feat: disable caching for v1.secrets, avoid listing secrets cluster wide (#217)

Co-authored-by: Barahona José Luis (IT-PTR-BDE16) <[email protected]>

Author: jolbax

config/rbac/role.yaml

@@ -19,8 +19,6 @@ rules:
   - secrets
   verbs:
   - get
-  - list
-  - watch
 - apiGroups:
   - redhatcop.redhat.io
   resources:

controllers/groupsync_controller.go

@@ -51,7 +51,7 @@ type GroupSyncReconciler struct {
 // +kubebuilder:rbac:groups=redhatcop.redhat.io,resources=groupsyncs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=redhatcop.redhat.io,resources=groupsyncs/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=user.openshift.io,resources=groups,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
 
 func (r *GroupSyncReconciler) Reconcile(context context.Context, req ctrl.Request) (ctrl.Result, error) {

main.go

@@ -18,7 +18,9 @@ package main
 
 import (
 	"flag"
+	v1 "k8s.io/api/core/v1"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"time"
 
 	userv1 "github.com/openshift/api/user/v1"
@@ -86,6 +88,7 @@ func main() {
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                     scheme,
+		ClientDisableCacheFor:      []client.Object{&v1.Secret{}},
 		MetricsBindAddress:         metricsAddr,
 		Port:                       9443,
 		HealthProbeBindAddress:     probeAddr,