concurrent namespace reconciliation to ensure openshift rbac requisites #2468
Conversation
Hi @anithapriyanatarajan. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
withError = true | ||
logger.Errorf("failed to ensure default SA in namespace %s, %v", ns.Name, err) | ||
} | ||
go func(ns corev1.Namespace) { |
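Review bot: once the per-namespace body runs inside go func(ns corev1.Namespace), the withError = true write and the logger.Errorf call before it execute on several goroutines at once; a plain bool assigned from multiple goroutines is a data race (go test -race will flag it) and one worker's failure can be lost, so guard the flag with the mutex or collect errors through a channel and fold them after all workers finish.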
Can you separate the worker logic for a single namespace into a function, for readability and testing?
Created a separate function processNamespace that includes the namespace-scoped reconciliation steps.
@@ -393,76 +394,116 @@ func (r *rbac) createResources(ctx context.Context) error { | |||
return err | |||
} | |||
|
|||
// Semaphore to limit concurrency (max 100 goroutines at a time) | |||
sem := make(chan struct{}, 100) |
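Review bot: the capacity at sem := make(chan struct{}, 100) is a magic number; lift it to a named constant or a config field and document the choice. Each slot maps to in-flight requests against the apiserver, and client-go's default rate limiter (QPS 5, burst 10 unless the rest.Config overrides them) throttles far below 100 concurrent calls, so the knob has to be tuned together with the client's QPS and Burst settings or the extra goroutines just queue on the limiter.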
We will need a configurable value here, with a default of 50, for example.
} | ||
|
||
// Locking section to ensure clusterRoleBinding is updated by one goroutine at a time | ||
mu.Lock() |
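Review bot: mu.Lock() at the end of this hunk has no matching Unlock in the visible lines; if the guarded section returns early on error the mutex stays held and every other worker blocks on it for good, so follow the Lock() with defer mu.Unlock() inside a small helper that scopes the critical section, or keep the lock only around the ClusterRoleBinding read-modify-write.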
Please keep the mutex for the clusterinterceptorbinding operation only.
Removed the mutex, since the code is refactored to update the clusterrolebinding at the end for all namespaces.
updatedNS.SetLabels(nsLabels) | ||
|
||
// Update the namespace with set labels | ||
if _, err = r.kubeClientSet.CoreV1().Namespaces().Update(ctx, updatedNS, metav1.UpdateOptions{}); err != nil { |
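Review bot: the full-object Namespaces().Update at this line carries the resourceVersion read earlier and fails with a 409 Conflict whenever another controller touched the namespace in between, and with many workers in flight that window widens; a Patch whose JSON merge patch body is limited to metadata.labels (the keys set via updatedNS.SetLabels(nsLabels)) avoids the conflict and the retry loop the Update would otherwise need.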
Just update the Ns; no need for unreconciledNamespaces, especially as we are using the same mutex for different operations, so better to avoid this.
Removed all references to unreconciledNamespaces and used Patch instead of Update.
836f97a to 397b47a
Naive question (on this and in some other places in general): shouldn't we use PATCH more often? It would reduce the possibility of getting "this object was already updated" type failures.
|
||
// Locking section to ensure clusterRoleBinding is updated by one goroutine at a time | ||
mu.Lock() | ||
if err := r.ensureClusterRoleBindings(ctx, sa); err != nil { |
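Review bot: holding mu across r.ensureClusterRoleBindings(ctx, sa) serializes every worker on this step, so the concurrency gained elsewhere is lost here while each namespace still pays a ClusterRoleBinding get plus update, and the early return on err must still release the lock; append each sa subject to a mutex-guarded slice instead and issue one ClusterRoleBinding update after all workers finish.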
Won't this generate a lot of API calls (possibly one get and one update or create per namespace) where we could gather the namespaces and update the ClusterRoleBinding at the end (no matter if some namespaces failed; we would only use the ones that didn't fail)?
Revised the code to address the comment by collecting all subjects and making a single call to update the ClusterRoleBinding, rather than performing a read/update for each subject on per namespace basis.
TOBE.pdf
AS_IS_Flow.pdf
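A worked example of the design the thread converges on: a bounded worker pool, a separate processNamespace worker, errors collected under one mutex, a single ClusterRoleBinding update built from the subjects of the namespaces that succeeded, and a JSON merge patch in place of a full-object Update (the point raised in the "shouldn't we use PATCH more often?" comment). This is added example code, not code from the PR or from the tektoncd/operator repository. The Namespace, Subject and Client types and the fakeClient are hypothetical stand-ins for corev1.Namespace, rbacv1.Subject and the kube clientset, so the example runs with no cluster and no client-go; the sample namespaces and the "reconciled" label are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

type Namespace struct{ Name string }                // hypothetical stand-in for corev1.Namespace
type Subject struct{ Kind, Name, Namespace string } // hypothetical stand-in for rbacv1.Subject

// Client abstracts the API calls the worker needs (hypothetical interface; no client-go, no cluster).
type Client interface {
	PatchNamespaceLabels(name string, mergePatch []byte) error
	EnsureServiceAccount(namespace string) (Subject, error)
	UpdateClusterRoleBinding(subjects []Subject) error
}

// labelsMergePatch builds a JSON merge patch touching only metadata.labels, so the write
// cannot hit a resourceVersion conflict the way a full-object Update can.
func labelsMergePatch(labels map[string]string) []byte {
	b, _ := json.Marshal(map[string]interface{}{"metadata": map[string]interface{}{"labels": labels}}) // cannot fail for a string map
	return b
}

// processNamespace is the per-namespace worker: label the namespace, ensure its SA, return the subject.
func processNamespace(c Client, ns Namespace) (Subject, error) {
	if err := c.PatchNamespaceLabels(ns.Name, labelsMergePatch(map[string]string{"reconciled": "true"})); err != nil {
		return Subject{}, fmt.Errorf("patch labels on %s: %w", ns.Name, err)
	}
	sa, err := c.EnsureServiceAccount(ns.Name)
	if err != nil {
		return Subject{}, fmt.Errorf("ensure default SA in %s: %w", ns.Name, err)
	}
	return sa, nil
}

// reconcileNamespaces runs processNamespace with at most maxWorkers goroutines in flight, collects
// results under one mutex, then makes a single ClusterRoleBinding update from the namespaces that succeeded.
func reconcileNamespaces(c Client, nss []Namespace, maxWorkers int) ([]Subject, []error) {
	sem := make(chan struct{}, maxWorkers)
	var wg sync.WaitGroup
	var mu sync.Mutex // guards subjects and errs only; the API calls run unlocked
	var subjects []Subject
	var errs []error
	for _, ns := range nss {
		wg.Add(1)
		sem <- struct{}{} // blocks while maxWorkers goroutines are busy
		go func(ns Namespace) {
			defer func() { <-sem; wg.Done() }()
			subj, err := processNamespace(c, ns)
			mu.Lock() // a shared flag or slice written here without mu would be a data race
			defer mu.Unlock()
			if err != nil {
				errs = append(errs, err)
				return
			}
			subjects = append(subjects, subj)
		}(ns)
	}
	wg.Wait()
	if len(subjects) > 0 { // never overwrite the binding with an empty subject list
		if err := c.UpdateClusterRoleBinding(subjects); err != nil {
			errs = append(errs, fmt.Errorf("update ClusterRoleBinding: %w", err))
		}
	}
	return subjects, errs
}

// fakeClient counts calls and records the peak number of concurrent SA calls.
type fakeClient struct {
	failSA                  map[string]bool // constructed input: namespaces whose SA cannot be created
	patches, inFlight, peak int32
	bindings                [][]Subject
}

func (f *fakeClient) PatchNamespaceLabels(string, []byte) error { atomic.AddInt32(&f.patches, 1); return nil }

func (f *fakeClient) EnsureServiceAccount(ns string) (Subject, error) {
	n := atomic.AddInt32(&f.inFlight, 1)
	defer atomic.AddInt32(&f.inFlight, -1)
	for p := atomic.LoadInt32(&f.peak); n > p && !atomic.CompareAndSwapInt32(&f.peak, p, n); p = atomic.LoadInt32(&f.peak) {
	}
	time.Sleep(2 * time.Millisecond) // simulated API latency so the workers overlap
	if f.failSA[ns] {
		return Subject{}, fmt.Errorf("forbidden")
	}
	return Subject{Kind: "ServiceAccount", Name: "pipeline", Namespace: ns}, nil
}

// Called once, from the caller's goroutine after wg.Wait, so no locking is needed here.
func (f *fakeClient) UpdateClusterRoleBinding(s []Subject) error { f.bindings = append(f.bindings, s); return nil }

func main() {
	c := &fakeClient{failSA: map[string]bool{"team-c": true}} // constructed sample: one namespace fails
	nss := []Namespace{{"team-a"}, {"team-b"}, {"team-c"}, {"team-d"}, {"team-e"}, {"team-f"}}
	subjects, errs := reconcileNamespaces(c, nss, 2)
	fmt.Println(len(subjects), "subjects,", len(errs), "errors, peak workers", c.peak, "binding updates", len(c.bindings))
}
```

Run it with go run; the fake's peak field shows the semaphore bound holding, and the binding is written exactly once, with only the subjects of namespaces that succeeded. The empty-result guard is the part that matters for RBAC: without it, a run in which every namespace failed would strip all subjects from the ClusterRoleBinding.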
397b47a to 1007e40
The following is the coverage report on the affected files.
Changes
During an upgrade of Pipelines in an OpenShift cluster there is additional RBAC-related reconciliation to be done across all namespaces in the cluster. Right now the namespace reconciliation happens one at a time in a for loop. This results in a longer upgrade time. This PR improves this by
Patch in place of Update