Adding beta requirements for EndpointSlice API

[robscott]

This PR updates the EndpointSlice KEP to reflect the work necessary for a beta release in 1.17. A significant portion of the changes represent updates that were made as part of the initial alpha API PR but had not yet been reflected here.

This also includes an upgrade plan for adding a new label to indicate which controller is managing an EndpointSlice. Additionally I've outlined the rationale for not choosing a CRD for EndpointSlices.

Enhancement Issue: #752

[k8s-ci-robot]

Welcome @robscott!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[robscott]

/cc @freehan

[robscott]

/cc @thockin

[thockin]

We'll need a bit more spec on what value that should take. Labels are pretty limited in what they can contain as values.

Another approach might be to add a per-owner label so the key becomes significant. E.g. endpointslice.kubernetes.io/controller-managed: "true"

This allows multiple controllers to think they own a slice, but I am not sure that will be a problem in practice.

[robscott]

Yeah it's hard to come up with the right label(s) here. Would an EndpointSlice ever become managed by a different resource? I think that's unlikely, but if it happened it would involve controllers changing labels that weren't managed by them (or like you mentioned, just letting multiple controllers try to manage a slice).

If we were to switch the important information from the value to the label (endpointslice.kubernetes.io/controller-managed: "true"), what would other related labels look like? As an example, I think kube-apiserver would be a value for endpointslice.kubernetes.io/managed-by for the initial EndpointSlice created/managed by the apiserver, would we want a separate label for that?

Assuming this is all to support additional controllers managing EndpointSlices, I think the controller-managed name might become confusing as it might seem to indicate the difference between an EndpointSlice being managed by any controller vs being created manually.

[thockin]

If I had a 3rd party controller it might be example.com/tims-cool-controller: "true"

re apiserver: whether we use label keys or values, it seems appropriate to denote that the apiserver controls its own endpoints.

By now you should know not to let me name things. endpointslice.kubernetes.io/managed-by-endpointslice-controller: "true" is just as fine. No humans will type this.

My main problem with the simpler proposal is that nothing prevents me from accidentally writing a controller called "cool-controller" and you from doing the exact same.

[thockin]

need to spec this carefully for extension

[robscott]

Should we validate this to only include a set of allowed protocols?

[howardjohn]

I don't see a need. There are an endless number of "application protocols" that we cannot really capture all of them, so we would likely just see users requesting new protocols added to the set constantly, or force to do other hacks to specify protocol as done today.

[thockin]

My thinking was that either we specify a known list and everything else is "x-whatever" or we use a label-prefix style name (my company.com/foo) or something.

It's ugly wrt conventions around naming (HTTP all caps vs company.com/name all lowercase).

Don't need to solve it here, do need to solve it I'm the API specs. One valid answer is "allow anything" (or a specific character set) and don't validate beyond that.

[thockin]

My thinking was that either we specify a known list and everything else is "x-whatever" or we use a label-prefix style name (my company.com/foo) or something.

It's ugly wrt conventions around naming (HTTP all caps vs company.com/name all lowercase).

Don't need to solve it here, do need to solve it I'm the API specs. One valid answer is "allow anything" (or a specific character set) and don't validate beyond that.

[thockin]

@wojtek-t FYI

This is unfortunate. I was hoping we could force this to embrace CRD.

[thockin]

@lavalamp @erictune @apelisse and all other CRD-ish folks.

IMO it should be possible to statically express more validation for CRDs - common types like "IP address" and "DNS subdomain" should get distinct validation and error messages.

Cross-field validation is more complex, but I'd like to make a case for simple forms of this to be statically expressed too. e.g. if("X", IPAddress, DNSDomain)

[apelisse]

cc @DirectXMan12

[DirectXMan12]

There's two angles for the "types like IP addresses" -- we can support more "format" values (used in OpenAPI to express complex built-in validation) in kube-apiserver, and some of this can be validated with regexes like:

// this is not correct, but gets the point across
// +kubebuilder:validation:Pattern=`\d{3}\.\d{3}\.\d{3}\.\d{3}`
type IPAddress string

// this would be nice if we could do it
// +kubebuilder:validation:Format=ip-address
type IPAddress string

As for dependent cross field validation, IIRC some of that was explicitly rejected, but it might be worth re-evaluating.

cc @sttts as well

[erictune]

@thockin

would rather make it easier to write validation webhooks than to try to extend OpenAPI to do cross-field validation.

[DirectXMan12]

cross-field valdiation is decently rare too, from what I've seen. Common validation for IP addresses and DNS names would be useful though.

[thockin]

Yeah, ok. I'd still like to break this but maybe not yet.

[freehan]

Using CRD sort of required a certain bootstrap sequence:

1. CRD ensured
2. controller startup.

For CRD consumers, there is no good way to wait for a CRD to showed up. Most implementations just die and wait for the restart to try again.

[thockin]

we have to address this in general, anyway

[robscott]

@thockin @dcbw @caseydavenport Can you take a look at this today? The KEP deadline for v1.17 is the end of the day, and it sounds like this graduation criteria should make it in if we want EndpointSlices to graduate to beta.

[thockin]

/lgtm
/Approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• keps/sig-network/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[thockin]

I think that having a robust suite of builtin validations is valuable. Yes, webhooks are pretty easy, but static will always be easier. In my mind, something like "IP address" is so commonly useful as to warrant this, but I admit I don't know exactly what the principle should be.

…

On Tue, Nov 5, 2019 at 4:00 PM Solly Ross ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In keps/sig-network/20190603-EndpointSlice-API.md <#1286 (comment)> : > @@ -372,6 +430,32 @@ Based on the data collected from user clusters, vast majority (> 99%) of the k8s The current Endpoints API only includes a boolean state (Ready vs. NotReady) on individual endpoint. However, according to pod life cycle, there are more states (e.g. Graceful Termination, ContainerReary). In order to represent additional states other than Ready/NotReady, a status structure is included for each endpoint. More condition types can be added in the future without compatibility disruptions. As more conditions are added, different consumer (e.g. different kube-proxy implementations) will have the option to evaluate the additional conditions. +- #### Why not use a CRD? + +**1. Protobuf is more efficient** Currently CRDs don't support protobuf. In our +testing, a protobuf watch is approximately 5x faster than a JSON watch. We used +pprof to profile 2 versions of kube-proxy using EndpointSlices and running on 2 +different nodes in a 150 node cluster as it scaled up to 15k endpoints. Over the +15 minute window, kube-proxy with JSON used 17% more CPU time, with the +difference in `StreamWatcher.receive` accounting for all of that. With protobuf +enabled, that function took 1/5th the time of the JSON implementation. + +**2. Validation is too complex** Validation of addresses relies on addressType, cross-field valdiation is decently rare too, from what I've seen. Common validation for IP addresses and DNS names would be useful though. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1286?email_source=notifications&email_token=ABKWAVAPS7XTCKME2PNX7CLQSICLNA5CNFSM4I6JJHLKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCKNJ27Q#discussion_r342859180>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABKWAVEYNQZHCR3LGGKU6JTQSICLNANCNFSM4I6JJHLA> .

[DirectXMan12]

I think "stuff that's pretty common for all the kubernetes components" meets the bill. IP addresses, DNS names, and such appear everywhere in kubernetes and are so common in running any system that it'd be hard to argue (IMO) that they were niche. Things that are used in stable APIs that have simple representations but complex validation (e.g. Quantity) are also go candidates, IMO.

[DirectXMan12]

(and yes, I realize that's not a hard policy, but it's probably a decent starting point for "what's fairly easy to agree on)