feat: operator watch namespaces #6434
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lc525
reviewed
May 1, 2025
There was a problem hiding this comment.
There is an additional situation we will want to cover, but we might choose to reprioritise and deal with it in a separate PR:
-
clusterwide: True,watchNamespacesnot set -- watch all namespaces -
clusterwide: True,watchNamespacesis set and we allow the operator ClusterRole/ClusterRoleBinding permissions. Here, the operator only watches some namespaces but has the permissions to watch any namespace. In security-restricted environments, this is problematic. However, other operators like postgres or spark also only offer this option. -
clusterwide: False,watchNamespacesnot set -- only watch the namespace where the operator is installed -
clusterwide: False,watchNamespacesis set -- we only give permissions to the operator to watch the specific list of namespaces. The helm chart needs to create RoleBindings in each namespace in the list (or which matches a specific criteria) during the call tohelm installorhelm upgrade. These RoleBindings should give the operator’s service account the necessary privileges in the namespace.
|
Before we merge this, let's test for sane behaviour when instantiating two operators in |
In this case, although the scheduler seems to behave ok for model loading/unloading, there are some errors which pop up in the operator. When loading: When unloading: This is a faulty configuration anyways, and maybe we should address it in a future PR. |
lc525
reviewed
May 2, 2025
| @@ -183,7 +183,7 @@ rules: | |||
| - list | |||
| - watch | |||
| --- | |||
| {{- if .Values.controller.clusterwide -}} | |||
| {{- if and (not .Values.controller.skipClusterRoleCreation) (or .Values.controller.clusterwide .Values.controller.watchNamespaces) -}} | |||
There was a problem hiding this comment.
This is the cluster role specific to the operator. Perhaps we should reflect that in the value name? Something like skipOperatorClusterRoleCreation
lc525
approved these changes
May 2, 2025
jtayl222
pushed a commit
to jtayl222/seldon-core
that referenced
this pull request
Jul 20, 2025
* Modified helm-chart to watch for specific namespaces * Included watch-namespaces flag and validation of the flags * Removed extra indent * Fixed autogenerated charts * Added new line at the end of patch_controller.yaml * Refactored operator code so watchNamespaces if used in conjuction with clusterwide * Ensure the current namespace is included in the cache config and imporved parsing * Implemented the option to skip the creation of ClusterRole * Replaced Release.Name with Release.Namespace * Fixed rolebinding config * Remove namespace from the name of rolebind since it is not required * Improved flag description * Renamed skipClusterRoleCreation to skipOperatorClusterRoleCreation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
This PR implements the option to configure the operator to watch specific namespaces.
To install the operator to watch specific namespaces, run:
helm upgrade seldon-core-v2-setup ./seldon-core-v2-setup/ --namespace seldon-mesh --set "controller.watchNamespaces={seldon-mesh,seldon-mesh-2}" --set controller.clusterwide=false --installIn the example above, the operator will watch only
seldon-meshandseldon-mesh-2namespaces.Configuration details:
clusterwideflag is set totrueandwatchNamespaceis not set, then all the namespaces will be watchedclusterwideflag is set totrueandwatchNamespacesis set, then the operator will watch the namespaces specifiedclusterwideflag is set tofalse, then the operator will watch thePOD_NAMESPACEwhich is the same as the release namespace.Additionally, if a user wants to have a controller in
ns1watching theseldon-mesh-1, and another controller inns2watchingseldon-mesh-2, they can use--set controller.skipClusterRoleCreationto overcome the error from recreating the same cluster role twice.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: