Restrict WVA controller ClusterRole to only WVA ConfigMaps (#985)

* Add shuynh2017 to the OWNERS list

* restrict configmaps for cluster-scoped role

* revert changes in roles

* update resourcesNames

* address comments

Author: shuynh2017

Makefile

@@ -93,7 +93,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet setup-envtest helm ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" PATH=$(LOCALBIN):$(PATH) go test $$(go list ./... | grep -v /e2e | grep -v /benchmark) -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" PATH="$(LOCALBIN):$(PATH)" go test $$(go list ./... | grep -v /e2e | grep -v /benchmark) -coverprofile cover.out
 
 # Creates a multi-node Kind cluster
 # Adds emulated GPU labels and capacities per node

charts/workload-variant-autoscaler/templates/rbac/leader_election_role.yaml

@@ -1,5 +1,7 @@
 {{- if .Values.controller.enabled }}
 # permissions to do leader election.
+# Leader election uses coordination.k8s.io/v1.Lease (default in controller-runtime v0.12+)
+# ConfigMap-based leader election permissions have been removed as they are no longer used.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -8,18 +10,6 @@ metadata:
   labels:
     {{- include "workload-variant-autoscaler.labels" . | nindent 4 }}
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
   - coordination.k8s.io
   resources:

charts/workload-variant-autoscaler/templates/rbac/role.yaml

@@ -12,13 +12,25 @@ rules:
   resources:
   - configmaps
   verbs:
-  - get
   - list
-  - update
   - watch
   # Note: This broad permission is required for namespace-local ConfigMap overrides.
   # The controller filters by well-known names (wva-saturation-scaling-config, wva-model-scale-to-zero-config)
   # in its predicate logic, providing effective access control.
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  {{- if not .Values.wva.namespaceScoped }}
+  resourceNames:
+  - {{ include "workload-variant-autoscaler.fullname" . }}-variantautoscaling-config
+  - {{ include "workload-variant-autoscaler.fullname" . }}-wva-saturation-scaling-config
+  - wva-model-scale-to-zero-config
+  - wva-queueing-model-config
+{{- end }}
+  verbs:
+  - get
+  - update
 - apiGroups:
   - ""
   resources:

cmd/main.go

@@ -33,6 +33,7 @@ import (
 
 	"github.com/go-logr/logr"
 	flag "github.com/spf13/pflag"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/discovery"
@@ -41,6 +42,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	ctrlzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -65,6 +67,7 @@ import (
 	promoperator "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"github.com/prometheus/client_golang/api"
 	promv1 "github.com/prometheus/client_golang/api/prometheus/v1"
+	corev1 "k8s.io/api/core/v1"
 	crmetrics "sigs.k8s.io/controller-runtime/pkg/metrics"
 	inferencePoolV1 "sigs.k8s.io/gateway-api-inference-extension/api/v1"
 	inferencePoolV1alpha2 "sigs.k8s.io/gateway-api-inference-extension/apix/v1alpha2"
@@ -348,6 +351,27 @@ func main() {
 				watchNS: {},
 			},
 		}
+	} else {
+		// Multi-namespace mode: Use label selector to filter ConfigMaps in the cache
+		// This significantly reduces memory usage by only caching WVA-related configmaps
+		wvaConfigSelector := labels.SelectorFromSet(labels.Set{
+			"app.kubernetes.io/name": "workload-variant-autoscaler",
+		})
+
+		setupLog.Info("Configuring cache with label selector for ConfigMaps",
+			"labelSelector", wvaConfigSelector.String())
+
+		// Configure cache to only watch configmaps with the WVA labels
+		// Other resource types are cached normally without filtering
+		mgrOptions.Cache = cache.Options{
+			ByObject: map[client.Object]cache.ByObject{
+				&corev1.ConfigMap{}: {
+					// Empty map means cache all namespaces, but filter by label
+					Namespaces: map[string]cache.Config{},
+					Label:      wvaConfigSelector,
+				},
+			},
+		}
 	}
 
 	mgr, err := ctrl.NewManager(restConfig, mgrOptions)

config/rbac/leader_election_role.yaml

@@ -1,4 +1,6 @@
 # permissions to do leader election.
+# Leader election uses coordination.k8s.io/v1.Lease (default in controller-runtime v0.12+)
+# ConfigMap-based leader election permissions have been removed as they are no longer used.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -7,18 +9,6 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: leader-election-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
   - coordination.k8s.io
   resources:

config/samples/model-scale-to-zero-config.yaml

@@ -22,6 +22,8 @@ kind: ConfigMap
 metadata:
   name: wva-model-scale-to-zero-config
   namespace: workload-variant-autoscaler-system
+  labels:
+    app.kubernetes.io/name: workload-variant-autoscaler
 data:
   # Global defaults applied to all models unless overridden
   default: |

deploy/configmap-saturation-scaling.yaml

@@ -17,6 +17,9 @@ kind: ConfigMap
 metadata:
   name: wva-saturation-scaling-config
   namespace: workload-variant-autoscaler-system
+  labels:
+    app.kubernetes.io/name: workload-variant-autoscaler
+    app.kubernetes.io/managed-by: kustomize
 data:
   # Global defaults applied to all variants unless overridden
   default: |