-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[KEP] Adding ResourceID to the discovery API #656
Conversation
5467bcf
to
4693052
Compare
cc @liggitt |
``` | ||
|
||
If in a future Kubernetes release, replicasets are accessible via | ||
`fancy-apps/v1` as well, requests sent to `fancy-apps/v1` will be left |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This admission webhook case is new since we last spoke about this issue and somewhat compelling.
What would the server do with this knowledge? Check for other registrations and send fancy-app/v1 requests through conversion and then to the extistant webhooks? Do something else?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that's what I expect. The apiserver should send the converted requests to the webhooks. Defaults have already been applied to the objects before they reach the admission stage, so conversion should be possible.
[edit] Do you want me to further expand on this webhook design in this KEP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that since the webhook controller is part of the apiserver, so it doesn't need to go through the discovery doc to detect aliases, unless we encourage aggregated apiservers to provide aliasing endpoints for resources hosted by other apiservers.
admins of the admission webhooks, so it is not always possible to coordinate | ||
cluster upgrades with webhook configuration upgrades. | ||
|
||
#### Inaccurate resource quota counting |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm less worried about this one. It hasn't practically come up very often.
multiple endpoints. | ||
|
||
[garbage collector]:https://github.com/kubernetes/kubernetes/tree/master/pkg/controller/garbagecollector | ||
[storage migrator]:https://github.com/kubernetes-sigs/kube-storage-version-migrator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not very worried about this. A few extra migrate calls (which are infrequent to begin with) isn't that big a deal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree.
migrator][] migrates the same objects multiple times if they are served via | ||
multiple endpoints. | ||
|
||
[garbage collector]:https://github.com/kubernetes/kubernetes/tree/master/pkg/controller/garbagecollector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GC today doesn't even collapse versions of the same groupresource, does it? If you're worried, you could get a lot of improvement just with that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed this example. GC's internal graph is keyed by UIDs, so it is collapsed already.
Network bandwidth is not a concern today either, because GC is using the shared informer, unless we want to cut GC into its own binary in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can revisit the GC case if we decide to pursue kubernetes/kubernetes#72192 (comment).
I think the admission webhook case is the most compelling to me. What would do with this information in that case? Once we sort that out, I find the hash to be a reasonable implementation would would prevent abuse and avoids trying to build multi-way links. I remember @liggitt was interested in this too. It's an unversioned API, so it's hard to take a choice back. |
c35da90
to
7aeca92
Compare
Thanks, @deads2k. I pushed another commit to improve the |
7aeca92
to
a302735
Compare
You'll still need to pass API review when it comes, but this works for me. /lgtm holding for other reviewers (no other lgtm in here yet) |
For aggregated resources, because their discovery doc is fully controlled | ||
by the aggregated apiserver, the kube-apiserver has no means to validate their | ||
`resourceID`. If the server is implemented with the generic apiserver library, | ||
the `resourceID` will be `SHA256(<etcd key prefix>)`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We chatted last time about adding some checks to avoid conflicts of core resources' resourceId from those aggregated resources.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lavalamp suggested that it's valid for aggregated apiservers to point to the core etcd. See kubernetes/community#2805 (comment).
## Graduation Criteria | ||
|
||
Because the discovery API is a GA feature, to add the `resourceID` field, it | ||
needs to be of GA quality. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
similar to the StorageVersionHash, it would go through alpha/beta before GA, right? would you document it in the documentation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. Added. PTAL. Thanks.
a302735
to
c1b2f8b
Compare
/lgtm |
@deads2k, @yliaog had lgtm'ed, and @lavalamp only had "minor comments" with this KEP, so I'll remove the hold. /hold cancel @calebamiles can you help approve? Thanks. |
@idvoretskyi @mattfarina could you help approve? Thank you. |
c1b2f8b
to
d6a9c14
Compare
Caleb told me to remove the KEP number to reduce the approvals required. KEP number is deprecated. @yliaog could you re-apply the lgtm? Thanks. |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: caesarxuchao, deads2k, yliaog The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Proposing adding a
resourceID
field to every resource's discovery doc. If two resource endpoints refer the same set of objects, theirresourceID
s are the same. This enables clients to detect if two resource endpoints are referring the same set of objects.Moved from kubernetes/community#2805.