From 18cc99773dd14be2b838bb30a524ee32f59b8913 Mon Sep 17 00:00:00 2001 From: Hector Martinez Date: Thu, 10 Jul 2025 12:05:12 +0200 Subject: [PATCH 1/3] Add skip permissions option to ApiServerSource Signed-off-by: Hector Martinez --- config/nav.yml | 1 + .../sources/apiserversource/features.md | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 docs/eventing/sources/apiserversource/features.md diff --git a/config/nav.yml b/config/nav.yml index 8ac04c875e0..3cb61c029e9 100644 --- a/config/nav.yml +++ b/config/nav.yml @@ -226,6 +226,7 @@ nav: - About ApiServerSource: eventing/sources/apiserversource/README.md - Creating an ApiServerSource object: eventing/sources/apiserversource/getting-started.md - ApiServerSource reference: eventing/sources/apiserversource/reference.md + - ApiServerSource features: eventing/sources/apiserversource/features.md - Apache Kafka Source: eventing/sources/kafka-source/README.md - PingSource: - Creating a PingSource object: eventing/sources/ping-source/README.md diff --git a/docs/eventing/sources/apiserversource/features.md b/docs/eventing/sources/apiserversource/features.md new file mode 100644 index 00000000000..69415627f47 --- /dev/null +++ b/docs/eventing/sources/apiserversource/features.md 
@@ -0,0 +1,24 @@ +# ApiServerSource features + +ApiServerSource has features that can be added using annotations to the resource definition. + +## Skipping Permissions Check + +When the ApiServerSource resource is changed, Knative Eventing checks that it has the required +permissions for the resources and namespaces defined before updating the ApiServerSource Deployment. +On large clusters checking for permissions can put pressure on the Kubernetes API leading to +resource pressure. To make the ApiServerSource skip permissions set the following annotation: + +```yaml +apiVersion: sources.knative.dev/v1 +kind: ApiServerSource +metadata: + name: + namespace: + annotations: + features.knative.dev/apiserversource-skip-permissions: "true" +spec: + ... +``` + +This makes the ApiServerSource Deployment fail if any of the watches fails to start. From 92f660c5c65cb68430d754dd8567f651752b9cdb Mon Sep 17 00:00:00 2001 From: Hector Martinez Date: Mon, 21 Jul 2025 14:03:22 +0200 Subject: [PATCH 2/3] Rename annotation Signed-off-by: Hector Martinez --- docs/eventing/sources/apiserversource/features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/eventing/sources/apiserversource/features.md b/docs/eventing/sources/apiserversource/features.md index 69415627f47..87f81180d7d 100644 --- a/docs/eventing/sources/apiserversource/features.md +++ b/docs/eventing/sources/apiserversource/features.md @@ -16,7 +16,7 @@ metadata: name: namespace: annotations: - features.knative.dev/apiserversource-skip-permissions: "true" + features.knative.dev/apiserversource-skip-permissions-check: "true" spec: ... ``` From b91db0fb3db719300e54208a9222634796a4bc7b Mon Sep 17 00:00:00 2001 From: Hector Martinez Date: Tue, 22 Jul 2025 07:49:57 +0200 Subject: [PATCH 3/3] Move page to reference.md 
Signed-off-by: Hector Martinez --- config/nav.yml | 1 - .../sources/apiserversource/features.md | 24 --------------- .../sources/apiserversource/reference.md | 30 +++++++++++++++++++ 3 files changed, 30 insertions(+), 25 deletions(-) delete mode 100644 docs/eventing/sources/apiserversource/features.md diff --git a/config/nav.yml b/config/nav.yml index 3cb61c029e9..8ac04c875e0 100644 --- a/config/nav.yml +++ b/config/nav.yml @@ -226,7 +226,6 @@ nav: - About ApiServerSource: eventing/sources/apiserversource/README.md - Creating an ApiServerSource object: eventing/sources/apiserversource/getting-started.md - ApiServerSource reference: eventing/sources/apiserversource/reference.md - - ApiServerSource features: eventing/sources/apiserversource/features.md - Apache Kafka Source: eventing/sources/kafka-source/README.md - PingSource: - Creating a PingSource object: eventing/sources/ping-source/README.md diff --git a/docs/eventing/sources/apiserversource/features.md b/docs/eventing/sources/apiserversource/features.md deleted file mode 100644 index 87f81180d7d..00000000000 --- a/docs/eventing/sources/apiserversource/features.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# ApiServerSource features - -ApiServerSource has features that can be added using annotations to the resource definition. - -## Skipping Permissions Check - -When the ApiServerSource resource is changed, Knative Eventing checks that it has the required -permissions for the resources and namespaces defined before updating the ApiServerSource Deployment. -On large clusters checking for permissions can put pressure on the Kubernetes API leading to -resource pressure. To make the ApiServerSource skip permissions set the following annotation: - -```yaml -apiVersion: sources.knative.dev/v1 -kind: ApiServerSource -metadata: - name: - namespace: - annotations: - features.knative.dev/apiserversource-skip-permissions-check: "true" -spec: - ... -``` - -This makes the ApiServerSource Deployment fail if any of the watches fails to start. diff --git a/docs/eventing/sources/apiserversource/reference.md b/docs/eventing/sources/apiserversource/reference.md index 89810e99b52..f398371bbc4 100644 --- a/docs/eventing/sources/apiserversource/reference.md +++ b/docs/eventing/sources/apiserversource/reference.md 
@@ -15,6 +15,7 @@ An ApiServerSource definition supports the following fields: | [`apiVersion`][kubernetes-overview] | Specifies the API version, for example `sources.knative.dev/v1`. | Required | | [`kind`][kubernetes-overview] | Identifies this resource object as an ApiServerSource object. | Required | | [`metadata`][kubernetes-overview] | Specifies metadata that uniquely identifies the ApiServerSource object. For example, a `name`. | Required | +| [`metadata.annotations`][#features] | Specifies metadata that enables certain features. See the related section. | Optional | | [`spec`][kubernetes-overview] | Specifies the configuration information for this ApiServerSource object. | Required | | [`spec.resources`](#resources-parameter) | The resources that the source tracks so it can send related lifecycle events from the Kubernetes ApiServer. Includes an optional label selector to help filter. | Required | | `spec.mode` | EventMode controls the format of the event. Set to `Reference` to send a `dataref` event type for the resource being watched. Only a reference to the resource is included in the event payload. Set to `Resource` to have the full resource lifecycle event in the payload. Defaults to `Reference`. | Optional | 
@@ -315,6 +316,35 @@ spec: { "extensions": { "extra": "this is an extra attribute", "additional": "42" } } ``` +### Features + +The ApiServerSource uses annotations to the enable certain features. + +#### Skipping Permissions Check + +This feature disables the RBAC permissions check done before creating +the Deployment. By default three SubjectAccessReview requests are +created per combination of resource and namespace tracked. + +When enabled, this feature removes the creation of SubjectAccessReview, +reducing the pressure to the Kubernetes API when a large number of +resources or namespaces are tracked by the ApiServerSource. In this +case the ApiServerSource Deployment does not retry watch connections. + +To enable it, set it to `"true"`: + +```yaml +apiVersion: sources.knative.dev/v1 +kind: ApiServerSource +metadata: + name: + namespace: + annotations: + features.knative.dev/apiserversource-skip-permissions-check: "true" +spec: + ... +``` + [kubernetes-overview]: https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields [kubernetes-kinds]:
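Review bot: In the reference.md field table (hunk `@@ -15,6 +15,7`), the new `metadata.annotations` row links with `[#features]` in square brackets, which Markdown reads as a reference-style label, and no `[#features]:` definition appears in the visible lines, so the link would not resolve. The neighbouring `spec.resources` row uses the inline form `(#resources-parameter)`; use `(#features)` here. "See the related section" could also name the section ("Features") so the row still makes sense if the anchor changes.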
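Review bot: In the new "Skipping Permissions Check" text of reference.md (hunk `@@ -315,6 +316,35`), the failure behaviour with the check disabled is no longer stated. The features.md version removed in this patch said "This makes the ApiServerSource Deployment fail if any of the watches fails to start", while the replacement only says the Deployment "does not retry watch connections". Because the annotation removes the SubjectAccessReview requests made before the Deployment is created, say explicitly what an operator sees when a permission is missing for a tracked resource or namespace, so that opting out of the RBAC check is a visible trade-off rather than only a performance setting. Two wording points in the same hunk: "annotations to the enable certain features" has a stray "the", and "To enable it, set it to `"true"`" should name the annotation being set.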