Proposal: Break up large providers by service

[negz]

What problem are you facing?

Crossplane installs a lot of CRDs. More specifically, some of the most widely used Crossplane providers install a lot of CRDs. Upbound's Official AWS Provider for example currently installs almost 800 CRDs.

Per the CRD scaling one pager, Kubernetes and the tools in its ecosystem struggle when so many CRDs are installed. The API server uses a lot of memory (around 3MB per CRD). Many tools like kubectl and libraries like client-go are designed under the assumption that only 10s of CRDs will exist, and thus rely on inefficient queries. Crossplane maintainers and others (notably @jonnylangefeld and @apelisse) have made a lot of headway into improving this situation. Unfortunately it has become evident that we can't wait for the ecosystem to catch up to our scale. Despite there being a handful of performance improvements with each new Kubernetes release it may take years for everyone to be running versions of Kubernetes and Kubernetes tooling that handles hundreds or thousands of CRDs well.

In addition to the performance issues that come with loading a lot of CRDs, per #2869, some folks have expressed security concerns about having to deploy APIs and controllers that they don't plan to use. Others have stated they just plain don't like the "bloat" of knowing that there's a bunch of superfluous things installed.

• Add ability to disable certain CRDs on installation. #2869
• Instructions on how to compile a Crossplane Provider with just a subset of the available CRDs docs#336

Per the preceding issues, some folks have started rolling their own Crossplane providers that include only the types they need. These are typically large existing providers (like provider-aws) forked and with the superfluous controllers and types removed.

How could Crossplane help solve your problem?

I propose that we break up large providers by service. That is, instead of provider-aws we would have provider-aws-rds, provider-aws-eks, etc. The goal is to lower the ratio of installed-to-used CRDs, and intuitively doing that by service seems like about the right ratio to me. Thanks to the Crossplane package manager I believe it should be possible (perhaps with a few package manager tweaks) to make for example provider-aws a "meta-package" that pulled in all of the smaller providers for backward compatibility.

I like this approach because:

• It's opt-in, rather than opt-out. You install the things you do need, as opposed to turning off the things you don't need.
• No changes would be required to the many providers that already have a low installed-to-used CRD ratio. Providers like provider-terraform and provider-helm that only have 2-3 CRDs can stay as they are.
• It increases the granularity at which providers can be updated. For example if you had to stick with a certain version of provider-aws-rds you could still update provider-aws-eks to the latest version.
• It will likely increase the scalability of providers, by sharding work across multiple provider processes (i.e. Pods).

Some examples for context. Presuming that each provider mapped to an existing API group (e.g. provider-aws-rds mapped to rds.aws.upbound.io):

• provider-aws-rds would have ~22 CRDs.
• provider-aws-eks would have ~6 CRDs.
• provider-aws-s3 would have ~23 CRDs.
• provider-aws-iam would have ~22 CRDs.

[negz]

If we do take this approach, the questions that come to mind for me are:

• What do we do with ProviderConfig and ControllerConfig? The latter is deprecated and will eventually go away, but in the meantime would this result in an explosion of ProviderConfig and ControllerConfig instances? We try to avoid different controllers (i.e. providers) "sharing" and thus being coupled by an API type - would we have ProviderConfig.rds.aws.upbound.io, ProviderConfig.eks.aws.upbound.io, etc?

• Similarly, what about the explosion of provider processes (i.e. Pods)? Using 8-10 AWS services would mean having 8-10 provider Pods deployed. In a way this could be a good thing (more concurrency), but it also means more things to operate and more compute resources.

• What about Cross Resource References? Referencing (e.g.) a VPC from and RDS instance would be a reference across providers. These kinds of references are currently "hard coded" in that the referencer needs to have type definitions for the referenced type. We could potentially have (e.g.) provider-aws-rds have the Go type definitions for a VPC CRD linked in, but this would result in a tighter coupling between providers than might be ideal. (What if you update provider-aws-rds built with the types from provider-aws-ec2:v1.1.0, but you're still running provider-aws-ec2:v0.9.0?). I think under this model I'd prefer to move to Generic Cross-Resource References #1770.

[bobh66]

It would be nice to be able to maintain the ProviderConfigs at the cloud-provider level instead of the API grouping level. We have to maintain many different ProviderConfigs for different accounts, and duplicating those across the API-group-providers would not be pleasant. Can the API-group-providers be "children" of the larger "container" provider and inherit the ProviderConfigs associated with it?

The additional provider processes don't concern me as they will all use (small) fractions of the resources that the larger providers do now. If we manage the same number of cloud resources across a dozen API group providers there will be some additional overhead but not enough to be concerned about.

[negz]

We have to maintain many different ProviderConfigs for different accounts, and duplicating those across the API-group-providers would not be pleasant.

I agree. I'm open to suggestions here. I would love it if there was some way to solve this without coupling - e.g. without provider-aws-eks and provider-aws-rds needing to take a dependency on a type (CRD) that they didn't own.

I worry that if multiple providers share a type we'll face upgrade issues - for example let's say we kept ProviderConfig all-of-AWS-scoped. Perhaps it's installed by a provider-aws-providerconfig package that is depended on by provider-aws-eks and provider-aws-rds. What if we wanted to add a new field to the ProviderConfig? Would all service-scoped providers need to update at once to support the new field? Would it be confusing if some providers were supported to understand the new field but others weren't? What about a new field value (i.e. adding a new enum value). What would providers that didn't understand the new value do when they encountered it?

