Add reference documentation for built-in controllers #15374
Conversation
k8s-ci-robot
added
sig/apps
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/assign @zparnold |
|
@bradtopol I'd welcome your feedback on this. |
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit c96ed15 https://deploy-preview-15374--kubernetes-io-master-staging.netlify.com |
There was a problem hiding this comment.
Phew, this was a big one :)
Mostly awesome work on this @sftim. I have a number of inline suggestions, but the biggest ones are around separating out information that is implementation details about the controllers from information that is more end-user oriented that explains how to use the different objects like Job, Deployment, StatefulSet. I think that kind information -- the more end-user oriented -- best belongs in the concepts/workloads/ documentation.
Anyway, love to hear your thoughts on my comments.
Best,
-jay
| @@ -0,0 +1,39 @@ | |||
| --- | |||
There was a problem hiding this comment.
recommend naming the file volume-attach-detach.md instead of just attach-detach.md. You never know, we could get additional attaching-detaching controllers in the future. :)
There was a problem hiding this comment.
In that case, I should probably rename all the controller documents based on the subdirectory they're in in the kubernetes/kubernetes source code.
Which I will do.
There was a problem hiding this comment.
I have a better idea. I will rename them based on the names visible to cluster operators, as per --controllers in https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
(these must also be in the source code, so I'll see if I can spot how that's done)
| to detach it. | ||
|
|
||
| Different nodes might have different ways of attaching volumes, and different | ||
| Volumes can have different values for VolumeNodeAffinity, so the decision |
There was a problem hiding this comment.
Consider linking VolumeNodeAffinity to https://kubernetes.io/docs/concepts/storage/persistent-volumes/#node-affinity.
This sentence is hard for me to understand, though, in particular the part "so the decision around volume attachment happens after scheduling." What specifically are you conveying here? Are you trying to say that normally node affinity constraints are handled by the scheduler, but in some cases node affinity constraints are handled on the node instead?
|
|
||
| This controller limits the quantity of objects that can be created in a namespace | ||
| by object type, as well as the total amount of compute resources that may be | ||
| consumed by resources in that project. |
There was a problem hiding this comment.
"that project" is used, but there is no mention of "project" earlier in the paragraph. This is likely due to legacy Google-specific terminology? Probably best to rephrase it here.
| The controller constructs the pod name label valuebased on a pattern: | ||
| `$(statefulset name)-$(ordinal)`. | ||
|
|
||
| ### Storage |
There was a problem hiding this comment.
Similar to Deployment and Job, I think much of the remainder of this page should be in a concepts/workloads/statefulset.md document that is written from an end-user or object reference perspective. And leave this doc for implementation specifics about the controller itself.
| of expired Jobs can still happen, even if you requested a longer TTL | ||
| and you saw a successful API response to your update request. | ||
|
|
||
| ## Time skew |
There was a problem hiding this comment.
this probably belongs in this document since it's implementation details about the controller itself.
| its dependent objects together with it. Note that when the resource is deleted, | ||
| its lifecycle guarantees, such as finalizers, will be honored. | ||
|
|
||
| The TTL seconds can be set at any time. Here are some examples for setting the |
There was a problem hiding this comment.
From here down in this section kind of feels like it belongs in a concepts/workloads/job.md document that is more oriented to the end user than the person interested in how the controller works under the hood.
sftim
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
My last kubecon talk was almost exactly about this: https://youtu.be/zCXiXKMqnuE |
sftim
force-pushed
the
20190711_add_controller_reference_pages
branch
from
44a63a9 to
038645a
Compare
sftim
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
What do you reckon @jaypipes? How's this now? |
@lavalamp a good talk, too! Please do let me know if I've got any details wrong. |
|
|
||
| ### Namespace lifecycle controller {#controller-namespace} | ||
|
|
||
| When you (or any Kubernetes API client) remove a {{< glossary_tooltip term_id="namespace" >}}, |
|
|
||
| ### Taints and Tolerations | ||
|
|
||
| the controller automatically adds the following |
There was a problem hiding this comment.
nit: Capitalize "The controller"
sftim
force-pushed
the
20190711_add_controller_reference_pages
branch
2 times, most recently
from
d432671 to
7cf5a57
Compare
|
hello, @sftim. I am in the process of reading through the files 😄 . My initial impression is that this will serve as a nice resource. Since the list of controllers is long and you have categorized some of the controllers on the New Controllers root page preview |
|
|
||
| ## Resource management controllers {#controllers-resource-management} | ||
|
|
||
| * [Resource quota controller](/reference/access-authn-authz/admission-controllers/#resourcequota) |
There was a problem hiding this comment.
