fix: use non-caching client to get pod in getPodPrivateIP in ENI co…

…ntroller (#21) This removes the requirement to have list/watch permissions on pods (was missing in the ClusterRole in the Helm chart) and it doesn't cache all pods in the cluster anymore (should reduce memory usage).
goto-opensource · Jul 1, 2024 · 317b48e · 317b48e
1 parent 3a8013a
commit 317b48e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 8 deletions.
diff --git a/controllers/eni_controller.go b/controllers/eni_controller.go
@@ -38,8 +38,9 @@ import (
 // ENIReconciler reconciles a ENI object
 type ENIReconciler struct {
 	client.Client
-	Log logr.Logger
-	EC2 *ec2.EC2
+	NonCachingClient client.Client
+	Log              logr.Logger
+	EC2              *ec2.EC2
 }
 
 // +kubebuilder:rbac:groups=aws.k8s.logmein.com,resources=enis,verbs=get;list;watch;create;update;patch;delete
@@ -278,7 +279,8 @@ func (r *ENIReconciler) getSecurityGroupIDs(securityGroups []string) ([]*string,
 
 func (r *ENIReconciler) getPodPrivateIP(namespace, podName string) (string, error) {
 	pod := &corev1.Pod{}
-	if err := r.Client.Get(context.Background(), client.ObjectKey{
+	// we use a non-caching client here as otherwise we would need to cache all pods (would increase memory usage) in the cluster and require list/watch permissions
+	if err := r.NonCachingClient.Get(context.Background(), client.ObjectKey{
 		Namespace: namespace,
 		Name:      podName,
 	}, pod); err != nil {
@@ -291,7 +293,7 @@ func (r *ENIReconciler) getPodPrivateIP(namespace, podName string) (string, erro
 func (r *ENIReconciler) findENI(privateIP string) (*ec2.NetworkInterface, error) {
 	if resp, err := r.EC2.DescribeNetworkInterfaces(&ec2.DescribeNetworkInterfacesInput{
 		Filters: []*ec2.Filter{
-			&ec2.Filter{
+			{
 				Name: aws.String("addresses.private-ip-address"),
 				Values: []*string{
 					aws.String(privateIP),

diff --git a/main.go b/main.go
@@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	// +kubebuilder:scaffold:imports
 )
@@ -82,8 +83,15 @@ func main() {
 		os.Exit(1)
 	}
 
+	cachingClient := mgr.GetClient()
+	nonCachingClient, err := client.New(mgr.GetConfig(), client.Options{Scheme: mgr.GetScheme(), Mapper: mgr.GetRESTMapper()})
+	if err != nil {
+		setupLog.Error(err, "unable to get non-caching client")
+		os.Exit(1)
+	}
+
 	err = (&controllers.EIPReconciler{
-		Client: mgr.GetClient(),
+		Client: cachingClient,
 		Log:    ctrl.Log.WithName("controllers").WithName("EIP"),
 		EC2:    ec2,
 	}).SetupWithManager(mgr)
@@ -92,9 +100,10 @@ func main() {
 		os.Exit(1)
 	}
 	err = (&controllers.ENIReconciler{
-		Client: mgr.GetClient(),
-		Log:    ctrl.Log.WithName("controllers").WithName("ENI"),
-		EC2:    ec2,
+		Client:           cachingClient,
+		NonCachingClient: nonCachingClient,
+		Log:              ctrl.Log.WithName("controllers").WithName("ENI"),
+		EC2:              ec2,
 	}).SetupWithManager(mgr)
 	if err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ENI")