Add skip permissions option to ApiServerSource (#6288)

* Add skip permissions option to ApiServerSource

Signed-off-by: Hector Martinez <hemartin@redhat.com>

* Rename annotation

Signed-off-by: Hector Martinez <hemartin@redhat.com>

* Move page to reference.md

Signed-off-by: Hector Martinez <hemartin@redhat.com>

---------

Signed-off-by: Hector Martinez <hemartin@redhat.com>
Hector Martinez Lopez 2025-07-22 07:58:07 +02:00 committed by GitHub
parent 4b84e8d825
commit 59fd9a068e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 30 additions and 0 deletions


@ -15,6 +15,7 @@ An ApiServerSource definition supports the following fields:
| [`apiVersion`][kubernetes-overview] | Specifies the API version, for example `sources.knative.dev/v1`. | Required |
| [`kind`][kubernetes-overview] | Identifies this resource object as an ApiServerSource object. | Required |
| [`metadata`][kubernetes-overview] | Specifies metadata that uniquely identifies the ApiServerSource object. For example, a `name`. | Required |
| [`metadata.annotations`][#features] | Specifies metadata that enables certain features. See the related section. | Optional |
| [`spec`][kubernetes-overview] | Specifies the configuration information for this ApiServerSource object. | Required |
| [`spec.resources`](#resources-parameter) | The resources that the source tracks so it can send related lifecycle events from the Kubernetes ApiServer. Includes an optional label selector to help filter. | Required |
| `spec.mode` | EventMode controls the format of the event. Set to `Reference` to send a `dataref` event type for the resource being watched. Only a reference to the resource is included in the event payload. Set to `Resource` to have the full resource lifecycle event in the payload. Defaults to `Reference`. | Optional |
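Review bot: The link on the new `metadata.annotations` row is written as `[...][#features]`, which is reference-link syntax with `#features` as the label. No reference with that label appears among the link definitions visible in this patch, so the cell will not render as a link to the Features section. Use the inline form that the `spec.resources` row already uses, that is `(#features)` in place of `[#features]`. The description "See the related section" would also be clearer if it named the section, for example "See [Features](#features)".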
@ -315,6 +316,35 @@ spec:
{ "extensions": { "extra": "this is an extra attribute", "additional": "42" } }
```
### Features
The ApiServerSource uses annotations to the enable certain features.
#### Skipping Permissions Check
This feature disables the RBAC permissions check done before creating
the Deployment. By default three SubjectAccessReview requests are
created per combination of resource and namespace tracked.
When enabled, this feature removes the creation of SubjectAccessReview,
reducing the pressure to the Kubernetes API when a large number of
resources or namespaces are tracked by the ApiServerSource. In this
case the ApiServerSource Deployment does not retry watch connections.
To enable it, set it to `"true"`:
```yaml
apiVersion: sources.knative.dev/v1
kind: ApiServerSource
metadata:
name: <apiserversource>
namespace: <namespace>
annotations:
features.knative.dev/apiserversource-skip-permissions-check: "true"
spec:
...
```
[kubernetes-overview]:
https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields
[kubernetes-kinds]:
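Review bot: The "Skipping Permissions Check" text does not tell the reader what is lost when the RBAC check is disabled. It says the SubjectAccessReview requests are no longer created and that "the ApiServerSource Deployment does not retry watch connections", but not what happens when the source lacks permission for a tracked resource or namespace. Please state the resulting behaviour, and that with the annotation set the operator has to verify the RBAC bindings themselves, since nothing checks them before the Deployment is created. Two wording fixes in the same section: "uses annotations to the enable certain features" should read "uses annotations to enable certain features", and "To enable it, set it to `"true"`" has no antecedent for the second "it", so name the annotation `features.knative.dev/apiserversource-skip-permissions-check` in that sentence.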