Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-37581

Cluster RBAC performance issues due Console user settings, missing option to save user settings in localStorage

XMLWordPrintable

    • None
    • Yes
    • ODC Sprint 3262, ODC Sprint 3263, ODC Sprint 3264, ODC Sprint 3265, ODC Sprint 3266
    • 5
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:
      Console user settings are saved in a ConfigMap for each user in the namespace openshift-console-user-settings.

      The console frontend uses the k8s API to read and write that ConfigMap. The console backend creates a ConfigMap with a Role and RoleBinding for each user, giving that single user read and write access to his/her own ConfigMap.

      The number of Role and RoleBindings might decrease a cluster performance. This has happened in the past, esp. on the Developer Sandbox, where a long-living cluster creates new users that is then automatically removed after a month. Keeping the Role and RoleBinding results in performance issues.

      The resources had an ownerReference before 4.15 so that the 3 resources (1 ConfigMap, 1 Role, 1 RoleBinding) was automatically removed when the User resource was deleted. This ownerReference was removed with 4.15 to support external OIDC providers.

      Issue OCPBUGS-37560 is about to restore that feature for the OpenShift auth provider.

      This ticket here is about adding a feature-flag to switch from ConfigMap user settings (default) to in browser/localSorage user settings (opt-out). This will allow cluster admins with tausends of console users to disable user settings if it negatively affects cluster performance.

      History:

      • User setting feature was introduced 2020 with 4.7 (ODC-4370) without a ownerReference for these resources.
      • After noticing performance issues on Dev Sandbox 2022 (BZ 2019564) we added an ownerReference in 4.11 (PR 11130) and backported this change 4.10 and 4.9.
      • The ownerReference was removed in 4.15 with CONSOLE-3829/OCPBUGS-16814/PR 13321. This is a regression.

      See also:

      Version-Release number of selected component (if applicable):
      4.15+

      How reproducible:
      Always

      Steps to Reproduce:

      1. Create a new user
      2. Login into the console
      3. Check for the user settings ConfigMap, Role and RoleBinding for that deleted user.
      4. Delete the user
      5. The resources should now be removed...

      Actual results:
      The three resources weren't deleted after the user was deleted.

      Expected results:
      The three resources should be deleted after the user is deleted.

      Additional info:

              avik6028 Avik Kundu
              cjerolim Christoph Jerolimov
              Sanket Pathak Sanket Pathak
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: