operator: don't watch all namespaces

The operator should be watching only a specific set of namespaces, so that it didn't have access to
workload secrets

Author: vrutkovs

pkg/operator/connectivitycheckcontroller/connectivity_check_controller.go

@@ -36,6 +36,7 @@ func NewKubeAPIServerConnectivityCheckController(
 	operatorClient v1helpers.StaticPodOperatorClient,
 	apiextensionsClient *apiextensionsclient.Clientset,
 	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
+	nodeLister corev1listers.NodeLister,
 	operatorcontrolplaneClient *operatorcontrolplaneclient.Clientset,
 	configInformers configinformers.SharedInformerFactory,
 	apiextensionsInformers apiextensionsinformers.SharedInformerFactory,
@@ -63,7 +64,7 @@ func NewKubeAPIServerConnectivityCheckController(
 		operatorClient:       operatorClient,
 		endpointsLister:      kubeInformersForNamespaces.InformersFor("openshift-apiserver").Core().V1().Endpoints().Lister(),
 		serviceLister:        kubeInformersForNamespaces.InformersFor("openshift-apiserver").Core().V1().Services().Lister(),
-		nodeLister:           kubeInformersForNamespaces.InformersFor("").Core().V1().Nodes().Lister(),
+		nodeLister:           nodeLister,
 		infrastructureLister: configInformers.Config().V1().Infrastructures().Lister(),
 	}
 	return c.WithPodNetworkConnectivityCheckFn(generator.generate)

pkg/operator/kubeletversionskewcontroller/kubelet_version_skew_controller.go

@@ -18,6 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	corev1listers "k8s.io/client-go/listers/core/v1"
+	cache "k8s.io/client-go/tools/cache"
 )
 
 const (
@@ -46,20 +47,22 @@ type KubeletVersionSkewController interface {
 func NewKubeletVersionSkewController(
 	operatorClient v1helpers.OperatorClient,
 	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
+	nodeLister corev1listers.NodeLister,
+	nodeInformer cache.SharedIndexInformer,
 	recorder events.Recorder,
 ) *kubeletVersionSkewController {
 	openShiftVersion := semver.MustParse(status.VersionForOperatorFromEnv())
 	nextOpenShiftVersion := semver.Version{Major: openShiftVersion.Major, Minor: openShiftVersion.Minor + 1}
 	c := &kubeletVersionSkewController{
 		operatorClient:              operatorClient,
-		nodeLister:                  kubeInformersForNamespaces.InformersFor("").Core().V1().Nodes().Lister(),
+		nodeLister:                  nodeLister,
 		apiServerVersion:            semver.MustParse(status.VersionForOperandFromEnv()),
 		minSupportedSkew:            minSupportedKubeletSkewForOpenShiftVersion(openShiftVersion),
 		minSupportedSkewNextVersion: minSupportedKubeletSkewForOpenShiftVersion(nextOpenShiftVersion),
 	}
 	c.Controller = factory.New().
 		WithSync(c.sync).
-		WithInformers(kubeInformersForNamespaces.InformersFor("").Core().V1().Nodes().Informer()).
+		WithInformers(nodeInformer).
 		ToController("KubeletVersionSkewController", recorder.WithComponentSuffix("kubelet-version-skew-controller"))
 	return c
 }

pkg/operator/starter.go

@@ -121,7 +121,6 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 
 	kubeInformersForNamespaces := v1helpers.NewKubeInformersForNamespaces(
 		kubeClient,
-		"",
 		operatorclient.GlobalUserSpecifiedConfigNamespace,
 		operatorclient.GlobalMachineSpecifiedConfigNamespace,
 		operatorclient.TargetNamespace,
@@ -130,6 +129,8 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		"openshift-etcd",
 		"openshift-apiserver",
 	)
+	clusterInformers := v1helpers.NewKubeInformersForNamespaces(kubeClient, "")
+
 	configInformers := configv1informers.NewSharedInformerFactory(configClient, 10*time.Minute)
 	operatorClient, dynamicInformersForAllNamespaces, err := genericoperatorclient.NewStaticPodOperatorClient(
 		controllerContext.Clock,
@@ -302,6 +303,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		operatorClient,
 		apiextensionsClient,
 		kubeInformersForNamespaces,
+		clusterInformers.InformersFor("").Core().V1().Nodes().Lister(),
 		operatorcontrolplaneClient,
 		configInformers,
 		apiextensionsInformers,
@@ -319,7 +321,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 	}
 	versionRecorder.SetVersion("raw-internal", status.VersionForOperatorFromEnv())
 
-	staticPodControllers, err := staticpod.NewBuilder(operatorClient, kubeClient, kubeInformersForNamespaces, configInformers, controllerContext.Clock).
+	staticPodControllers, err := staticpod.NewBuilder(operatorClient, kubeClient, kubeInformersForNamespaces, clusterInformers.InformersFor(""), configInformers, controllerContext.Clock).
 		WithEvents(controllerContext.EventRecorder).
 		WithCustomInstaller([]string{"cluster-kube-apiserver-operator", "installer"}, installerErrorInjector(operatorClient)).
 		WithPruning([]string{"cluster-kube-apiserver-operator", "prune"}, "kube-apiserver-pod").
@@ -463,6 +465,8 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 	kubeletVersionSkewController := kubeletversionskewcontroller.NewKubeletVersionSkewController(
 		operatorClient,
 		kubeInformersForNamespaces,
+		clusterInformers.InformersFor("").Core().V1().Nodes().Lister(),
+		clusterInformers.InformersFor("").Core().V1().Nodes().Informer(),
 		controllerContext.EventRecorder,
 	)
 
@@ -482,7 +486,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 
 	webhookSupportabilityController := webhooksupportabilitycontroller.NewWebhookSupportabilityController(
 		operatorClient,
-		kubeInformersForNamespaces,
+		clusterInformers,
 		apiextensionsInformers,
 		controllerContext.EventRecorder,
 	)
@@ -509,6 +513,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 	configmetrics.Register(configInformers)
 
 	kubeInformersForNamespaces.Start(ctx.Done())
+	clusterInformers.Start(ctx.Done())
 	configInformers.Start(ctx.Done())
 	dynamicInformersForAllNamespaces.Start(ctx.Done())
 	dynamicInformersForTargetNamespace.Start(ctx.Done())