v2 API proposal "desired vs actual"

[thockin]

This has come up a bunch in a lot of small ways, and my mind keeps coming back to this idea, so I want to write it down.

In early early kube API we had desired and actual (or something like that) structs. Since they were the same struct there were a bunch of things in the struct that were things we didn't want users to set (which eventually became status) and other problems. As we changed to spec+status, we lost the concept of "actual" and just folded it into spec.

This conflates a couple of ideas and makes it hard to distinguish what the user actually asked for from what was assigned to them. I am proposing we reinstate that distinction.

I propose that every top-level object (all of them, not just the ones that make sense RIGHT NOW) holds 4 fields (plus ObjectMeta):

• metadata - same meaning as today
• spec - what the user asked for, with API-defined defaults applied AND NOTHING ELSE. Every field is available to users.
• actual - the exact same structure as spec, but with other fields populated by the system (e.g. nodeName when scheduled, clusterIP when auto-assigned, and so on)
• status - same meaning as today

If a user wants to save a pod and move it to another cluster, spec is what they want. If a piece of software wants to know how a pod is operating, actual and status are what they want.

I chose this layout (which changes the meaning of spec because I figured it makes it easier on users to change over, while making it harder for system components (change to actual). This may be wrong, but it's not obvious. An alternative would be that spec means "actual" and request means "what the user asked for"; users write request and the system writes spec. This has the advantage of software that observes state being easier to change over, but means that users have more pain. But it is perhaps better to break users, who actually SEE error messages. Sometimes bigger changes are better because the need to something is obvious (see the bugs people hit with some really subtle v1beta1 -> v1 changes).

It would be nice to make one field writable ONLY by users (create/update) and one field writable only by the system. We've used binding for scheduling, but there are other things (like clusterIP) that are written directly in-process.

We could make this round-trippable by embedding request under status in v1 or even as a new top-level object + sub-resources.

Lastly, there's some question about preserving exactly what the user asked for WITHOUT defaults applied, but I am less sure that is needed or particularly useful.

@bgrant0607 @smarterclayton @lavalamp

[lavalamp]

I have been thinking for a while that a "one writer" policy (at some TBD level of granularity) would be a good thing.

For comparison, why not annotate (comment/struct tag) every field that the system writes and forbid the user from setting it. This seems less invasive. (If the user is allowed to make a request, add a "BlahRequest" block or some such.)

With the system in the OP, it looks to me like there is a big new class of bugs when the user updates the spec.

• How does that get translated to "actual"
• Components I guess should always watch actual and not spec? Watching the wrong thing will be mostly correct and therefore hard to notice.

Additionally, doesn't this still have the original problem that caused us to split the types? There'd be fields in 'spec' that the user shouldn't set.

kubectl apply already stores the original request in an annotation.

You can never unapply defaults with this system (also with our current system). It's unclear to me if this is a bug or a feature.

[bgrant0607]

See also #1178

[thockin]

I have been thinking for a while that a "one writer" policy (at some TBD level of granularity) would be a good thing.

For comparison, why not annotate (comment/struct tag) every field that the system writes and forbid the user from setting it. This seems less invasive. (If the user is allowed to make a request, add a "BlahRequest" block or some such.)

This is basically what we do with spec and status. There should be
nothing in spec that a user can't set. But frequently (nodeName)
they won't make a choice and the system will do it for them. We could
reflect that in status but then status becomes an ad hoc mess of
random fields, and components end up watching some fields in both.

I much prefer to have a source of "combined desired truth" in a single
structure.

With the system in the OP, it looks to me like there is a big new class of bugs when the user updates the spec.

How does that get translated to "actual"

Writes to spec are reflected into actual. Its seems to be the
same logic we have for create/update today.

Components I guess should always watch actual and not spec? Watching the wrong thing will be mostly correct and therefore hard to notice.

Correct. I also do not like this. This is why we should consider
names and semantics carefully :)

Additionally, doesn't this still have the original problem that caused us to split the types? There'd be fields in 'spec' that the user shouldn't set.

Without fully analyzing EVERY field of every struct: No, everything in
spec is user-writeable. actual is where we write things like
bindings and assignments, etc.

kubectl apply already stores the original request in an annotation.

It's not very usable, and it is becoming a problem, as I understand it.

You can never unapply defaults with this system (also with our current system). It's unclear to me if this is a bug or a feature.

This was my last point. My feeling is that it's not that important to
get back "what I asked for" independent of API version. I could be
wrong.

[bgrant0607]

Also relevant: #13038, #16543, #8190

[lavalamp]

Writes to spec are reflected into actual. Its seems to be the same logic we have for create/update today.

I think it requires an entirely new process? User writes an update to spec; then some mystery code runs in the server, and afterwards both spec and actual will have been updated.

That mystery code will involve a bunch of boilerplate (probably under-tested and bug ridden), or it will involve another invocation of the conversion stuff (complex, still under-tested, but probably fewer bugs).

This is basically what we do with spec and status. ...

