Enable k8s client cache for Secrets and ConfigMaps in the single namespace mode #3825
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tfujiwar
requested review from
a team,
mumoshu,
rentziass and
toast-gear
as code owners
4 tasks
tfujiwar
changed the title
tfujiwar
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR enables caching of Secrets and ConfigMaps in the Kubernetes API client when the controller operates in single namespace mode, improving performance by reducing reconciliation latency for EphemeralRunners.
Key Changes:
- Conditionally enables client cache for Secrets/ConfigMaps based on watch mode
- Adds list/watch permissions for Secrets and ConfigMaps in single namespace RBAC roles
- Updates test assertions to reflect the additional RBAC rules
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| main.go | Moves cache disable configuration into a conditional block that only applies when not in single namespace mode |
| charts/gha-runner-scale-set-controller/tests/template_test.go | Updates expected rule counts to account for new Secret and ConfigMap permissions |
| charts/gha-runner-scale-set-controller/templates/manager_single_namespace_watch_role.yaml | Adds list/watch permissions for Secrets and ConfigMaps in the watched namespace |
| charts/gha-runner-scale-set-controller/templates/manager_single_namespace_controller_role.yaml | Adds list/watch permissions for Secrets and ConfigMaps in the controller namespace |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WHAT
WHY
To reduce latency of runner pod creation (#3276).
The EphemeralRunnerReconciler retrieves a JITConfig Secret for every reconciliation once the Secret is created. It can be a performance bottleneck because the k8s API client cache is disabled for Secrets.
The cache has been disabled for Secrets because it requires cluster-wide list/watch permissions in the default mode. But in the single namespace mode, we can narrow down the permissions only to the single namespace and the controller namespace, which would be acceptable.
This change is aligned with ADR 2023-04-11: Limit Permissions for Service Accounts in Actions-Runner-Controller.
TESTING
We have tested the change with a controller that manages 300-400 EphemeralRunners at peak times. We confirmed that the duration of getting k8s Secrets from the EphemeralRunnerReconciler has decreased due to the caching.
We also confirmed that the number of Pending EphemeralRunners has decreased because they are reconciled faster.
Before
After