Add docs for ApplySet-based pruning in kubectl apply #39818
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
the
size/S
k8s-ci-robot
added
the
area/blog
k8s-ci-robot
added
language/en
k8s-ci-robot
added
size/M
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/cc @justinsb |
|
|
||
| **Authors:** Katrina Verey (Shopify) and Justin Santa Barbara (Google) | ||
|
|
||
| PLACEHOLDER: blog post for KEP http://git.k8s.io/enhancements/keps/sig-cli/3659-kubectl-apply-prune |
There was a problem hiding this comment.
@justinsb assuming we do want to propose a blog post, should we do it later? If I've understood correctly, the main feature docs are due next Tuesday (Mar 21), but blog posts are due April 4.
There was a problem hiding this comment.
Due date for blog placeholders was the 8th of March - see https://github.com/kubernetes/sig-release/tree/master/releases/release-1.27
KnVerey
changed the title
|
/retitle Add blog article to announce ApplySet-based pruning in kubectl apply |
k8s-ci-robot
changed the title
content/en/blog/_posts/2023-04-11-introducing-applyset-pruning.md
Outdated
Show resolved
Hide resolved
sftim
changed the title
|
/hold The blog article should be a separate PR so that we can review it in isolation (and can ship v1.27 regardless of progress on post-release blogs). OK to unhold once the blog part is gone from this PR. |
k8s-ci-robot
added
the
do-not-merge/hold
There was a problem hiding this comment.
My biggest concern is wrt to documenting alpha labels, I'd probably pull them together with the rest of the description, so it's clear they are part of alpha or skip it for now.
Alternative, we need an alpha tag next to the labels, so it's clear they should not be relied on, yet, since based on the warning they might change.
| {{< feature-state for_k8s_version="v1.27" state="alpha" >}} | ||
|
|
||
| {{< warning >}} | ||
| `kubectl apply --prune --applyset` is in alpha, and backwards incompatible |
There was a problem hiding this comment.
This warning is why I'd probably not document the labels in the other file, not yet. If we decide to go with a resource, rather than label it'll be confusing and we'll have users relying on alpha feature, which is not plainly obvious in that other file.
There was a problem hiding this comment.
I'm fine documenting it here, under the alpha tag, if there's a desire.
There was a problem hiding this comment.
We register labels or annotation as soon as released code might either set them or heed them.
If someone sees a label set on an object and we've not documented that label, it doesn't leave as good an impression.
There's another aspect too: keys are “insta-durable” in as much as the first use we make of them, we're on the hook forever to explain what that label does or did mean. Plenty of the well-known labels are documented as deprecated, but a bit like with stable APIs, once they're registered we never delete the registration.
If it's helpful to, we can:
-### applyset.k8s.io/tooling
+### applyset.k8s.io/tooling (alpha) {#applyset-k8s-io-tooling}and similar, to mark that the key is alpha. No problem there. Notice how I overrode the fragment identifier so that bookmarks etc still work after graduation to beta or stable.
content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
Outdated
Show resolved
Hide resolved
|
|
||
| {{< warning >}} | ||
| You must be careful when using this command, so that you | ||
| do not delete objects unintentionally. | ||
| Only use this if you know what you are doing. You must be careful when using this command, so that you do not delete objects unintentionally. For more information on the problems with this command, see the [Current Implementation](git.k8s.io/enhancements/keps/sig-cli/3659-kubectl-apply-prune#current-implementation) section of the ApplySet KEP. |
There was a problem hiding this comment.
| Only use this if you know what you are doing. You must be careful when using this command, so that you do not delete objects unintentionally. For more information on the problems with this command, see the [Current Implementation](git.k8s.io/enhancements/keps/sig-cli/3659-kubectl-apply-prune#current-implementation) section of the ApplySet KEP. | |
| Take care when using `--prune` with `kubectl apply` in allow list mode. The kubectl command must dynamically discover | |
| and infer which objects should be removed as part of the prune operation, and the heuristics for this | |
| can sometimes mean that kubectl deletes objects that did not require pruning. |
There was a problem hiding this comment.
The reverse is also true--it can orphan objects that should have been pruned. And user choices regarding the allowlist and labels flags can also cause and/or exacerbate either issue.
content/en/docs/tasks/manage-kubernetes-objects/declarative-config.md
Outdated
Show resolved
Hide resolved
|
|
||
| ```shell | ||
| kubectl apply -f <directory/> --prune -l <labels> | ||
| kubectl apply -f <directory/> --prune -l <labels> --prune-allowlist=<gvk-list> | ||
| ``` | ||
|
|
||
| {{< warning >}} | ||
| Apply with prune should only be run against the root directory | ||
| containing the object configuration files. Running against sub-directories |
There was a problem hiding this comment.
Optional extra fix:
containing the object manifests. Running against sub-directories
|
|
||
| {{< feature-state for_k8s_version="v1.27" state="alpha" >}} | ||
|
|
||
| {{< warning >}} |
There was a problem hiding this comment.
Use a note or a caution here. Warning is for “this could break your cluster if you don't get it right”; if that's really the casefor apply set pruning, I think we should probably revert it until we're more confident.
There was a problem hiding this comment.