That's not really what I had in mind at all. I was saying, individually per-field in spec, have a comment marker/struct field tag called e.g. set-by-system; if that's on the field, then only a system component may write to the field.

[thockin]

Writes to spec are reflected into actual. Its seems to be the same logic we have for create/update today.

I think it requires an entirely new process? User writes an update to spec; then some mystery code runs in the server, and afterwards both spec and actual will have been updated.

User POSTs to spec. Per-resource logic copies that do actual and
then does all the stuff we do today.

User PUTs to spec. Per-resource logic merges that with actual.

I'm hand-waving, obviously it's a little tricky and we'll need to
define the semantics we actually want to see and that we can plausibly
implement.

That mystery code will involve a bunch of boilerplate (probably under-tested and bug ridden), or it will involve another invocation of the conversion stuff (complex, still under-tested, but probably fewer bugs).

yeah, we can code-gen a lot of this.

This is basically what we do with spec and status. ...

That's not really what I had in mind at all. I was saying, individually per-field in spec, have a comment marker/struct field tag called e.g. set-by-system; if that's on the field, then only a system component may write to the field.

I think it's a little gross, but I guess it could work. We could
maybe be clever and store dual-source fields in a special type so that
depending on which sub-resource you access, get a different view of
the object.

e.g.

User POSTs {"kind": "Frobber", "spec": { "byUser": 123 }} to /api/v2/.../name.

System writes .spec.bySystem = 456

GET of /api/v2/.../name yields {"kind": "Frobber", "spec": { "byUser": 123, bySystem: 456 }, "status": {}}

GET of /api/v2/.../name/orig yields {"kind": "Frobber", "spec": { "byUser": 123 }, "status": {}}

Internally bySystem is held in a struct that knows which plane the
value exists on.

[smarterclayton]

I'm in favor of this, at the risk of having even larger API objects than we
do now. I agree with Brian that separation between user's desired intent
and the reactive elements of the cluster (actual) is much better expressed
with a new field.

If you think about what most automated elements of the cluster are doing,
they're applying override / field mutations on specific entities. Maybe we
should have an "overrides" endpoint that takes patches (or something less
than a full object) and adds them to the resource. Most users can't see
the patches, but they can see "actual". A machine can clear overrides by
DELETEing /overrides. Storing the delta changes may make more sense in
some cases - especially if they contain source annotations about who is
applying them.

user POST {spec: {something: bar}}
user GET {spec: {something: bar}, actual: {something: bar}}
machine PUT /overrides "patch format, change spec.something to 5 by
'machine1'"
user GET {spec: {something: bar}, actual: {something: 5}}
machine GET /overrides "sees list of 1 patch format, including machine1"

Both admission control and initializers could set overrides.

On Mon, Nov 16, 2015 at 8:22 PM, Tim Hockin notifications@github.com
wrote:

Writes to spec are reflected into actual. Its seems to be the same
logic we have for create/update today.

I think it requires an entirely new process? User writes an update to
spec; then some mystery code runs in the server, and afterwards both spec
and actual will have been updated.

User POSTs to spec. Per-resource logic copies that do actual and
then does all the stuff we do today.

User PUTs to spec. Per-resource logic merges that with actual.

I'm hand-waving, obviously it's a little tricky and we'll need to
define the semantics we actually want to see and that we can plausibly
implement.

That mystery code will involve a bunch of boilerplate (probably
under-tested and bug ridden), or it will involve another invocation of the
conversion stuff (complex, still under-tested, but probably fewer bugs).

yeah, we can code-gen a lot of this.

This is basically what we do with spec and status. ...

That's not really what I had in mind at all. I was saying, individually
per-field in spec, have a comment marker/struct field tag called e.g.
set-by-system; if that's on the field, then only a system component may
write to the field.

I think it's a little gross, but I guess it could work. We could
maybe be clever and store dual-source fields in a special type so that
depending on which sub-resource you access, get a different view of
the object.

e.g.

User POSTs {"kind": "Frobber", "spec": { "byUser": 123 }} to
/api/v2/.../name.

System writes .spec.bySystem = 456

GET of /api/v2/.../name yields {"kind": "Frobber", "spec": { "byUser": 123, bySystem: 456 }, "status": {}}

GET of /api/v2/.../name/orig yields {"kind": "Frobber", "spec": { "byUser": 123 }, "status": {}}

Internally bySystem is held in a struct that knows which plane the
value exists on.

—
Reply to this email directly or view it on GitHub
#17333 (comment)
.

[bgrant0607]

@lavalamp @thockin
Quick comment regarding: "That's not really what I had in mind at all. I was saying, individually per-field in spec, have a comment marker/struct field tag called e.g. set-by-system; if that's on the field, then only a system component may write to the field."

This cannot work and I'm opposed to it on principle. There is deliberately no hard line between what can be set by the user and what can be set automatically. One example of many: vertical auto-scaling. For more examples, see #17097.

[bgrant0607]

@smarterclayton My original proposal in #1178 was that automated components set "underrides" -- everything the user specifies takes precedence over automatically set values.