Remove update/delete access to ConfigMaps

This is no longer required with a lease-based Leader Election Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
openfaas · Oct 19, 2023 · fffebc2 · fffebc2
1 parent 88017a9
commit fffebc2
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 14 deletions.
diff --git a/chart/openfaas/templates/operator-rbac.yaml b/chart/openfaas/templates/operator-rbac.yaml
@@ -41,11 +41,6 @@ rules:
 - apiGroups: [""]
   resources: ["configmaps"]
   verbs: ["get",  "create"]
-{{- if .Values.operator.leaderElection.enabled }}
-- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: [ "update", "patch", "delete", "watch"]
-{{- end }}
 - apiGroups: ["apps", "extensions"]
   resources: ["deployments"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
@@ -58,9 +53,11 @@ rules:
   verbs: ["get", "list", "watch"]
 # AE: For leader election
 # PATCH may not be required?
+{{- if .Values.operator.leaderElection.enabled }}
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -158,11 +155,6 @@ rules:
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get",  "create"]
-{{- if .Values.operator.leaderElection.enabled }}
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: [ "update", "patch", "delete", "watch"]
-{{- end }}
 # TODO: AE - remove endpoints from RBAC now that operator uses EndpointSlices
   - apiGroups: [""]
     resources: ["pods", "pods/log", "namespaces", "endpoints"]
@@ -176,9 +168,12 @@ rules:
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 # AE: For leader election
 # PATCH may not be required?
+{{- if .Values.operator.leaderElection.enabled }}
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end }}
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/chart/openfaas/values.yaml b/chart/openfaas/values.yaml
@@ -94,15 +94,18 @@ gateway:
 operator:
   image: ghcr.io/openfaasltd/faas-netes:0.5.0
   create: false
-  # Unnecessary when running a single replica of the gateway
-  leaderElection:
-    enabled: true
-  reconcileWorkers: 2
   resources:
     requests:
       memory: "120Mi"
       cpu: "50m"
 
+  # For when you are running more than one replica of the gateway
+  leaderElection:
+    enabled: false
+
+  # Set to 2 for large amounts of functions
+  reconcileWorkers: 1
+
   # For OpenFaaS for Enterprises, these numbers can be set higher,
   # if experiencing rate limiting due to a large number of functions
   # within the cluster