Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[KEP] Adding ResourceID to the discovery API #656

Merged
merged 1 commit into from
Jan 10, 2019

Conversation

caesarxuchao
Copy link
Member

@caesarxuchao caesarxuchao commented Dec 17, 2018

Proposing adding a resourceID field to every resource's discovery doc. If two resource endpoints refer the same set of objects, their resourceIDs are the same. This enables clients to detect if two resource endpoints are referring the same set of objects.

Moved from kubernetes/community#2805.

@caesarxuchao caesarxuchao self-assigned this Dec 17, 2018
@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/pm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 17, 2018
@caesarxuchao
Copy link
Member Author

/assign deads2k
/unassign

cc @lavalamp @yliaog

lavalamp had approved the idea in the original PR. @deads2k could you also take a look? Thanks.

@k8s-ci-robot k8s-ci-robot assigned deads2k and unassigned caesarxuchao Dec 18, 2018
@caesarxuchao
Copy link
Member Author

cc @liggitt

@caesarxuchao caesarxuchao changed the title [KEP] Expanding the discovery API to tell if two resource endpoints are referring the same set of objects [KEP] Adding ResourceID to the discovery API Jan 4, 2019
```

If in a future Kubernetes release, replicasets are accessible via
`fancy-apps/v1` as well, requests sent to `fancy-apps/v1` will be left
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This admission webhook case is new since we last spoke about this issue and somewhat compelling.

What would the server do with this knowledge? Check for other registrations and send fancy-app/v1 requests through conversion and then to the extistant webhooks? Do something else?

Copy link
Member Author

@caesarxuchao caesarxuchao Jan 4, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's what I expect. The apiserver should send the converted requests to the webhooks. Defaults have already been applied to the objects before they reach the admission stage, so conversion should be possible.

[edit] Do you want me to further expand on this webhook design in this KEP?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that since the webhook controller is part of the apiserver, so it doesn't need to go through the discovery doc to detect aliases, unless we encourage aggregated apiservers to provide aliasing endpoints for resources hosted by other apiservers.

admins of the admission webhooks, so it is not always possible to coordinate
cluster upgrades with webhook configuration upgrades.

#### Inaccurate resource quota counting
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm less worried about this one. It hasn't practically come up very often.

multiple endpoints.

[garbage collector]:https://github.com/kubernetes/kubernetes/tree/master/pkg/controller/garbagecollector
[storage migrator]:https://github.com/kubernetes-sigs/kube-storage-version-migrator
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not very worried about this. A few extra migrate calls (which are infrequent to begin with) isn't that big a deal.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree.

migrator][] migrates the same objects multiple times if they are served via
multiple endpoints.

[garbage collector]:https://github.com/kubernetes/kubernetes/tree/master/pkg/controller/garbagecollector
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GC today doesn't even collapse versions of the same groupresource, does it? If you're worried, you could get a lot of improvement just with that.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed this example. GC's internal graph is keyed by UIDs, so it is collapsed already.

Network bandwidth is not a concern today either, because GC is using the shared informer, unless we want to cut GC into its own binary in the future.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can revisit the GC case if we decide to pursue kubernetes/kubernetes#72192 (comment).

@deads2k
Copy link
Contributor

deads2k commented Jan 4, 2019

I think the admission webhook case is the most compelling to me. What would do with this information in that case?

Once we sort that out, I find the hash to be a reasonable implementation would would prevent abuse and avoids trying to build multi-way links.

I remember @liggitt was interested in this too. It's an unversioned API, so it's hard to take a choice back.

@caesarxuchao caesarxuchao force-pushed the storage-hash branch 3 times, most recently from c35da90 to 7aeca92 Compare January 5, 2019 00:02
@caesarxuchao
Copy link
Member Author

Thanks, @deads2k. I pushed another commit to improve the motivation section. Let me know if you think I should add more details to the webhook issue.

@deads2k
Copy link
Contributor

deads2k commented Jan 7, 2019

You'll still need to pass API review when it comes, but this works for me.

/lgtm
/hold

holding for other reviewers (no other lgtm in here yet)

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Jan 7, 2019
For aggregated resources, because their discovery doc is fully controlled
by the aggregated apiserver, the kube-apiserver has no means to validate their
`resourceID`. If the server is implemented with the generic apiserver library,
the `resourceID` will be `SHA256(<etcd key prefix>)`.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We chatted last time about adding some checks to avoid conflicts of core resources' resourceId from those aggregated resources.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lavalamp suggested that it's valid for aggregated apiservers to point to the core etcd. See kubernetes/community#2805 (comment).

## Graduation Criteria

Because the discovery API is a GA feature, to add the `resourceID` field, it
needs to be of GA quality.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

similar to the StorageVersionHash, it would go through alpha/beta before GA, right? would you document it in the documentation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. Added. PTAL. Thanks.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 7, 2019
@yliaog
Copy link

yliaog commented Jan 7, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 7, 2019
@caesarxuchao
Copy link
Member Author

Thanks @yliaog, @deads2k.

@deads2k, @yliaog had lgtm'ed, and @lavalamp only had "minor comments" with this KEP, so I'll remove the hold.

/hold cancel

@calebamiles can you help approve? Thanks.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 7, 2019
@caesarxuchao
Copy link
Member Author

@idvoretskyi @mattfarina could you help approve? Thank you.

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Jan 10, 2019
@caesarxuchao
Copy link
Member Author

Caleb told me to remove the KEP number to reduce the approvals required. KEP number is deprecated. @yliaog could you re-apply the lgtm? Thanks.

@yliaog
Copy link

yliaog commented Jan 10, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 10, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, deads2k, yliaog

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 0d6823f into kubernetes:master Jan 10, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants