I thought we do know that we don't do that. |
|
Last time I checked, the controller-runtime caches used client-side filtering. So, they would create unfiltered informers for all the kinds they are interested in and fetch all the objects from the server. This is why the operator used to get OOM killed in very large clusters with lots of deployed resources (which we plastered over by increasing the memory limit). The issue is still open: kubernetes-sigs/controller-runtime#244 In this case, the presence of the empty string in the list of namespaces would result in the cache trying to eagerly fetch all the cluster-scoped resources it is interested in. |
Oh, that's surprising (for me)! LGTM then. |
When the operator is installed with the restricted profile, the controller-runtime cache starts logging errors because the operator does not have permission to access resources outside the namespaces it manages.
This is due to a change introduced in #3810 to allow watching cluster resources by default. It should be made conditional instead.