Kubelet to understand pods, and to be able to pull from apiserver

[erictune]

Several inter-related goals:

1. Kubelet continues to be usable in isolation, as well as in a Kubernetes cluster. (composability)
2. Config defined in terms of Pods should work both with an apiserver, and directly with Kubelets (bootstraping, debugging, composability)
3. Kubelet's can only see pods that they need to see (security)
4. Don't create more apiserver API objects than necessary (ease of understanding)
5. Node etcd need not be connected to master etcd. (security, isolation, scalability)
6. Not have clients (be they kubectl, or kubelets or whatever) depend on the storage layer of the apiserver. (abstraction, allowing multiple implementations of the API)

Current state:

1. Kubelet can read container manifest from a local file. Or from an URL. Used by Google ContainerVM.
2. Kubelets can read boundPods from their local etcd, which is connected to the master machine's etcd.
3. Kubelets can talk to the apiserver, and do write /events. They don't read /pods or /boundPods.

Suggested changes:

1. Kubelet learns the definition of type Pods.
2. Kubelet can read json pod definitions from local files or URLs.
   • It also still supports containerManifests for the foreseeable future, with some way for it to determine which type to expect from a source.
3. In a "typical" Kubernetes cluster, a Kubelet watches /api/v1beta3/pods for what pods it should run.
4. Get rid of BoundPod and BoundPods since nothing reads them anymore.
5. Add a Host field to the PodStatus (but not PodSpec).
6. When scheduler writes a Binding, the PodStatus.Host is be set and resourceVersion is updated.
7. A cluster is bootstrapped by first starting one or more VMs with,

Concerns that may be raised and responses:

Q1: Are changes to the set of pods bound made by the scheduler machine atomic or eventually consistent?

A1: It could work either way. If we want atomic behavior, we could implement that in apiserver more readily that we could when we directly expose our storage via etcd.

Q2: Should the kubelet be allowed to see CurrentState (now PodStatus in v1beta3)? It generates (some of) the status, so why let it see that?

A2: We could implement this if it is important. Kubelet would watch pods with a selector that matches only pods with PodStatus.Host == kubelets hostname, and could use a field selector so that only PodSpec and not PodStatus is returned.

Q3: How do we prevent Kubelets from seeing other node's pods.
A3: There are a couple of ways I can think to do this with small changes to our current authorization policy.

1. One way is to have a distinguished "kubelet" user and special case its authorization.
2. Another is to create a new policy as each "kubelet" is added which matches on the SourceIP of the request, and requires a selector to be part of the request which selects on "PodStatus.Host=$SourceIP". This may make some assumptions about the network security of the cluster, but seems like it could work.
3. A variation on the previous is to only have one line of policy for all kubelets, but have a "condition" field in the policy that checks that PodStatus.Host matches SourceIP.
4. Another variation is to have a different token for each kubelet and a separate policy for each.

[erictune]

@a-robinson @roberthbailey
I think both of you were interested in how to remove the dependency between master etcd and kubelet. This proposal, if implemented, would answer that question.

[erictune]

@thockin
I know you had some opinions about BoundPods. But, since we last discussed that, there have been changes to authorization, kubelet-to-apiserver communication (events), and the restructuring of desiredState/currentState to PodSpec/PodStatus (v1beta3).

[lavalamp]

1. In a "typical" Kubernetes cluster, a Kubelet watches /api/v1beta3/pods for what pods it should run.
2. Get rid of BoundPod and BoundPods since nothing reads them anymore.

This is going to be controversial. For expediency's sake, I would like to start out with kubelet watching /api/v1beta3/boundPods. The boundPods/pods argument can be had later.

[erictune]

Filed #2484 @lavalamp

[thockin]

The goal of BoundPods was to simplify Kubelet and the kubelet experience by
having it only understand what it needs to know in order to do its job.

I'm not against teaching Kubelet about Pods instead of BoundPods, but a
number of questions (as you called out) remain.

Whatever watch the kubelet does probably has to be scalable - we don't want
it waking up every time any pod in a cluster is created/destroyed/updated.

I dislike the magic that happens between scheduler and apiserver with
Bindings - it is a pet belief of mine (in fact I satrted fiddling with it
on the plane) that the REST objects should be less entangled than they are.

On Wed, Nov 19, 2014 at 5:30 PM, Eric Tune notifications@github.com wrote:

Filed #2484
#2484 @lavalamp
https://github.com/lavalamp

Reply to this email directly or view it on GitHub
#2483 (comment)
.

[erictune]

The selector on the watch which I described should prevent excessive kubelet wakeups.

An improvement over the current situation with Bindings might be to replace:

POST 
/api/v1beta3/bindings 
{ ...
"podID": "...",
"host": "....",
}

with a body-less POST to a special verb, like this:

POST
/api/v1beta3/bind/pods/mypod?host="...."

That would mean we could delete type Bindings from pkg/api/types.go, which seems like it would address your concern about entangled REST objects.

[lavalamp]

with a body-less POST to a special verb

That's much harder to change in the future if we want to, say, add a field. (Imagine the scheduler wanting to claim ssd0 for the pod or something.)

[erictune]

@thockin points out that I need to change kube-proxy to watch /endpoints.

[erictune]

Just realized that this is a dup of #860

[erictune]

Related discussion happening on #846

[erictune]

More motivation for this change: #2715