Use filtered informer to watch OIDC service accounts

[creydr]

Currently we're watching all service accounts in the cluster for changes and reenque the objects which have an OIDC service account assigned if something changes. e.g.:

eventing/pkg/reconciler/broker/trigger/controller.go

Lines 114 to 118 in ba02f4a

	// Reconciler Trigger when the OIDC service account changes
	serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
	FilterFunc: controller.FilterController(&eventing.Trigger{}),
	Handler: controller.HandleAll(impl.EnqueueControllerOf),
	})

Instead we should label the OIDC service accounts and use a filtered serviceaccount informer based on that label/selector.

Additional information:

• unfiltered service account informers for OIDC service accounts are currently used in multiple places. Most of the fixed Support auto generation of XYZ identity service account and expose in AuthStatus issues in Eventing Sender Identity (view) will probably use it
• filtered service account informer: https://github.com/knative/pkg/blob/main/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go
• function to setup OIDC service accounts:

  eventing/pkg/auth/serviceaccount.go

  Lines 45 to 65 in ba02f4a

  	func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) *v1.ServiceAccount {
  	return &v1.ServiceAccount{
  	ObjectMeta: metav1.ObjectMeta{
  	Name: GetOIDCServiceAccountNameForResource(gvk, objectMeta),
  	Namespace: objectMeta.GetNamespace(),
  	OwnerReferences: []metav1.OwnerReference{
  	{
  	APIVersion: gvk.GroupKind().Group + "/" + gvk.GroupVersion().Version,
  	Kind: gvk.GroupKind().Kind,
  	Name: objectMeta.GetName(),
  	UID: objectMeta.GetUID(),
  	Controller: ptr.Bool(true),
  	BlockOwnerDeletion: ptr.Bool(false),
  	},
  	},
  	Annotations: map[string]string{
  	"description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name),
  	},
  	},
  	}
  	}

• Example of filtered informer use: https://github.com/knative/serving/blob/main/cmd/autoscaler/main.go

[yijie-04]

/assign

[yijie-04]

@creydr Hey Christoph, since we are already using FilterController as a filter function in controller.go, I'm just wondering if you could explain more about the differences between this and the actual filtered informer, as well as how and where I should use the filtered informer/label. Thanks!

[creydr]

Hey @yijie-04,
the usual informers watch any of their resources in the cluster. So the serviceaccountInformer in the controller.go for example still watches all service accounts (and the controller.FilterController() is only for the event handler, while serviceaccountInformer still has all SAs).
So we want the serviceaccountInformer being setup as a filtered informer, only watching the OIDC service accounts (e.g. identified by a certain label).

Does this make it clearer?

[creydr]

Hello @yijie-04,
did the provided information help? Are you still working on this?

[yijie-04]

Hi @creydr, yes it made sense, thank you! Sorry I've not been too active recently as I'm in my finals season. Is it ok if I work on this a bit later (in a week or so)?

[creydr]

Sure. Good luck with your exams.
Just to provide some additional information: @Leo6Leo did something similar in #7452 where he added a filtered informer for a role & rolebinding (see discussions at #7452 (comment))

[Leo6Leo]

@yijie-04 hey yijie, feel free to ping me here or on CNCF slack if you need any help

[yijie-04]

@creydr @Leo6Leo Got it, thank you!