Dynamic registration prototype

[caesarxuchao]

Implementing the api proposed in kubernetes/community#611.
Wiring the code to serve the api via apiserver.

Adding admissionregistration API group which enables dynamic registration of initializers and external admission webhooks. It is an alpha feature.

[caesarxuchao]

The registry needs Registry, Scheme, Codecs etc. Because we are in k8s.io/apiserver, we cannot import k8s.io/kubernetes/pkg/api, so i have to create this package.

[caesarxuchao]

We need to register the unversioned types to the Scheme, otherwise the API discovery endpoints won't work.

[caesarxuchao]

I think we can deprecate this field.

Without commenting it out, the API installation of apisever/v1alpha1 will fail with "no type ExportOptions is registered for v1". This error doesn't occur when installing other k8s APIs because their registry use the k8s.io/kubernetes/pkg/api.Scheme, which installs these metav1 types to all versions, including "v1".

[smarterclayton]

Hrm - we will need this in the future - it's intended to control what version of generic APIs are defaulted by the server, like the forthcoming Table.

Meta types should be registered in your group for now - is there a reason you don't want to?

[caesarxuchao]

Shall we call it Verbs or Operations? rbac calls is Verbs, and the authorizer interface call it Verbs, but the admission interface calls it Operations

[caesarxuchao]

@whitlockjc and I lean towards Operations.

[whitlockjc]

I agree.

[lavalamp]

Wow I really object to having a specific API type living in the generic apiserver's registry package. @deads2k did you really want this? ...

[lavalamp]

OK, Chao is going to move these registry classes into the main repo.

[deads2k]

Wow I really object to having a specific API type living in the generic apiserver's registry package. @deads2k did you really want this? ..

I really want to have separate buckets for "generic API server types" and "kube-apiserver types". The types are two distinct buckets. It's easy to have separate buckets and later move them around. It's really hard to put it all into one bucket and then later try to separate some stuff that was mixed in the bucket. Because of that, putting them here is much easier to change than putting them in the main repo.

The first thing you're going to do is claim that the apiserver needs them and so you'll group them in a k8s.io/apis bucket.

[deads2k]

What about an alternative where we actually model it as a separate API server that is added to the filter chain like we've done with kube-apiextensions-server? The integration ends up clean and these stay out of kube-apiserver. Until we get the third bucket, the types can live here to avoid a cyclical dependency, but my concerns about "making mud" in the shared API would be ameliorated and you'd have a clear delineation for a proper move once the cycle was resolved.

[lavalamp]

These are not generic apiserver types, though. The registration api is only going to be hosted by the main apiserver.

[deads2k]

But are not the same category of thing as the bucket you are going to place them into for the sake of expedience and I sincerely doubt that any separation will ever be made, so this would live forever alongside jobs, hpas, pod disruption budgets, and a host of other APIs it doesn't belong with.

I think its a real shame to do this, you can't easily unmake soup, but ultimately I'm not willing to sacrifice the feature to keep separate things separate.

[caesarxuchao]

These are not generic apiserver types, though. The registration api is only going to be hosted by the main apiserver.

[edit] I think this is a strong argument to not put the api in k8s.io/apiserver

[caesarxuchao]

this would live forever alongside jobs, hpas, pod disruption budgets,

I agree. Admission configuration doesn't blend with jobs, hpa, etc. But currently we don't have another place to put API that is served by the apiserver.

[deads2k]

I agree. Admission configuration doesn't blend with jobs, hpa, etc. But currently we don't have another place to put API that is served by the apiserver.

I'd prefer to see that place built for something net-new than continue a pattern of placing largely unrelated APIs into the same bucket. It's net new, so no one is going to complain that their cheese moved. If we can't make "the right" place, keeping it logically separate in a less than ideal location (here), makes it possible to move this later with minimal complaint. If we go in the other direction (put it into k8s.io/kubernetes/pkg/apis), then we are extremely unlikely to correct it later.

[lavalamp]

new place would be best, but we don't have time to build a new place IMO. As long as it's in its own group...

IMO this is a level 2 code separation concern, and we still haven't finished the level 1 code separation.

[caesarxuchao]

defaulter-gen never worked for any staging repo... if we decided to keep the api in k8s.io/apiserver, we'll need to update k8s.io/gengo, and then vendor it back.

[caesarxuchao]

Can I get some reviews for the "api" commit?

Other commits will change if we decide to move the api to k8s.io/kubernetes.

[smarterclayton]

Put this in doc.go

[smarterclayton]

typo

[smarterclayton]

Comment that operations must match admission.Attributes?

[lavalamp]

comments on validation

[lavalamp]

update what about it?

[caesarxuchao]

@deads2k the code history is lost during the move to staging. It looks like we used to have a completely different criteria on QualifiedName. Shall I create my own function?

[caesarxuchao]

Fixed.

[lavalamp]

please implement this todo

[lavalamp]

why not? do we really need to distinguish between empty and nil?

[lavalamp]

why not?

[lavalamp]

(maybe 'empty or nil'?)

[caesarxuchao]

yeah, should be empty or nil. Done.

[caesarxuchao]

Addressed @lavalamp and @smarterclayton's comments in the last two commits. PTAL.

The remaining disagreement is on where to put the API group: #46294 (comment).

[caesarxuchao]

Tests should be fixed. Adding back the lgtm label.

[caesarxuchao]

Rebased.

[k8s-ci-robot]

@caesarxuchao: The following test(s) failed:

Test name	Commit	Details	Rerun command
pull-kubernetes-federation-e2e-gce	89e506c	link	@k8s-bot pull-kubernetes-federation-e2e-gce test this
pull-kubernetes-cross	89e506c	link	@k8s-bot pull-kubernetes-cross test this

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[caesarxuchao]

@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

[lavalamp]

I0526 00:56:10.391] # k8s.io/kubernetes/test/e2e_node
I0526 00:56:10.391] test/e2e_node/summary_test.go:138: constant 100000000000 overflows int

[smarterclayton]

Hahahaha

…

On Fri, May 26, 2017 at 3:40 PM, Daniel Smith ***@***.***> wrote: I0526 00:56:10.391] # k8s.io/kubernetes/test/e2e_node I0526 00:56:10.391] test/e2e_node/summary_test.go:138: constant 100000000000 overflows int — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#46294 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_pxLdV-T45w5ODgqITbamrN1FZZxaks5r9yqvgaJpZM4NkCBS> .

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 46383, 45645, 45923, 44884, 46294)

[smarterclayton]

Generated client has namespace generation, but should be non-namespaced.

[caesarxuchao]

Eh, right. Will send a fix tonight.

[smarterclayton]

Doesn't block me, so not critical tonight.

[caesarxuchao]

Sent #46668.