Implement ExecutionHook CRDs API Types

[ashish-amarnath]

Implement ExecutionHook CRDs API Types

KEP is at https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/20190120-execution-hook-design.md

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
• Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[xing-yang]

/assign @xing-yang

[prydonius]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ashish-amarnath, prydonius
To complete the pull request process, please assign xing-yang
You can assign the PR to them by writing /assign @xing-yang in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xing-yang]

I'm checking whether it should be apps.k8s.io or app.k8s.io to be consistent with other CRDs.

[ashish-amarnath]

Sure. Quick pointer, the KEP also referred to this as apiVersion: apps.k8s.io/v1alpha1.

[xing-yang]

Yeah, apps.k8s.io looks right. Just want to double check as I found "app.k8s.io" is used for other CRDs.

[xing-yang]

It is "app.k8s.io" here: https://github.com/kubernetes-sigs/application/blob/master/pkg/apis/app/v1beta1/register.go#L34.

[ashish-amarnath]

is apps.k8s.io correct or should we change to app.k8s.io?

[xing-yang]

Maybe that's why "app.k8s.io" is used for "Application" CRD, not "apps.k8s.io"? I don't know the reason, hence raising the question. Since this ExecutionHook repo belongs to sig-apps, I thought it would be better to stay in app.k8s.io for consistency.

[lavalamp]

Yes, perhaps. Note that a SIG can and should have more than one API group, API groups are more fine grained than SIGs.

Are you sure apps is the right SIG for this and not node? This seems more connected to me with pods and runtimes than with replicasets and deployments. The existing exec feature is SIG node.

[xing-yang]

Yes, this is under sig-apps: https://github.com/kubernetes/community/blob/master/sigs.yaml#L194. The KEP was initially done in sig-storage. @saad-ali suggested that this should be in sig-apps because we need application specific knowledge to use the execution hooks to quiesce and unquiesce an application. Of course we should get input from sig-node as well. I believe there was someone from sig-node who reviewed the KEP.

[lavalamp]

Great, just checking. lifecycle.apps.k8s.io might be a good group name.

[xing-yang]

sounds good!

[xing-yang]

Add protobuf part

[ashish-amarnath]

For Kubernetes clients for CRDs, the protbuf serialization tags are not used. Protobuf encoding are used in kubernetes only for internal types, mainly for efficiency. This is not extended for CRDs. For that reason, I have removed all protobuf tags.

Also See: kubernetes/kubernetes#55541

[liggitt]

/assign @thockin @lavalamp
as active API reviewers on the design in kubernetes/enhancements#705

[lavalamp]

This doesn't make a lot of sense to me, if your selector identifies e.g. all pods in a replica set, this still makes you specify each one by name (since the name has a random suffix).

[xing-yang]

Only one of "PodContainerNames" and "PodContainerSelector" will be specified but not both. So if the selector identifies all pods in the PodContainerSelector, this PodContainerNames won't be used. We need to add validation to make sure only one is specified.

[lavalamp]

I didn't realize that KEP got to the implementable stage. I recall having made significant feedback on it and I don't think I re-reviewed the changes.

[lavalamp]

The PR merging the KEP & setting it to implementable has this comment specifically calling out the API as still needing to be nailed down: kubernetes/enhancements#705 (review)

[xing-yang]

The PR merging the KEP & setting it to implementable has this comment specifically calling out the API as still needing to be nailed down: kubernetes/enhancements#705 (review)

Hi @lavalamp , @thockin has approved the KEP for alpha. Before moving to Beta, we'll evaluate whether to move it to kubelet. See here: https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/20190120-execution-hook-design.md#risks-and-mitigations

[lavalamp]

It is more or less up to you when you get an API review. If you get it for the alpha -> beta transition, fixing whatever comes up may involve a lot more work than if you get it now and address prior to implementation. I don't actually have time to do an API review right now, maybe @thockin does.

Anyway, I just want to be clear that the KEP went to implementable with a significant caveat (which may not have been the right thing to do, I don't know, it's hard to change now either way), and just to budget time for api review and whatever work that implies to make changes.

Since I'm not sure everyone is on the same page when it comes to API reviews, I'll add: the thing I try to do during API review is to make sure the feature's expression in the API composes well with the rest of the API surface area. This sometimes generates more and larger AI's than e.g. just asking for unions where there should be unions.

[xing-yang]

It is more or less up to you when you get an API review. If you get it for the alpha -> beta transition, fixing whatever comes up may involve a lot more work than if you get it now and address prior to implementation. I don't actually have time to do an API review right now, maybe @thockin does.

Anyway, I just want to be clear that the KEP went to implementable with a significant caveat (which may not have been the right thing to do, I don't know, it's hard to change now either way), and just to budget time for api review and whatever work that implies to make changes.

