Kubernetes SIG API Machinery 20241030
Вставка
- Опубліковано 10 лют 2025
- Topic 1: [AndrewSirenko@] (Slack: "Drew Sirenko") Would someone help unblock VolumeAttributesClass by taking a look at Issue#124436: Quota scopes cannot handle the transition case from one scope to another when the target object is updated.
KEP 3751’s VolumeAttributesClass feature/resource went into beta in K8s 1.31, which allows users to modify parameters of their volumes (e.g. provisioned IO)
As part of KEP 3751: VolumeAttributesClass, we want to add VAC quota restrictions for volume attributes that allow administrators to restrict the maximum number of volumes that can be created with a specific volume attribute class.
When originally adding VAC API, deads2k@ suggested using quota scope/scopeSelector to implement this feature.
However, when using the `scopeSelector` to implement this feature, there are some problems that carlory@ could solve. Specifically a bug in the implementation of the `scopeSelector` feature.
The quota PR is blocked by this bug github.com/kub..., so the new e2e test for this feature is not passed.
We left quota out of the initial push to beta, because SIG API-Machinery was busy with scalability efforts, but is there someone who can help solve the bug ahead of k8s 1.32 so we can unblock VAC? There are some discussions about this feature in the following slack thread: kubernetes.sla...
Carlory and I are hesitant to propose solution to issue because there are scalability implications and we are not subject matter experts, but Carlory left a detailed reproduction example, root cause, and related k/k code in issue.
Next Step:
Federico attempts to find an owner for the bug by Nov 1.
Deads2k: Not relying on scopeselector to implement the quota-style feature is a non-starter. Let’s fix this (tricky but solvable) bug.
Topic 2: InPlacePodVerticalScaling API review adds a /resize subresource
Difficulties encountered during API review:
GetResetFields() must be set for all subresources that interact with root resource, but requires defining a mask of fields not modifiable via the subresource…
The subresource bypasses admission on the primary pod resource (just like all other subresource writes, see github.com/kub...)
Should we introduce a way for admission to opt-in to validating/mutating a subresources IF it's the kind as the root resource to prevent bypass? This is loosely related to matchPolicy: Equivalent, which prevents new versions from bypassing admission
Need feedback on how to improve contributor docs: github.com/kub...
Topic 3: Gateway API Versioning, discussed on #sig-api-machinery
[Flynn] This doc discusses difficulties that Gateway API has run into with trying to simultaneously allow rapid design iteration of a CRD API, driven by real user feedback that may require breaking changes, with the strong desire to avoid the operational complexity of conversion webhooks. We’d be interested in talking through the difficulties and seeing about possibilities to make it easier to manage CRD APIs.
[rob] Different API group for experimental and standard channels:
github.com/kub...
github.com/kub...
Action item:Gateway API to write out user stories demonstrating the paths we’re most concerned about for future discussion
