-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP 2527: Clarify meaning of status
#2537
KEP 2527: Clarify meaning of status
#2537
Conversation
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Outdated
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Outdated
Show resolved
Hide resolved
Since I'm (currently) in the "option 1" camp I was wondering if we could use |
@embano1 In general we try avoid enshrining non-primitive APIs as annotations. It just offloads the problem of decoding onto users. In this case, I don't think it helps because annotations are not RBAC'ed individually. A user could set "sensitive" values. |
c34280c
to
d9eff94
Compare
status
Hi all. I made some minor updates to this, but there has not been much feedback so far. Would love to hear more thoughts. |
d9eff94
to
59f9b7f
Compare
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Outdated
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Outdated
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Outdated
Show resolved
Hide resolved
da506cb
to
ac119ef
Compare
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Show resolved
Hide resolved
keps/sig-architecture/2527-clarify-status-observations-vs-rbac/README.md
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this makes sense... I don't think this scuttles any future plans to routinely discard status
subtrees of objects or anything.
I expect some people have been writing controllers that operate as one-way "take observed state and update status" because of this guidance will now feel free to branch out into more creative/complex paths (spec → status pre-write → other object → status post-write, etc).
As we relax this, it would be good to give pretty crisp examples/guidance/patterns for writing state to status
to help those folks stay re-entrant and robust in the face of conflicts/errors.
ac119ef
to
e4c2311
Compare
I fixed the small nit. I think the text you want actually goes in the impl, not the KEP? As such, PTAL at this. |
I'm happy with the direction, and the details can fall in the actual docs PR. I do think it's worth at least mentioning in this KEP the risks that working from status as a data source introduces, even if the detailed recommendations / best practices / examples are in the docs PR. |
Since basically the beginning of Kubernetes, we've had this sort of "litmus test" for status fields: "If I erased the whole status struct, would everything in it be reconstructed (or at least be reconstructible) from observation?". The goal was to ensure that the delineation between "what I asked for" and "what it actually is" was clear and to encourage active reconciliation of state. Many of our APIs pass this test (sometimes we fudge it and say yes "in theory"), but not all of them do. This KEP proposes to clarify or remove this guidance, especially as it pertains to state that is not derived from observation. One of the emergent uses of the spec/status split is access control. It is assumed that, for most resources, users own (can write to) all of spec and controllers own all of status, and not the reverse. This allows patterns like Services which set `spec.type: LoadBalancer`, where the controller writes the LB's IP address to status, and kube-proxy can trust that IP address (because it came from a controller, not a user). Compare that with Services which use `spec.externalIPs`. The behavior is kube-proxy is roughly the same, but because non-trusted users can write to `spec.externalIPs` and that does not require a trusted controller to ACK, that behavior was declared a CVE. This KEP further proposes to add guidance for APIs that want to implement an "allocation" or "binding" pattern which requires trusted ACK.
e4c2311
to
771e7ad
Compare
Added, stole some of your words. |
/lgtm |
@derekwaynecarr @johnbelamaric @dims - you all are listed as sig-arch leads - please approve? |
/approve thanks for doing this! +1 to tune our guidance based on what we are observing in the field. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, liggitt, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Since basically the beginning of Kubernetes, we've had this sort of "litmus test" for status fields: "If I erased the whole status struct, would everything in it be reconstructed (or at least be reconstructible) from observation?". The goal was to ensure that the delineation between "what I asked for" and "what it actually is" was clear and to encourage active reconciliation of state. Many of our APIs pass this test (sometimes we fudge it and say yes "in theory"), but not all of them do. This KEP proposes to clarify or remove this guidance, especially as it pertains to state that is not derived from observation. One of the emergent uses of the spec/status split is access control. It is assumed that, for most resources, users own (can write to) all of spec and controllers own all of status, and not the reverse. This allows patterns like Services which set `spec.type: LoadBalancer`, where the controller writes the LB's IP address to status, and kube-proxy can trust that IP address (because it came from a controller, not a user). Compare that with Services which use `spec.externalIPs`. The behavior is kube-proxy is roughly the same, but because non-trusted users can write to `spec.externalIPs` and that does not require a trusted controller to ACK, that behavior was declared a CVE. This KEP further proposes to add guidance for APIs that want to implement an "allocation" or "binding" pattern which requires trusted ACK.
Since basically the beginning of Kubernetes, we've had this sort of "litmus
test" for status fields: "If I erased the whole status struct, would everything
in it be reconstructed (or at least be reconstructible) from observation?". The
goal was to ensure that the delineation between "what I asked for" and "what it
actually is" was clear and to encourage active reconciliation of state.
Many of our APIs pass this test (sometimes we fudge it and say yes "in
theory"), but not all of them do. This KEP proposes to clarify or remove this
guidance, especially as it pertains to state that is not derived from
observation.
One of the emergent uses of the spec/status split is access control. It is
assumed that, for most resources, users own (can write to) all of spec and
controllers own all of status, and not the reverse. This allows patterns like
Services which set
spec.type: LoadBalancer
, where the controller writes theLB's IP address to status, and kube-proxy can trust that IP address (because it
came from a controller, not a user). Compare that with Services which use
spec.externalIPs
. The behavior is kube-proxy is roughly the same, butbecause non-trusted users can write to
spec.externalIPs
and that does notrequire a trusted controller to ACK, that behavior was declared a CVE.
This KEP further proposes to add guidance for APIs that want to implement an
"allocation" or "binding" pattern which requires trusted ACK.
KEP: #2527