Update apiserver federation doc #261
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
On my tomorrow list. |
| admin to use it without any change to the core kubernetes repository, we | ||
| unblock these APIs. | ||
| * Place for staging experimental APIs: New APIs can remain in separate | ||
| aggregated servers until they become stable, at which point, they can be moved |
There was a problem hiding this comment.
I'm not a fan of moving APIs. I'd rather see us bless some APIs (maybe a "recommended addons" list or something?), but I don't think we should be in the business of taking people's APIs and of growing our surface area further.
| 1. In test or single-user mode. An individual developer who wants to test | ||
| their own apiserver could run their own private copy of `kube-aggregator`, | ||
| configured such that only they can interact with it. This allows for testing | ||
| both `kube-aggregator` and any custom apiservers without the potential for |
There was a problem hiding this comment.
Note that the single user mode will not proxy requests. A single user can't proxy the request because it can't terminate authentication for client certificates and then act as a front proxy (no front proxy client cert), so the functionality is reduced due to lack of knowledge.
| configured such that only they can interact with it. This allows for testing | ||
| both `kube-aggregator` and any custom apiservers without the potential for | ||
| causing any collateral damage in the rest of the cluster. | ||
| 2. In gateway mode. Each cluster should run kube-aggregator as the official |
There was a problem hiding this comment.
Can we add wording that this is the recommended cluster topology?
|
|
||
| ### Constraints | ||
|
|
||
| * Unique API groups across servers: Each API server (and groups of servers, in HA) |
There was a problem hiding this comment.
With API registration, this restriction no longer exists.
There was a problem hiding this comment.
it's by group version, updating.
| (list the suported groupVersions at `/apis` and list the supported resources | ||
| at `/apis/<groupVersion>/`) | ||
| * No bootstrap problem: The core kubernetes server should not depend on any | ||
| other aggregated server to come up. Other servers can only depend on the core |
There was a problem hiding this comment.
"other servers can only depend on the core kubernetes server" seems overly strict. They can only be guaranteed that the core kube server exists, but finding and using others doesn't seem like abuse as long as their absence is tolerated.
|
|
||
| Nothing below the `kubernetes-aggregator` can rely on the aggregator or proxy being present. | ||
| `kubernetes-aggregator` should be runnable as a pod backing a service in a well-known location. | ||
| Something like `api.kube-public.svc` or similar seems appropriate since we'll want to allow |
There was a problem hiding this comment.
I put this name in here. I like it, but I want to be sure that @lavalamp noticed it.
There was a problem hiding this comment.
I'm not in love with it but I did notice and don't have a better suggestion right now.
| `kubernetes-aggregator` should be runnable as a pod backing a service in a well-known location. | ||
| Something like `api.kube-public.svc` or similar seems appropriate since we'll want to allow | ||
| network traffic to it from every other namespace in the cluster. We could also choose to put | ||
| it in a dedicated namespace. Compromise of that namespace will expose the entire cluster since |
There was a problem hiding this comment.
Important detail here. There's no logical way around this one, but its worth pointing out.
There was a problem hiding this comment.
And to clarify, any authenticating proxy would have this issue. Given current GKE token restrictions, any aggregation API server not accepting front proxy user information for tokens won't work.
There was a problem hiding this comment.
I think I'll modify to just recommend a dedicated namespace.
|
A few comments reading through, nothing major. lgtm overall. |
Some wording stolen from @deads2k PR in the old location.
|
Updated, PTAL |
|
lgtm |
Update apiserver federation doc
Rename to aggregation.
In two commits to get the github UI to show a diff.