Avoid stressing memory by watching arbitrary secrets on the cluster #151

Closed
kwiatekus opened this issue Dec 18, 2023 · 4 comments
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)

Comments

@kwiatekus (Collaborator)

Description

Exclude secrets and config maps from being auto-loaded into the controller's cache.

Reasons

The controller's cache can take a huge amount of memory (causing the limit to be exceeded and OOM killing by the k8s control plane) in case there is a vast number of secrets/config maps in the cluster.

Attachments

    // controller-runtime Manager with Secrets excluded from the client-side cache:
    // client.Get/List on a Secret goes straight to the API server instead of
    // starting an informer that would hold every Secret in the cluster in memory.
    // Assumed imports: corev1 "k8s.io/api/core/v1", ctrl "sigs.k8s.io/controller-runtime",
    // "sigs.k8s.io/controller-runtime/pkg/client", "sigs.k8s.io/controller-runtime/pkg/manager".
    mgr, err := manager.New(ctrl.GetConfigOrDie(), manager.Options{
        Scheme: s,
        Client: client.Options{
            Cache: &client.CacheOptions{
                Unstructured: false,
                DisableFor: []client.Object{
                    &corev1.Secret{},
                },
            },
        },
    })
    if err != nil {
        return err
    }
@kwiatekus kwiatekus added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 18, 2023
@MichalKalke MichalKalke self-assigned this Jan 4, 2024
@kwiatekus kwiatekus added this to the 0.10.0 milestone Jan 11, 2024
@kwiatekus kwiatekus reopened this Jan 18, 2024
@kwiatekus (Collaborator, Author)

The fix didn't help.
Warden admission is still OOMKilled on clusters with ~7k secrets

@pPrecel (Collaborator) commented Jan 19, 2024

The warden admission problem is caused by the Watch operation on secrets in the webhook SetupResourcesController method here. After removing these lines, the problem disappeared. It needs a more advanced investigation because I guess removing the secret watcher is not a solution.

To test it I used this script:

#!/bin/bash

kyma provision k3d

kubectl create namespace kyma-system
# server-side dry-run render of the chart; used below only as a large blob of data
operatorManifest=$(helm upgrade --install --wait --set global.config.data.logging.level=debug --set admission.enabled=true --dry-run=server -o yaml warden ./charts/warden/)

# create 2k secrets with huge data (12 copies of the rendered manifest each)
secretData=""
for _ in $(seq 1 12); do
    secretData="${secretData}${operatorManifest}"
done
for x in $(seq 1 2000); do
    kubectl create secret generic "secret-${x}" --from-literal=data="${secretData}"
done

# install warden
helm upgrade --install --wait --set global.config.data.logging.level=debug --set admission.enabled=true warden ./charts/warden/

To test it without the Watch function, I removed it, then built and pushed a new image using:

docker build -t pprecel/admission:0.1 -f docker/admission/Dockerfile .
docker push pprecel/admission:0.1

and replaced the admission image in values.yaml.

@kwiatekus kwiatekus changed the title from "Configure exclusions for secrets and configmaps in controller's cache" to "Avoid stressing memory by watching arbitrary secrets on the cluster" Jan 22, 2024
@halamix2 halamix2 self-assigned this Jan 29, 2024
@halamix2 (Member) commented Feb 2, 2024

Setting predicates to turn off all processing doesn't help

	if err := c.Watch(
		&source.Kind{Type: &corev1.Secret{}},
		&handler.EnqueueRequestForObject{},
		predicate.Funcs{
			// every predicate returns false, so no event is ever enqueued; the informer
			// that source.Kind starts still lists and stores every Secret, though
			CreateFunc:  func(e event.CreateEvent) bool { return false },
			DeleteFunc:  func(e event.DeleteEvent) bool { return false },
			UpdateFunc:  func(e event.UpdateEvent) bool { return false },
			GenericFunc: func(e event.GenericEvent) bool { return false },
		},
	); err != nil {
		return err
	}

I think the secret watcher is used to await changes just in the webhook secret. If we could watch just one secret it would be great.
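Both the issue body (keeping Secrets out of the client cache) and the comment above (predicates not reducing memory) come down to where the filtering happens. The following is an added example, not warden's code and not the change made in #188: a stdlib-only Go program with an in-process fake API server holding constructed Secrets. It issues the LIST an informer starts with, once unscoped and once with a metadata.namespace/metadata.name field selector, and measures what would stay resident in each case. The fake server, the Secret name "webhook-cert" and the payload sizes are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// secret is the subset of a core/v1 Secret this example needs.
type secret struct {
	Namespace string `json:"namespace"`
	Name      string `json:"name"`
	Data      string `json:"data"`
}

type secretList struct {
	Items []secret `json:"items"`
}

// buildSecrets constructs the population: n bulky Secrets in "default" (standing in
// for the thousands of arbitrary secrets in the thread) plus the one Secret the
// webhook needs. The name "webhook-cert" is an assumption, not warden's real name.
func buildSecrets(n, payloadBytes int) []secret {
	secrets := make([]secret, 0, n+1)
	for i := 1; i <= n; i++ {
		secrets = append(secrets, secret{"default", fmt.Sprintf("secret-%d", i), strings.Repeat("x", payloadBytes)})
	}
	return append(secrets, secret{"kyma-system", "webhook-cert", "-----BEGIN CERTIFICATE-----"})
}

// parseFieldSelector handles the equality form the API server accepts for core
// objects, e.g. "metadata.namespace=kyma-system,metadata.name=webhook-cert".
func parseFieldSelector(raw string) map[string]string {
	sel := map[string]string{}
	for _, kv := range strings.Split(raw, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			sel[k] = v
		}
	}
	return sel
}

// fakeAPIServer serves the constructed Secrets on the LIST path and applies the
// fieldSelector server-side: objects filtered here never reach the client at all.
func fakeAPIServer(secrets []secret) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sel := parseFieldSelector(r.URL.Query().Get("fieldSelector"))
		out := secretList{Items: []secret{}}
		for _, s := range secrets {
			if v, ok := sel["metadata.name"]; ok && v != s.Name {
				continue
			}
			if v, ok := sel["metadata.namespace"]; ok && v != s.Namespace {
				continue
			}
			out.Items = append(out.Items, s)
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(out)
	}))
}

// listSecrets is the LIST half of an informer's list-and-watch. An empty selector
// is what an unrestricted Watch on corev1.Secret does: every Secret in the cluster
// comes back and is stored before any predicate gets to look at an event.
func listSecrets(apiURL, fieldSelector string) ([]secret, error) {
	u := apiURL + "/api/v1/secrets"
	if fieldSelector != "" {
		u += "?fieldSelector=" + url.QueryEscape(fieldSelector)
	}
	resp, err := http.Get(u)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var list secretList
	if err := json.NewDecoder(resp.Body).Decode(&list); err != nil {
		return nil, err
	}
	return list.Items, nil
}

// residentBytes is the payload an informer store would keep after the LIST.
func residentBytes(items []secret) int {
	n := 0
	for _, s := range items {
		n += len(s.Data)
	}
	return n
}

func main() {
	srv := fakeAPIServer(buildSecrets(2000, 4096))
	defer srv.Close()
	all, _ := listSecrets(srv.URL, "")
	one, _ := listSecrets(srv.URL, "metadata.namespace=kyma-system,metadata.name=webhook-cert")
	fmt.Printf("unscoped: %d secrets, %d bytes resident\n", len(all), residentBytes(all))
	fmt.Printf("scoped:   %d secret, %d bytes resident\n", len(one), residentBytes(one))
}
```

Run it with `go run`: the unscoped list returns every Secret, the scoped one exactly the webhook Secret. A predicate only decides whether an event is enqueued after the object has already been listed and stored, which is why returning false everywhere changed nothing. In recent controller-runtime versions the server-side scoping shown here corresponds to giving the Secret informer a field selector (cache.Options.ByObject) rather than filtering its events; whether that is how #188 solved it is not stated in this thread.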

@halamix2 (Member) commented Feb 9, 2024

Fixed in #188; the OOMKilled issue no longer appears.

@kwiatekus kwiatekus modified the milestones: 0.10.0, 0.12.0 Feb 12, 2024