Add new sections for CRD storageversion updates

[richabanker]

• One-line PR description: Add an 'Agreements' section for CRD storageversion updates

• Issue link: StorageVersion API for HA API servers  #2339

[richabanker]

cc @roycaihw

[richabanker]

cc @alexzielenski

[richabanker]

cc @jpbetz

[roycaihw]

IIUC you mean SV updates are triggered at CRD create/update watch events.

[Edited on 3/22]: To clarify, I assumed that the proposal here was also "Storageversion updates will not be triggered by CR write requests"-- which is something the old PR does. Please let me know if I misunderstood.

[roycaihw]

How do we clean up SV if a CRD is deleted?

[jpbetz]

I agree this we want to reconcile SV with CRDs.

We should be careful how we word this. I'd like to make sure we always reconcile SVs. If we take a purely edge triggered approach then if the apiserver (in a single control plane node configuration) crashes, it could miss the event. So we should perform reconciliation fully (i.e. take a level triggered approach). It's quite possible that during a relist we'll find that a SV is not reconciled with CRDs, we should update it at that time..

[richabanker]

IIUC you mean SV updates are triggered at CRD create/update watch events.

That's right. Updated to reflect the same.

[richabanker]

How do we clean up SV if a CRD is deleted?

Yeah been thinking about that. We need to introduce a delete capability. There was probably no need for a delete SV behavior for built-in resources so I guess we dont have a deleteSV() in staging/src/k8s.io/apiserver/pkg/storageversion as of now?

[roycaihw]

We need to introduce a delete capability

Agreed. Let's make sure we have a cleanup strategy

[logicalhan]

How do we clean up SV if a CRD is deleted?

Why do we need to clean up SVs when a CRD is deleted?

If a CRD is deleted, it should trigger garbage collection, which means individual CRs (of that CRD) get deleted, which means we have no corresponding entry in etcd for individual objects (of that CRD).

[richabanker]

That's a fair point. For all SV objects we make their owner ref to be the respective CRDs. So once the CRDs go away, so should the SV objects. @roycaihw WDYT?

[richabanker]

[Edited on 3/22]: To clarify, I assumed that the proposal here was also "Storageversion updates will not be triggered by CR write requests"-- which is something the old PR does. Please let me know if I misunderstood.

Yes, this is correct. I have now clearly laid out the 2 scenarios where we will be triggering SV udpates: 1. when a CRD create/update watch event is received and 2. when the apiserver is started.

[richabanker]

I'd like to make sure we always reconcile SVs. If we take a purely edge triggered approach then if the apiserver (in a single control plane node configuration) crashes, it could miss the event. So we should perform reconciliation fully (i.e. take a level triggered approach)

@jpbetz fully agreed, thanks for raising this. I have updated the KEP to reflect that we will perform SV updates in 2 scenarios:

1. edge triggered scenario: when a CRD is created/updated
2. level triggered scenario: when the apiserver starts

[roycaihw]

If a CRD is being updated to store v2 instead of v1, and two requests come in at the same time:

1. Create a new CR
2. Update the CRD to store v3 instead of v2

Which one is the latest storageversion here? v2 or v3?

[jpbetz]

For "at the same time": without a happens-before constraint, I don't think we should define the behavior.

Our guarantee should be that once a response to the CRD Update is sent, a happens-before is established, and all future CR creates store v3 (because clients can observe this ordering). After the CRD update is received and before the response is sent, storage at either version is possible.

[richabanker]

Depends on which request will be processed by the apiserver first. Following scenarios are possible:

1. CR request is received first: it will wait for the v2 update to finish.

   1a. If no new CRD update is received yet, storageversion is successfully updated to v2, and the CR is written in the latest storageversion at this point which is v2. Now the CRD update to v3 is received, and the storageversion is updated to v3.

   1b. If a new CRD update to v3 is received at this time, our async SV update loop will switch to processing the latest storageversion - v3, and will never process the v2 update. CR writes waiting for v2 update to finish will time out.

2. CRD request is received first: our async SV update loop switches to processing the v3 update. IF now a CR request is received, it will wait for v3 update to finish and will be served in the latest storageversion at this point, v3.

[jpbetz]

I agree this we want to reconcile SV with CRDs.

We should be careful how we word this. I'd like to make sure we always reconcile SVs. If we take a purely edge triggered approach then if the apiserver (in a single control plane node configuration) crashes, it could miss the event. So we should perform reconciliation fully (i.e. take a level triggered approach). It's quite possible that during a relist we'll find that a SV is not reconciled with CRDs, we should update it at that time..

[jpbetz]

For "at the same time": without a happens-before constraint, I don't think we should define the behavior.

Our guarantee should be that once a response to the CRD Update is sent, a happens-before is established, and all future CR creates store v3 (because clients can observe this ordering). After the CRD update is received and before the response is sent, storage at either version is possible.

[jpbetz]

I don't think it's possible to always avoid this situation. I do think it's possible to always update the CRD handler before SV updates, but I don't think we can guarantee atomicity of the CRD handler update and SV update (consider network partitions or process crashes happening at inconvenient times). So while it seems nice to try to get the storageversion upgraded in the happy path, I think we need to also to tolerate the skew.

[jpbetz]

IF we wan't to hold all writes indefinitely until SV is updated, we should spell out the requirements carefully. What happens on apiserver startup when a CRD has been updated to a new storage version but the SV hasn't been updated yet. What happens when updating the SV and the request times out?

In both cases, my understanding is that we loose some form of availability of the CRD until the SV update completes. we should call that out in the limitations and say exactly what is unavailable (CR writes only?).

[richabanker]

What happens on apiserver startup when a CRD has been updated to a new storage version but the SV hasn't been updated yet. What happens when updating the SV and the request times out?

As discussed on chat, we will ensure that SVs are always reconciled when the server is started/restarted before we serve any CR writes.
I have updated this part to explicitly state the 2 scenarios where we will take an outage on CR write requests.

About the SV update timing out, I have included a line saying we will reattempt the update a certain number of times before failing the SV udpate and consequently the dependent CR writes. Does this look ok?

[Jefftree]

This is slightly different than built-ins right? Built-in blocking can only occur once on apiserver startup while CR writes can be blocked every time a CRD is updated? Nothing wrong with maintaining the same approach, just something to consider.

[richabanker]

That's right, for CRDs - we will always block new CR writes until the latest SV update is finished. Allowing CR writes while the SV update is pending can cause problems like the old handler not being able to understand the new CRD version that may be persisted in etcd by another server.

[richabanker]

cc @deads2k @liggitt for their thoughts

[jpbetz]

/lgtm

Looks like all my concerns are addressed. I think this reflects my understanding of how it should work.

[alexzielenski]

Curious about the meaning of "published" in this context. Does this imply that any future reads of the StorageVersion resource are guaranteed to reflect the update? (asking as I am not sure myself about what guarantee the apiserver itself provides when it responds to the UPDATE request)

[richabanker]

Does this imply that any future reads of the StorageVersion resource are guaranteed to reflect the update?

yes, this was the intention for this statement. That once a CRD update happens, and its storageversion has been updated(or published to the SV API) only then will we unblock the CR writes.

[sftim]

What's an “agreement” in this context?

[richabanker]

Like a contract/principles that we propose to use while processing CR / CRD requests that may need to interact with the possible storageversion updates (for the same CRD) happening in parallel.

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: richabanker
Once this PR has been reviewed and has the lgtm label, please ask for approval from jpbetz. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-api-machinery/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deads2k]

it's pretty detailed and I'm open to change as we go, but it seems like a reasonable place to start.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.