@sftim don't you need a /docs too ?
|
|
||
| When kubelet is setting up on a new node, kubelet will generate a CSR and submit it | ||
| to the Kubernetes API server using its | ||
| [bootstrap](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) |
There was a problem hiding this comment.
@sftim pls use the relative url so it does work for localization too ;)
| all the pods from the node (using graceful termination) if the node continues | ||
| to be unreachable. (The default timeouts are 40s to start reporting | ||
| ConditionUnknown and 5m after that to start evicting pods.) The node controller | ||
| checks the state of each node every `--node-monitor-period` seconds. |
There was a problem hiding this comment.
@sftim imo i'd turn into a number list the first, second and third roles, easy to read
|
|
||
| In most cases, node controller limits the eviction rate to | ||
| `--node-eviction-rate` (default 0.1) per second, meaning it won't evict pods | ||
| from more than 1 node per 10 seconds. |
There was a problem hiding this comment.
@sftim imo i find that we could maybe reword it a bit like
won't evict pods from more than 1 node during 10 seconds window
| of the the DaemonSet the Pod belongs to. | ||
|
|
||
| If it's managing a Pod on a Node that no longer matches the DaemonSet, | ||
| or where the Node no longer exists, the controller will remove that Pod. |
| {{% /capture %}} | ||
|
|
||
| {{% capture body %}} | ||
|
|
There was a problem hiding this comment.
General comment for all pages:
Can you add a ## Controller behavior section so that the content is consistent with the other pages?
| {{% capture overview %}} | ||
|
|
||
| One of a pair of controllers for the {{< glossary_tooltip text="ServiceAccount" term_id="service-account" >}} | ||
| resource. |
There was a problem hiding this comment.
remove resource?
A ServiceAccount Token Controller generates and assigns API access tokens for a ServiceAccount.
sftim
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
|
This should help a little with (closed) issue #10160, about documenting NodeLease. |
sftim
force-pushed
the
20190711_add_controller_reference_pages
branch
2 times, most recently
from
2ef10d7 to
f884084
Compare
| runs separately from the kube-controller-manager. This separation helps | ||
| with control plane performance. | ||
|
|
||
| The controllers that run inside kube-controller-manager are: |
There was a problem hiding this comment.
The transition on the page from "The controllers that run inside kube-controller-manager are:" to then going to a bold heading of "Controllers for running workloads on Kubernetes" looks really weird. Check out https://kubernetes.io/docs/setup/ which shows a nice transition from a list of topics (Learning Environment, Production environment) to their sections below the introductory paragraph. The https://kubernetes.io/docs/concepts/ also as some nice examples of how to do this as well
There was a problem hiding this comment.
Thanks for your feedback on this.
sftim
force-pushed
the
20190711_add_controller_reference_pages
branch
from
f884084 to
bab6332
Compare
|
Something that occurred to me a little while ago: possibly, this documentation could live as reference documentation in kubernetes/kubernetes I'll continue with this approach for now, if people reading this like the above idea though I can look into taking a different tack. |
|
Didn't get round to this yet. I still plan to! |
sftim
force-pushed
the
20190711_add_controller_reference_pages
branch
from
bab6332 to
c96ed15
Compare
|
@sftim Please feel free to reopen this when you're ready! /close |
|
@zacharysarah: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retitle Add reference documentation for built-in controllers |
k8s-ci-robot
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Rebased & tweaked |
|
@sftim: Failed to re-open PR: state cannot be changed. The 20190711_add_controller_reference_pages branch was force-pushed or recreated. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Relevant to issue #4135.
Add a reference section that lists the built-in controllers and explains what each of them does.
This change fits in with an idea I have to restructure https://kubernetes.io/docs/concepts/workloads/
People developing things to deploy on Kubernetes need to understand that there is (eg) a Deployment resource; it doesn't matter as much how the Deployment resource gets translated into API actions like creating or removing ReplicaSet objects. Some resources happen to involve more than one controller (eg Job with the Job controller and the TTL-after-finished controller).
If you are interested in looking behind the scenes, I think it helps to have all kube-controller-manager controllers listed in one place, no matter what kind of resource they interact with (Endpoint? ReplicaSet? Namespace?)
/sig apps
You can see this change in broader context by viewing the deployment preview for PR #15373 (or looking at the list of files changed there, etc).
Credit to @lavalamp for the excellent Kubecon talk that helped me a lot with drafting these documents.