✨ Upsync Endpoints of synced services #2829
Signed-off-by: David Festal <[email protected]>
... on the service from which the Endpoints resource is derived. Signed-off-by: David Festal <[email protected]>
pkg/apis/workload/v1alpha1/types.go
Outdated
// | ||
// For now, only endpoints can be upsynced on demand by the syncer with this mechanism, | ||
// but the list of such resources will increase in the future. | ||
UpsyncDerivedResourcesAnnotationKey = "workload.kcp.io/upsync-derived-resources" |
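Review bot: In the visible part of the doc comment above UpsyncDerivedResourcesAnnotationKey, the sentence "only endpoints can be upsynced on demand ... but the list of such resources will increase" does not say how an annotation entry outside the supported list is handled. Since the value is a free-form string set on the synced resource, state explicitly in this comment what happens to unsupported entries, so that extending the list stays a deliberate code change and not something an annotation value can request.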
is this experimental and going to move into the SyncTarget spec?
and is this annotation user-facing in the first place? Who should be able to change it? (now it is protected through admission).
No it's not experimental.
And it's not expected to be added to the SyncTarget (obviously it is a copy/paste error in the comment).
The real comment should be:
// UpsyncDerivedResourcesAnnotationKey is an annotation set on synced resources that contains a
// comma-separated list of stringified GroupResource (<resource>.<group>) for the derived resources
// that are expected to be upsynced.
// To allow upsyncing an Endpoints resource related to a synced service, the Service instance should be annotated with:
//
// workload.kcp.io/upsync-derived-resources: endpoints
//
// For now, only endpoints can be upsynced on demand by the syncer with this mechanism,
// but the list of such resources will increase in the future
I fixed the comment in commit 5ba3c35
> and is this annotation user-facing in the first place? Who should be able to change it?

Yes, it is user-facing. For now the user should be able to change it. Mid-term it could be done by a dedicated coordination controller.

> (now it is protected through admission).

Are all the workload.kcp.io/xxx annotations protected?
> Are all the workload.kcp.io/xxx annotations protected?

yes. You have to opt-out in the admission plugin for that.

> Yes, it is user-facing. For now the user should be able to change it. Mid-term it could be done by a dedicated coordination controller.

So it is experimental?
Isn't it a security problem? I can steal objects from the compute cluster, e.g. a service account.
The presence of this annotation isn't sufficient to trigger the Upsync, but it will be used as an additional condition by the logic that exists downstream and that marks resources for Upsync (by setting the RequestState label to Upsync).
In the case of Endpoints, the controller in the Syncer implements the logic that identifies which Endpoints should be Upsynced, and part of this logic is to look at this annotation on the related Service.
In any case, there is also a protection on the Upsyncer virtual workspace side + Syncer about the resource types that can be upsynced: for now the list is fixed: only PVs, Pods and Endpoints can be upsynced.
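The two conditions described in the comment above (the annotation on the related Service plus a fixed list of upsyncable types), as an added Go example that is not kcp's syncer code. The function names and the allow-list contents are hypothetical; the annotation key is the one this PR ends up with.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation key as named at the end of this PR; set on the synced Service.
const upsyncDerivedKey = "experimental.workload.kcp.io/upsync-derived-resources"

// Hypothetical fixed allow-list of derived resources in <resource>.<group> form
// (core-group resources carry no group suffix). Per the thread: endpoints only.
var derivedAllowList = map[string]bool{"endpoints": true}

// parseUpsyncDerived splits the comma-separated value into allowed and rejected entries.
func parseUpsyncDerived(annotations map[string]string) (allowed, rejected []string) {
	seen := map[string]bool{}
	for _, item := range strings.Split(annotations[upsyncDerivedKey], ",") {
		gr := strings.TrimSpace(item)
		if gr == "" || seen[gr] {
			continue
		}
		seen[gr] = true
		if derivedAllowList[gr] {
			allowed = append(allowed, gr)
		} else {
			rejected = append(rejected, gr)
		}
	}
	return allowed, rejected
}

// shouldUpsync is true only if the Service requests the resource AND it is on the fixed list.
func shouldUpsync(groupResource string, serviceAnnotations map[string]string) bool {
	allowed, _ := parseUpsyncDerived(serviceAnnotations)
	for _, gr := range allowed {
		if gr == groupResource {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a Service whose annotation also names types outside the list.
	svc := map[string]string{upsyncDerivedKey: "endpoints, serviceaccounts,secrets"}
	allowed, rejected := parseUpsyncDerived(svc)
	fmt.Println("allowed:", allowed, "rejected:", rejected, "sa:", shouldUpsync("serviceaccounts", svc))
}
```

Logging the rejected entries gives operators a signal when an annotation asks for a type outside the list.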
Finally made the annotation experimental and added more comments on the annotation definition.
@@ -11,6 +11,7 @@ spec: | |||
- v124.services.core | |||
- v124.deployments.apps | |||
- v124.pods.core | |||
- v124.endpoints.core |
what about EndpointSlices? Does one need them? Does one need both or do endpoints always exist?
For now we didn't have any use-case requiring upsyncing the EndpointSlices.
This PR tackles minimal requirements spotted by the KNative support scenario.
Additional resources will be added in the future as required.
It would still be possible to import EndpointSlices from the physical cluster if needed, and sync them as any other resource if necessary.
/test e2e-sharded
... and complete comments Signed-off-by: David Festal <[email protected]>
@sttts Is it OK for you now with the annotation made |
// It is experimental since the provided user-experience is unsatisfactory, | ||
// and further work should be done to define such (up)syncing strategies at a more appropriate level | ||
// (SyncTarget, KCP namespace, KCP workspace ?). | ||
ExperimentalUpsyncDerivedResourcesAnnotationKey = "experimental.workload.kcp.io/upsync-derived-resources" |
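Review bot: The key on the last line now sits under the experimental.workload.kcp.io/ prefix, and the comment explains why it is experimental but not who is expected to set it. Add a sentence saying whether users set it directly on the synced resource for now, and confirm that any validation applied to the earlier workload.kcp.io/upsync-derived-resources key still applies under the new prefix.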
better 👍
would you approve ? ;-)
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: sttts
Summary
Upsync Endpoints of synced services, so that controllers that rely on their existence to check application readiness (like KNative does) can work.
Related issue(s)
Fixes #2817