Since I'm not sure everyone is on the same page when it comes to API reviews, I'll add: the thing I try to do during API review is to make sure the feature's expression in the API composes well with the rest of the API surface area. This sometimes generates more and larger AI's than e.g. just asking for unions where there should be unions.

Hi @lavalamp, if I remember correctly, I think Alternative option 1b has incorporated your suggestions during the reviews: https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/20190120-execution-hook-design.md#alternative-option-1b. There were many rounds of discussions on whether to do it in kubelet or use a CRD during the design. Eventually we decided to go with a CRD (the current main proposal) for alpha version, implement it and see how it works. Then evaluate it and move it to Kubelet when going from alpha to beta.

So if it is okay with you and @thockin, we'd like to stay with this plan. Thanks!

[lavalamp]

@xing-yang as long as we all have the same expectation of a somewhat arduous step in the future, that's all that I'm trying to accomplish here :)

[xing-yang]

@xing-yang as long as we all have the same expectation of a somewhat arduous step in the future, that's all that I'm trying to accomplish here :)

Understood:).

[thockin]

To prep for this, I pulled up the KEP, and (surprise) I agree with my own comments there. I will try to make a quick pass on this, but I think what I was really hoping for was revisions to the KEP to nail down the API.

[thockin]

probably want to remove meta-comments?

[thockin]

This basically copies the type contents into a comment. Don't list the fields here. Just say that this struct represents a one-of, and define the defaults.

One-of types really want a discriminator field, e.g. "type=Selector"

[thockin]

This should be called "PodAction" or maybe just "Action" or "Notification"

[thockin]

I think I disagree with this structure. I said something about this in the KEP. Here's my thinking.

Ideally (IMO) HookAction eventually becomes a field inside each Pod.spec.containers[] - it defines what to do when that action is triggered. Likewise, this type (ExecutionHook) should be called PodAction or similar. It triggers an action on a set of Pods. It should not be spelling out which container because the action definition itself will be attached to a container.

If/when we carry this into Beta, you'll have to change all of this to a simple pod selector. Better to change it now. This can simply be selector and be a normal pod selector. I'm not convinced we need specific pod names?

Once this is integrated to Pod, triggering an action "foo" can mean "all action specs named foo on any containers in the pod"

[xing-yang]

We did have this proposed as part of the LifeCycle struct inside a container as described in alternative option 1a and 1b in the KEP. That was actually the main proposal when the KEP was initially submitted. https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/20190120-execution-hook-design.md#alternative-option-1a

We also talked about the pros and cons of having kubelet or an external controller take care of these hooks:
https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/20190120-execution-hook-design.md#controller-handlings-for-option-1a-and-1b

If we decided to go with alternative 1a/1b or some variation of those, then I don't think we need this execution-hook repo as the handling of the hooks will be either in kubelet and/or in the application snapshot controller (when that's available).

After numerous discussions, however, the decision was to start with an alpha implementation with a hook CRD and an external controller to manage the hooks. This allows us to explore other features such as application snapshot which will use this hook for quiescing. We have stated in the KEP that we'll look at doing it in kubelet before moving to beta.
https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/20190120-execution-hook-design.md#risks-and-mitigations
"The security concern is that ExecutionHook controller has the authority to execute commands in any pods. For alpha and proof of concept, we propose to use external controller to handle executionhooks. But to move to beta and graduate as GA, we will evaluate it and move it to kubelet which already has the privilege to execute commands in pod/containers."

[thockin]

success

[thockin]

What does this actually mean? What guarantees can I infer from it?

What happens if I retry the action? Under what circumstances would a retry happen?

[thockin]

Do we want to know how long an action took from trigger to completion? I think we would..

[thockin]

Is this the result from the action (e.g. exec stderr)? Or is it fixed from the controller?

[thockin]

If any of this comes from user pod (e.g. stderr) it should be size-bounded and specified.

[thockin]

Is there any way to control how fast this happens across a set of pods? E.g. I have a deployment and I want this to wait 10 seconds between each pod?

[thockin]

Talk about guarantees of execution (at-least-once vs exactly-once) and retries, timeouts, idempotency, etc?

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[ashish-amarnath]

/lifecycle frozen

[k8s-triage-robot]

The lifecycle/frozen label can not be applied to PRs.

This bot removes lifecycle/frozen from PRs because:

• Commenting /lifecycle frozen on a PR has not worked since March 2021
• PRs that remain open for >150 days are unlikely to be easily rebased

You can:

• Rebase this PR and attempt to get it merged
• Close this PR with /close

Please send feedback to sig-contributor-experience at kubernetes/community.

/remove-lifecycle frozen

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.