-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP-4764: Kubectl supports WatchList to list resources #4767
base: master
Are you sure you want to change the base?
Conversation
xuzhenglun
commented
Jul 18, 2024
- One-line PR description: kubectl supports WatchList to list resources
- Issue link: kubectl supports WatchList to list resources #4764
- Other comments:
/hold I just found that But there is a problem(see kubernetes/kubernetes#126206) with the current implementation, that is, when ServerPrint is enabled, the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Here are some suggestions for the text.
I've matched the style guide we use for documentation; our logical API verbs, such as watch, are usually written in lowercase bold.
(the HTTP-level verbs, such as HEAD or POST, or GET at HTTP level, are written uppercase without bold)
--> | ||
|
||
###### Will enabling / using this feature result in any new API calls? | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
💭 Is there a way for the denial of the watch to include a hint that a list would also fail;
for example, this hint could be included whenever sendInitialEvents
is set and the API server is able to dry-run
check the equivalent list verb.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't quite understand what you mean by hint?
When watchlist failed, we can give a warning message and then fallback to list. And When rolling back to list, the behavior of kubectl should be consistent with the existing behavior, that is, the results of list are returned. I'm not sure about what this hint used to tell user?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh I see the point now. you mean when the watchlist fails, the error is returned with a hint, to tell the client list would also fail. so it's unnecessary for client to try list again. Did I understand correctly?
I don't believe that we have a easy solution for this. As in my understand, this case can only happen when user have no permission to list resource. however, URL query parameters are decoded in the Handler
, but authz happens before that, in the Filters
.
A simpler and feasible solution is to initiate a SubjectAccessReview
during watchlist and return the result as Hint. However, this will bring additional consumption to all watchlist, and it seems to be not much different from the client re-initiating the list request. After all, if the failure is caused by authz, the list has not actually started processing at this time, and it will not consume too many resources.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or we can consider the watch permission as a superset of the list permission. After all, users with the watch permission actually already have the list permission. In this case, as long as the user can pass the watch authz, they will be able to perform subsequent list operations for sure.
However, this is an incompatible change. I am not sure it is appropriate to discuss it in this KEP.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kind of. WatchList
is a client method not a logical API verb, though (so WatchList
calls either watch or list).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's resolve this. I used the 💭 emoji in #4767 (comment) to try to imply that this was an aside, rather than any kind of blocking feedback.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh, I see. thanks for your explanation. 😊
What do you think that if the API server only initiates "SubjectAccessReview" when "WatchList" is disabled or permission is denied? this could minimize the extra authz query.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's how I'd imagined it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I will update KEP later to describe this. But let's focus this the basic feature in alpha, and make sure finish this enhancement this before Beta? After all, I think this feature needs to be in alpha for at least several versions. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What we discussed earlier have been updated into the KEP. PTAL
001c1be
to
7ada715
Compare
<<[UNRESOLVED Will **watchlist** replace **list** completely]>> | ||
**watchlist** was first released in version 1.27 and is still in the alpha stage, with continuous improvements | ||
over the subsequent releases. For a feature in such an early stage, it is too soon to say whether we will fully | ||
rely on it without other fallback mechanisms. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kube-apiserver will support LIST requests forever for backward compatibility reasons.
But we expect that most clients (and libraries) will actually evolve towards using watchlist once this is graduated to GA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand that API server will support List forever, but I'm not sure should we use List
in client-side forever? or in far far future, client-go
and kubectl
will not send List
to API Server, but only Watch
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes - I think the things like kubectl
should eventually migrate to WatchList
objects changed events. A special `BOOKMARK` event with annotation `k8s.io/initial-events-end=true` will be sent | ||
at the end to indicate the completion of the initial object push. | ||
|
||
Therefore, where kubectl originally performed a **list** operation using `List`, we can implement a new |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of managing the appropriate parameters in kubectl, you should rely on internal client-go implementation that can decide itself whether watchlist can be usef for a given request.
And you achieve it effectively by setting client-go feature gate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with that we should rely on internal client-go
implementation to decide. However, due to current implementation issue, kubectl cannot directly use this feature-gate, which is what this KEP attempts to solve.
as we can see https://github.com/kubernetes/kubernetes/blob/fe3772890f650f9bcf020b43dc5a51fab0fa17f4/staging/src/k8s.io/cli-runtime/pkg/resource/helper.go#L108, kubectl use Do
and Get
method to list resource, not List
. so the auto switch mechanism in client-go
seems will not work here.
I described the introduction of a new environment variable earlier because I thought kubectl needed an independent switch to control it. If this is not necessary, I completely agree to reuse the environment variable switch in client-go
to achieve this purpose. I will update KEP soon later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just updated the KEP to clarify this part. PTAL
/cc @p0lyn0mial @deads2k |
at the end to indicate the completion of the initial object push. | ||
|
||
This mechanism has been integrated into `client-go` in 1.31, and users who use typed or dynamic client can get | ||
this for free by setting env `KUBE_FEATURE_WatchListClient=true`. But unfortunately, in current implementation, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does kubectl
have a concept of feature gates ?
would it be more practical to set an env var or a command line option to disable a faulty feature ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, It has its own env feature-gate mechanism. But the basic idea is the same, relying on an env vairble to decide which code path to run. so in my understand, the key point is what the env name we should use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I user of kubectl
how do I disable faulty KUBE_FEATURE_WatchListClient
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In alpha
stage, this feature is disabled by default. User who want to enable it need to set env variable KUBE_FEATURE_WatchListClient=true
to enable this feature.
In the future, when it enables by default in beta
stage, user can disable this feature by set env variable KUBE_FEATURE_WatchListClient=false
explicitly.
|
||
This mechanism has been integrated into `client-go` in 1.31, and users who use typed or dynamic client can get | ||
this for free by setting env `KUBE_FEATURE_WatchListClient=true`. But unfortunately, in current implementation, | ||
`kubectl` doesn't not use dynamic or typed client to list resource, it use raw `rest` client. So the auto switching |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could kubectl
actually use client-go
instead of the raw rest client ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wish it could, but in my understanding, there is no easy way to do so. kubectl
uses resource names instead of kinds to fetch resources. Even if it's possible, it will still be a big change.
660fe1f
to
2e78692
Compare
@wojtek-t @p0lyn0mial @deads2k @sftim Hi 👋 , Any suggestion I will be really appreciate. |
/reopen |
@xuzhenglun: Failed to re-open PR: state cannot be changed. There are no new commits on the xuzhenglun:master branch. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/reopen |
@xuzhenglun: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: xuzhenglun The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
1 similar comment
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: xuzhenglun The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
sorry for the noise of closing and reopening, there was a slight problem when I was doing rebase. I was thinking about the environment variable naming thing. As a PTAL is there anything need to do, I really want to make this happen in the next release cycle. |
@xuzhenglun Hey, I think we should hold off on this KEP until the streaming feature graduates to Beta. There are still things that need to be fixed, which might slightly change the code, especially on the client side. For the streaming API, we are targeting 1.32. |
sure, as the conclusion in the last sig-cli meeting, this KEP will not merge any code only until watchlist is promoted into beta.
https://docs.google.com/document/u/0/d/1I1UFGHMDO7mMbDbioQp52DEJXEhk1qymch3qL5-EN10/mobilebasic
Please take your time to deal with that, and I will continue this enhancement once it’s resolved. Thank you.
|
hi @soltysh, |
I'll try to find some time in the next weeks, but most likely after KubeCon NA. |
hi @soltysh, |
Hi, @soltysh could you please take a look this if possiable? or does some else could help to review this enhancement? |