mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-03-11 11:00:57 -04:00
8188c3cca4
Automatic merge from submit-queue (batch tested with PRs 40796, 40878, 36033, 40838, 41210) Implement TTL controller and use the ttl annotation attached to node in secret manager For every secret attached to a pod as volume, Kubelet is trying to refresh it every sync period. Currently Kubelet has a ttl-cache of secrets of its pods and the ttl is set to 1 minute. That means that in large clusters we are targetting (5k nodes, 30pods/node), given that each pod has a secret associated with ServiceAccount from its namespaces, and with large enough number of namespaces (where on each node (almost) every pod is from a different namespace), that resource in ~30 GETs to refresh all secrets every minute from one node, which gives ~2500QPS for GET secrets to apiserver. Apiserver cannot keep up with it very easily. Desired solution would be to watch for secret changes, but because of security we don't want a node watching for all secrets, and it is not possible for now to watch only for secrets attached to pods from my node. So as a temporary solution, we are introducing an annotation that would be a suggestion for kubelet for the TTL of secrets in the cache and a very simple controller that would be setting this annotation based on the cluster size (the large cluster is, the bigger ttl is). That workaround mean that only very local changes are needed in Kubelet, we are creating a well separated very simple controller, and once watching "my secrets" will be possible it will be easy to remove it and switch to that. And it will allow us to reach scalability goals. @dchen1107 @thockin @liggitt |
||
|---|---|---|
| .. | ||
| certificates | ||
| cloud | ||
| cronjob | ||
| daemon | ||
| deployment | ||
| disruption | ||
| endpoint | ||
| garbagecollector | ||
| informers | ||
| job | ||
| namespace | ||
| node | ||
| podautoscaler | ||
| podgc | ||
| replicaset | ||
| replication | ||
| resourcequota | ||
| route | ||
| service | ||
| serviceaccount | ||
| statefulset | ||
| ttl | ||
| volume | ||
| .import-restrictions | ||
| BUILD | ||
| client_builder.go | ||
| controller_ref_manager.go | ||
| controller_utils.go | ||
| controller_utils_test.go | ||
| doc.go | ||
| lookup_cache.go | ||
| OWNERS | ||