[jonnylangefeld]

I agree that from a user perspective it would be nicer to just deal with one provider-aws (that is one ProviderConfig to install and ideally stay with one pod per provider, as there will be more idling resources 'wasted' if we run one pod per cloud service).

But that made me think: can't we make the on/off switches for services via changes in the already existing APIs?
I'm thinking of the Provider resource.
When you install a provider (even via CLI I believe) this resource is created and the crossplane core controller decides which CRDs to install and which Deployment (further configured by the ControllerConfig) to create.

So in the Provider resource there could be a new service field that allows to filter the services that should be installed. This field should be optional to not influence providers that don't need service filtering (like the helm and terraform providers) and also to maintain backwards compatibility.

This service field could be used by the crossplane core controller to only install a subset of the CRDs in the package. It would also need to pass this information onto the actual provider Deployment, as the actual provider binary would need to be configured to watch only a subset of service resources. This could be done either via env vars or binary flags passed onto the Deployment.

I think overall this approach would cover all the positive aspects that you mentioned initially, but also wouldn't let the amount of providers explode. The marked place would stay more lean (still one provider per cloud) and services could be switched on and off more easily by the user (just add/remove to/from the list rather than installing a new 'provider').
This is probably besides the point, but the current terminology 'provider' just fits better describing the whole cloud provider. But I think it makes total sense to have a separation by service inside that resource.

[negz]

can't we make the on/off switches for services via changes in the already existing APIs?

We could, and I think this would in many ways be the path of least resistance. I don't believe it's the best path though.

Given how popular the demand to filter/reduce the number of CRDs we install is, I'm operating under the assumption that the vast majority of folks would choose to filter what CRDs a sufficiently large provider installs.

I can think of a handful of ways to support filtering:

1. Everything is on by default, opt-out of the things you don't want.
2. Everything is off by default, opt-in to the things you do want (closest to the break up providers approach, UX wise).
3. We pick some set of the most popular services to be on by default, you tweak that list at install time.

All of these options seem to change the UX from "install the providers you need", to "install the providers you need, and if any of them are 'too big' remember to configure what parts you do or don't need to support". I can see that this is perhaps a subtle difference, but it does seem more cognitively complex to me.

The mental mapping from installed provider to documentation seems similarly more complex. Take Upbound Marketplace for example, today if I'm writing a new Composition and I know I'm running provider-aws:v0.29.0 I can go to the Marketplace and see what types (CRDs) are available to me to use in my Composition. With filtering support, I also need to check (perhaps by running kubectl describe provider.pkg?) what types my deployment supports, and mentally filter out any types from the Marketplace that aren't installed. Again, this is arguably a subtle difference vs "figure out what providers are installed", but it does seem more complicated to explain to someone.

Another perhaps more concrete concern is around dependency. Today a Configuration package can depend on a Provider package and know that all of that Provider's CRDs will be installed if the Provider itself is installed. If we make it possible to install a subset of a Provider's CRDs we break that contract. We've toyed with the idea of depending on specific versions of specific types in the past - i.e. having a Configuration depend on DatabaseInstance in rds.aws.upbound.io/v1beta1 specifically. I think we'd need to build that to make filtering work.

the current terminology 'provider' just fits better describing the whole cloud provider

I actually think this correlation is a little unfortunate - we have providers for plenty of things that aren't a cloud provider. For example provider-terraform, provider-helm, provider-kubernetes, provider-github, etc. I don't think we should factor in the fact that our providers sound like "a cloud provider" in this decision.

[uvegla]

Naively and from user experience perspective, I would say having a single provider with the ability to control CRDs - and so the resources to watch in the controller - via an allow list - default to * to keep backward compatibility - feels the most ideal. Controlling even to the specific CRD level would be nice like: buckets.s3.aws.upbound.io or to get a whole group say *.s3.aws.upbound.io. Managing providers from e.g. Flux it would be nice this way to simply extend / control what we use in given clusters by Crossplane adding the new CRDs and the new provider deployment starts watching them. One drawback here I could think of is removing a CRD / group from the allow list that actually cannot be removed, because let's say it is being used and then should the provider deployment stop managing that? Might not be very difficult to - tho possibly resource intensive - validate the allow list from an admission controller.

Introducing a bunch of version / package management could possibly lead to more overhead, incompatibility and hard to debug issues. A lot of new deployments / pods for sub-providers means harder to track / correlate what is going on based on the logs.

[piontec]

It would be nice to be able to maintain the ProviderConfigs at the cloud-provider level instead of the API grouping level.

Fully agree. I can easily imagine a use case where we need a dozen of AWS providers (iam, s3, ec2, sqs, rds - plus some monitoring around that and you're easily at 10) and having to manage ProviderConfig for each of them, with exactly the same access permissions, would be bad already. Combine that with different access permissions sets (IAM roles) on AWS side and you have naghtmare to manage. So, ideally, let's keep a single operator pod per provider, single ProviderConfig, but configurable CRD management, like @uvegla mentioned above.

[nstogner]

Greatly prefer the route of filtering installed CRDs along with enabling reconcilers within a single binary.

The ACK project went the route of 1:1 AWS-Service-to-Kubernetes-Controller-Process and IMO it has bloated the resource utilization of the system as a whole. Controller-based infrastructure systems already suffer from greater overhead when compared to point-in-time systems like terraform. This would further that divide.

IMO, following the model of the Kubernetes controller-manager with its bundled reconcilers leads a simpler and more efficient system.

[nstogner]

Consider a company that has gone all-in on using crossplane for managing infrastructure. The micro-controller based approach would lead to a very large system footprint if that company were to use multiple cloud (and ...other...) crossplane providers.