Description of problem: Most of the memory for assited-service is being used by the controllers and, most of that memory seems to be allocated by the kube client's cache. From a recent investigation, after a 1k deployemnt and when assisted-service was idle, there were ~350Mb allocated only by Secret objects. It seems like we are watching the Secrets in the clusterdeployment controller I'm looking to see if there's a way for us to not do this, or to optimize it so that we only watch for the secrets we care about (by using some predicates and custom cache instance). Few ideas here: * It looks like not watching the secret is not an option. Is this assumption correct? * Would it be possible to require the secret needed by ClusterDeployment (I believe it's just the pull-secret) to be annotated/labeled? * If we don't want the user to annotate/label the secret, could we annotate the secret automatically in the reconcile loop? An early discussion on the above resulted in folks aligning on the idea of using labels and assigning them automatically to the Secrets so that a more restricted cache can be implemented.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759