docs: add declarative validation patterns for feature-gates.md#8907
docs: add declarative validation patterns for feature-gates.md#8907yongruilin wants to merge 1 commit intokubernetes:mainfrom
Conversation
k8s-ci-robot
added
area/developer-guide
|
/assign @thockin |
| When a feature gate is disabled, the system should behave as if the API fields | ||
| do not exist. API operations which try to use the field are expected to proceed | ||
| as if the field was unknown and the "extra" data was discarded. |
There was a problem hiding this comment.
This documentation is surprising. While we do wipe the field for purposes of create. We continue to respect the field once it is "in use". I think we should update this paragraph and a paragraph about "in-use".
Take for example pod.spec.initContainer.resetPolicy. If this field is set when creating a pod, it creates a pod with a sidecar container. Ignoring or unsetting the field results in a pod that will treat the sidecar container as a normal init container, which is almost certainly going to break the workload.
Some other examples: InPlacePodVerticalScaling, HPAConfigurableTolerance, PreferSameTrafficDistribution, RecursiveReadOnlyMounts, ContainerStopSignals.
In all these examples, once a field is set, even after the FG is disabled, it continue to remain set AND remain mutable.
There was a problem hiding this comment.
Yes, the current wording implies fields are always discarded when the gate is off, but in practice most dropDisabled* functions follow a !Enabled(featureX) && !fieldInUse(old). (Though not consistent — some cases drop unconditionally without an in-use check)
This also carries into validation - when gates off, some keeps validating when the fields is "in-use", while some directly forbid any update.
I think a feature gate should control the entrypoint, not the lifecycle of existing data:
- Create / not in use: drop the field — no new adoption of a disabled feature.
- In use: preserve the field, keep it mutable, and validate normally — data integrity matters, and freezing the field prevents users from fixing bad values when the gate was disabled precisely because something went wrong.
@thockin since you authored this section, thoughts?
There was a problem hiding this comment.
IIRC this was the result of considering all of the options, where none of them are good. The lesser evil.
If we were to auto-wipe the data, we will cause havoc with apply-loops and saved state (e.g. cgroup config).
If we tell people to keep handling a feature, even when the gate is disabled, the worst case is that they are triggering a bug which crashes components making the cluster unusable.
If we tell them to mostly ignore the feature, the worst case is that some things misbehave, but the feature is neutralized and less likely to cause damage.
None of these are clearly correct.
This is a very unlikely scenario, either way, so (again, IIRC) we just decided to do the least-worst thing.
| When a feature gate is disabled, the system should behave as if the API fields | ||
| do not exist. API operations which try to use the field are expected to proceed | ||
| as if the field was unknown and the "extra" data was discarded. |
There was a problem hiding this comment.
IIRC this was the result of considering all of the options, where none of them are good. The lesser evil.
If we were to auto-wipe the data, we will cause havoc with apply-loops and saved state (e.g. cgroup config).
If we tell people to keep handling a feature, even when the gate is disabled, the worst case is that they are triggering a bug which crashes components making the cluster unusable.
If we tell them to mostly ignore the feature, the worst case is that some things misbehave, but the feature is neutralized and less likely to cause damage.
None of these are clearly correct.
This is a very unlikely scenario, either way, so (again, IIRC) we just decided to do the least-worst thing.
yongruilin
force-pushed
the
dv-featuregate
branch
from
d766831 to
642ef2d
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: yongruilin The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
4 participants
Documents declarative validation (DV) patterns for interacting with feature gates using
+k8s:ifEnabledand+k8s:ifDisabledtags. The existing doc only covered handwritten validation patterns. As Kubernetes migrates todeclarative validation, feature authors need guidance on:
+k8s:forbidden++k8s:ifEnabledfor feature-gated new API fields+k8s:ifEnabled/+k8s:ifDisabledfor conditional field constraints and enum valuesrest.WithOptionsAlso clarifies existing validation subsections as "Handwritten validation" to disambiguate from the DV approach.
Which issue(s) this PR fixes:
Fixes #