How can the CRDs offer more flexibility/control for the pod template spec? #4691
Description
We get regular requests from users to add more fields to the Prometheus, Alertmanager and Thanos Ruler CRDs. The situation is particularly acute for fields that exist in the statefulset's pod template spec.
As of today, the following pod template's fields are exposed by the CRDs:
- affinity
- containers (via strategic merge patch)
- hostNetwork
- imagePullSecrets
- initContainers (via strategic merge patch)
- nodeSelector
- priorityClassName
- securityContext
- serviceAccountName
- tolerations
- topologySpreadConstraints
- volumes
- dnsConfig
- dnsPolicy
- schedulerName
- hostAliases
- enableServiceLinks
The following fields are controlled by the operator and their values are hardcoded:
- automountServiceAccountToken (always true)
- dnsPolicy (when hostNetwork is true)
- terminationGracePeriodSeconds (600s)
The following fields are not exposed by the CRD and not controlled by the operator:
- activeDeadlineSeconds
- ephemeralContainers
- hostIPC
- hostPID
- hostname
- nodeName
- overhead
- preemptionPolicy
- priority (priorityClassName instead)
- readinessGates
- restartPolicy
- runtimeClassName
- setHostnameAsFQDN
- shareProcessNamespace
- subdomain
As we can see, we've got requests for customizing a few fields but not the majority of them.
We've discussed possible options to circumvent the problem:
- Add new fields to the Prometheus, Alertmanager and Thanos Ruler CRDs on a case-by-case basis (e.g. the demand is backed by a legitimate scenario and no workaround exists).
- Pros
- First-class support by the project.
- Easy to use and document.
- Cons
- Users have to convince the maintainers that the addition is worthwhile.
- Additional burden on the maintainers who aren't necessary familiar with the details of how the field is going to be used.
- Pros
- Offer a mechanism where users could patch the template generated by the operator. This would be similar to the
initContainersandcontainersfields but for the pod template.- Pros
- Total flexibility.
- One-time operation.
- Cons
- Easier for users to get things wrong. It requires deeper knowledge of the operator and it may trigger more support requests.
- The size of the CRDs increases by a lot.
- No guarantee that it won't break you in the future (this would be marked as experimental).
- Redundancy with the
initContainersandcontainersfields.
- Pros
- Use the server-side apply pattern
- Pros
- Aligned with the latest Kubernetes practices.
- Cons
- If/when the statefulset is recreated, the user changes are lost and need to be reconciled again.
- Pros
cc @prometheus-operator/prometheus-operator-reviewers