This is just intended as a standard alpha warning, so I'll switch it to caution I guess? This feature is more dangerous than others not because it is incomplete or particularly immature or anything like that; simply because its purpose is to perform destructive actions (deletions), which makes misunderstandings/misuse more consequential. Our unit test coverage is very good (MUCH better than what's there for allowlist-based pruning), and we have a basic multi-step e2e in place as well.
| {{< feature-state for_k8s_version="v1.27" state="alpha" >}} | ||
|
|
||
| {{< warning >}} | ||
| `kubectl apply --prune --applyset` is in alpha, and backwards incompatible |
There was a problem hiding this comment.
We register labels or annotation as soon as released code might either set them or heed them.
If someone sees a label set on an object and we've not documented that label, it doesn't leave as good an impression.
There's another aspect too: keys are “insta-durable” in as much as the first use we make of them, we're on the hook forever to explain what that label does or did mean. Plenty of the well-known labels are documented as deprecated, but a bit like with stable APIs, once they're registered we never delete the registration.
If it's helpful to, we can:
-### applyset.k8s.io/tooling
+### applyset.k8s.io/tooling (alpha) {#applyset-k8s-io-tooling}and similar, to mark that the key is alpha. No problem there. Notice how I overrode the fragment identifier so that bookmarks etc still work after graduation to beta or stable.
Co-authored-by: Tim Bannister <[email protected]>
KnVerey
requested review from
sftim
and removed request for
justinsb,
onlydole,
nate-double-u and
shannonxtreme
|
Updated with the standard prefix since kubernetes/kubernetes#116780 is fully approved for merge into 1.27. |
| Used on: Objects being used as ApplySet parents. | ||
|
|
||
| Use of this annotation is alpha. | ||
| For Kubernetes version {{< skew currentVersion >}}, you can use this annotation on Secrets, ConfigMaps, or custom resources if the {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} defining them has the `applyset.kubernetes.io/is-parent-type` label. |
There was a problem hiding this comment.
Please help wrap the long lines for the benefits of downstream localization teams.
For example:
| For Kubernetes version {{< skew currentVersion >}}, you can use this annotation on Secrets, ConfigMaps, or custom resources if the {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} defining them has the `applyset.kubernetes.io/is-parent-type` label. | |
| For Kubernetes version {{< skew currentVersion >}}, you can use this annotation on | |
| Secrets, ConfigMaps, or custom resources if the | |
| {{< glossary_tooltip term_id="CustomResourceDefinition" text="CustomResourceDefinition" >}} | |
| defining them has the `applyset.kubernetes.io/is-parent-type` label. |
There was a problem hiding this comment.
Is there an explanation of what the desired wrapping is, or perhaps automation (like a make task) that can take care of the toil if this is required? I'm also curious why that helps localization.
There was a problem hiding this comment.
We have a script that identifies lines that have changed. Long lines don't work well with that.
It'd be nice to see this wrapped (eg at around 100 characters). Can happen after this merges.
|
|
||
| Part of the specification used to implement [ApplySet-based pruning in kubectl](/docs/tasks/manage-kubernetes-objects/declarative-config/#alternative-kubectl-apply-f-directory-prune). This annotation is applied to the parent object used to track an ApplySet to extend the scope of the ApplySet beyond the parent object's own namespace (if any). The value is a comma-separated list of the names of namespaces other than the parent's namespace in which objects are found. | ||
|
|
||
| ### applyset.kubernetes.io/contains-group-resources (alpha) {#applyset-kubernetes-io-contains-group-resources} |
There was a problem hiding this comment.
Maybe a shorter anchor is good enough?
| ### applyset.kubernetes.io/contains-group-resources (alpha) {#applyset-kubernetes-io-contains-group-resources} | |
| ### applyset.kubernetes.io/contains-group-resources (alpha) {#applyset-contains-group-resources} |
There was a problem hiding this comment.
These aren't priced by the byte, you know. The fragment identifies in this page are typically quite long. I think it's OK. The important bit is that they're stable.
|
Hello, Comms Shadow for the 1.27 release here. This feature blog is tracked for release, the deadline for submitting the draft is 4th of April- the sooner the better since there's still editing to be done afterwards 😃 Any doubt, the Comms team is here to help. CC @harshitasao |
|
@Nancy-Chauhan I originally included the blog post placeholder on this PR by mistake, but it is now in #40070. This PR is just the docs. /remove-area blog |
k8s-ci-robot
removed
the
area/blog
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: b0f6052c4ff05be02f412272023c98322c3d0edc
|
|
I previewed this locally. It builds OK. /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
* Documentation for ApplySet-based pruning (KEP3659) * Apply suggestions from code review Co-authored-by: Tim Bannister <[email protected]> * Add ApplySet labels and annotations to well-known list * Minor fixups * Address feedback on label/annotation listing * Apply suggestions from code review Co-authored-by: Tim Bannister <[email protected]> * fix label vs annotation copy-paste errors * Update prefix to kubernetes.io --------- Co-authored-by: Tim Bannister <[email protected]>
Docs for KEP 3659: https://git.k8s.io/enhancements/keps/sig-cli/3659-kubectl-apply-prune.
KEP issue: kubernetes/enhancements#3659
Screenshots as of Mar 21, commit 07b2089: