Use an APIReader so that we don't cache reads and can limit K8s RBAC #104
While validating OSD-13906, the controller runs into this error:

because `client.Client` tries to build a cache before performing any actions against the Kubernetes API. This is generally a good thing and decreases load on etcd, but since aws-vpce-operator is cluster-scoped, it tries to build a cache of secrets at the cluster scope as well. As we would like to restrict the K8s RBAC for this controller to only be able to get secrets from `openshift-aws-vpce-operator` at this time (https://github.com/openshift/aws-vpce-operator/blob/main/deploy/17_role.yaml), switching to a non-cached client, `client.Reader`, is the way to do this.

Ref:
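An added example, not code from this PR or from aws-vpce-operator: a simplified Go model of the RBAC decision that shows why a cluster-scoped cache is rejected under a namespaced Role while a direct read passes. The Role contents (only `get` on secrets in `openshift-aws-vpce-operator`) follow the description above; the type and function names are hypothetical, and this is a model, not the Kubernetes authorizer.

```go
package main

import "fmt"

// Request holds what the API server authorizes on; Namespace "" is cluster-wide.
type Request struct{ Verb, Resource, Namespace string }

// Role is a simplified namespaced RBAC Role (a model, not the real authorizer).
type Role struct {
	Namespace        string
	Verbs, Resources map[string]bool
}

// Allowed reports whether the Role authorizes req. A namespaced Role never
// satisfies a cluster-wide request, whatever verbs it grants.
func Allowed(r Role, req Request) bool {
	return req.Namespace != "" && req.Namespace == r.Namespace &&
		r.Verbs[req.Verb] && r.Resources[req.Resource]
}

// CachedRead: requests an informer-backed, cluster-scoped cache issues for
// Secrets before the first read can be served (list and watch everywhere).
func CachedRead() []Request {
	return []Request{{"list", "secrets", ""}, {"watch", "secrets", ""}}
}

// DirectRead: the single request an uncached reader issues for one Secret.
func DirectRead(ns string) []Request { return []Request{{"get", "secrets", ns}} }

// Denied returns the requests the Role rejects.
func Denied(r Role, reqs []Request) (out []Request) {
	for _, q := range reqs {
		if !Allowed(r, q) {
			out = append(out, q)
		}
	}
	return out
}

func main() {
	// Constructed Role matching the restriction described in the PR text.
	role := Role{"openshift-aws-vpce-operator",
		map[string]bool{"get": true}, map[string]bool{"secrets": true}}
	fmt.Println("cached client denied:", Denied(role, CachedRead()))
	fmt.Println("uncached reader denied:", Denied(role, DirectRead(role.Namespace)))
}
```

Granting `list` and `watch` inside the Role would not change the first result, because the cache's requests are cluster-wide and a Role only applies within its own namespace.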