-
Notifications
You must be signed in to change notification settings - Fork 262
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Promote VisibilityOnDemand to Beta #2973
Comments
From the graduation criteria:
This is the objective of the change.
I'm not aware of users' feedback to justify the effort. We can move it to GA criteria.
Similar, I'm not aware of the feedback to justify the effort, I would suggest moving it to criteria for GA. There were also ideas for new endpoints like #2145, but it is not clear they are needed for now. I think we should be ok to graduate the API we have. We should be good to still add the new endpoints while in Beta if needed. |
An important question when graduating is whether we want to include |
/assign |
I see no downsides, so I would embed it for simplicity of deployment. |
@mimowo @alculquicondor What about QueueVisibility? Should we graduate it too? |
No, we aim to deprecate it, and remove in the long run. |
Shouldn't we add some guard that we planned in the design phase? IIUC, the current visibility endpoint, is not guarded by any mechanism. So, at least, I think it would be better to provide APF configurations, and it would be nice to have a throttling mechanism. |
If we do not provide any guards for the kube-apiserver, I guess that the internet-exposed kube-apiserver faces some dangers. Indeed, if we want to use the MultiKueue, we need to create a public k8s cluster, not a supported private cluster, right? |
I think there is a basic protection mechanism by APF, assigning one unit (seat) to every request. This may not be very accurate as listing workload may take proportionally more time.
I'm not sure how MultiKueue changes that. The single regular clusters might be public, but there is authentication which would prevent external actors. |
But I agree it requires some extra research. In particular, I it would be good to refresh the knowledge on the default protection mechanism, and see how much effort there is to provide a dedicated FlowSchema. So, I would suggest to record the findings in the KEP first before the code PR. |
I guess that it would be better to provide the kueue-sysytem namespace dedicated FlowSchema so that we can prevent the kueue-manager occupies the kube-apiserver seats when the visibility endpoints are attacked by malicious people.
Yes, that's right. But, even if the malicious people do not have the credentials to access the kube-apiserver, they can give high load to kube-apiserver via visibility endpoints. |
@mbobrovskyi is investigating this, and will summarize the findings, but from what we see the default
I don't think you can query the visibility endpoints without credentials, I would assume this would be bad and is not allowed. However, we may do an experiment on a life cluster to confirm. EDIT: note that the custom endpoints are exposed by the kube-apiserver via the aggregation layer, not directly, so the authentication & authorization mechanism is in place, similarly as the P&F. |
Anyway, we can discuss this after the summary is made public. |
I have confirmed that on GKE (and @mbobrovskyi checked on Kind) that the requests to the custom endpoint are authorized. In particular, I run:
returns me results, while if I remove the
I get the analogous error for other built-in endpoints, such as |
Yes, the Visibility API endpoints are protected by default with
I found it when I tried executing a large number of parallel requests to The |
The
The This is an example that what I have:
And also the
Possible rejection:
|
I think you right, it should help. We will have different queues that allow us to do not block Just a question. Should we have dedicated |
If we can configure the FlowScheme only for the visibility endpoint, it would be great since we want to continue the Kueue operation when the visibility endpoints are attacked by malicious people. Is it possible to configure the FliowScheme only for visibility endpoints? |
The main problem is that the visibility endpoints use the global-defaults FlowScheme since most of the controllers and workloads belong to the global defaults. So, when the global-defaults are occupied by the visibility endpoints, the cluster admin and batch users will lose way to operate cluster and themselves Jobs. |
Yes, we can configure for |
Thank you for letting me know. Could you wait for a while? Actually, we are investigating the cloud provider specifications for FlowScheme. After we resolve some questions, @mimowo will comment here or KEP PR. |
Let's continue the discussion at #3032 (comment). |
We still have a pending discussion about including P&F config: #3043 (comment). I think we may need to rework the PR to put it in docs, and update the KEP. |
What would you like to be added:
Promote the VisibilityOnDemand to Beta.
Why is this needed:
kueuectl list workload
commandCompletion requirements:
This enhancement requires the following artifacts:
The artifacts should be linked in subsequent comments.
The text was updated successfully, but these errors were encountered: