Design: Dynamic registration of admission controllers and initializers #611
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,9 +14,13 @@ details. | |
|
|
||
| ## Goals | ||
|
|
||
| * Admin is able to predict what initializers/webhooks will be applied to newly | ||
| created objects. | ||
|
|
||
| * Admin needs to be able to ensure initializers/webhooks config will be applied within some bound | ||
|
|
||
| * As a fallback, admin can always restart an apiserver and guarantee it sees the latest config | ||
|
|
||
| * Do not block the entire cluster if the intializers/webhooks are not ready | ||
| after registration. | ||
|
|
||
|
|
@@ -112,29 +116,82 @@ const ( | |
| // AdmissionHookClientConfig contains the information to make a TLS | ||
| // connection with the webhook | ||
| type AdmissionHookClientConfig struct { | ||
| // Service is a reference to the service for this webhook. It must communicate | ||
| // on port 443 | ||
| Service ServiceReference | ||
| // CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. | ||
| CABundle []byte | ||
| } | ||
|
|
||
| // ServiceReference holds a reference to Service.legacy.k8s.io | ||
| type ServiceReference struct { | ||
| // Namespace is the namespace of the service | ||
| Namespace string | ||
| // Name is the name of the service | ||
| Name string | ||
| } | ||
| ``` | ||
|
|
||
| ## Synchronization of AdmissionControlConfiguration | ||
|
|
||
| If the `initializer admission controller` and the `generic webhook admission | ||
| controller` watch the `AdmissionControlConfiguration` and act upon deltas, their | ||
| cached version of the configuration might be arbitrarily delayed. This makes it | ||
| impossible to predict what initializer/hooks will be applied to newly created | ||
| objects. | ||
|
|
||
| We propose two ways to make the behavior of the `initializer admission | ||
| controller` and the `generic webhook admission controller` predictable. | ||
|
|
||
| #### 1. Do consistent read of AdmissionControlConfiguration periodically | ||
|
There was a problem hiding this comment. @wojtek-t how do you like this approach suggested by @smarterclayton ? It should be much lighter. There was a problem hiding this comment. Let's start out with this option. Seems way easier. It is not super important that these things get applied instantly. There was a problem hiding this comment. @caesarxuchao - I'm completely fine with this option.
1qps will not be visible and this will give us some tolerance on unsuccessful reads (which may happen from time to time). WDYT? There was a problem hiding this comment. @wojtek-t it sounds good. I'll incorporate it to the doc. |
||
|
|
||
| The `initializer admission controller` and the `generic webhook admission | ||
| controller` do a consistent read of the AdmissionControlConfiguration either 30s | ||
| after the last read, or when there is a request that needs the two controllers to | ||
| apply the configuration, whichever comes later. | ||
|
|
||
| If the read fails, the two admission controllers block all incoming request. | ||
|
|
||
| #### 2. Always do a consistent read of a smaller object | ||
|
|
||
| A consistent read of the AdmissionControlConfiguration object is expensive, we | ||
| cannot do it for every incoming request. | ||
|
|
||
| Alternatively, we record the resource version of the AdmissionControlConfiguration | ||
| in a configmap. The apiserver that handles an update of the AdmissionControlConfiguration | ||
| updates the configmap with the updated resource version. In the HA setup, there | ||
| are multiple apiservers that update this configmap, they should only | ||
| update if the recorded resource version is lower than the local one. | ||
|
|
||
| The `initializer admission controller` and the `generic webhook admission | ||
| controller` do a consistent read of the configmap *everytime* before applying | ||
| the configuration to an incoming request. If the configmap has changed, then | ||
| they do a consistent read of the `AdmissionControlConfiguration`. | ||
|
|
||
| ## What if an initializer controller/webhook is not ready after registered? (**optional for alpha implement**) | ||
|
There was a problem hiding this comment. this is unclear to me-- is the first step going to create things fail-open or fail-closed? (I think we should do fail-open for 1.7 and add fail-closed behavior later when this feature grows up) There was a problem hiding this comment. As long as it is explicitly specified that it is fail open |
||
|
|
||
| This will block the entire cluster. We have a few options: | ||
|
|
||
| 1. only allow initializers/webhooks to be created as "fail open". This could be | ||
| enforced via validation. They can upgrade themselves to "fail closed" via the | ||
| normal Update operation. A human can also update them to "fail closed" later. | ||
|
|
||
| 2. less preferred: add readiness check to initializer and webhooks, `initializer | ||
| admission controller` and `generic webhook admission controller` only apply | ||
| those have passed readiness check. Specifically, we add `readiness` fields to | ||
| `AdmissionControllerConfiguration`; then we either create yet another | ||
| controller to probe for the readiness and update the | ||
| `AdmissionControllerConfiguration`, or ask each initializer/webhook to update | ||
| their readiness in the `AdmissionControllerConfigure`. The former is complex. | ||
| The latter is essentially the same as the first approach, except that we need | ||
| to introduce the additional concept of "readiness". | ||
|
|
||
|
|
||
| ## Considered bug REJECTED synchronization mechinism: | ||
|
|
||
|
|
||
| #### Rejected 1. Always do consistent read | ||
|
|
||
| Rejected because of inefficiency. | ||
|
|
||
| The `initializer admission controller` and the `generic webhook admission | ||
| controller` always do consistent read of the `AdmissionControlConfiguration` | ||
|
|
@@ -143,16 +200,10 @@ every CREATE request. Because the two admission controllers are in the same | |
| process as the apiserver, the latency mainly consists of the consistent read | ||
| latency of the backend storage (etcd), and the proto unmarshalling. | ||
|
There was a problem hiding this comment. Fairly expensive today. Thinking about this... watch from within the same etcd server is effectively free. We need to guarantee that the clock time for any given ACC is within some bound (because an admission controller can be arbitrarily delayed between when the data is read from etcd and when it applies the rules, so a hard boundary is probably too hard). The scenario of greatest concern is when an apiservers watch client is delayed relative to the mutation operations being executed, perhaps due to a network hang. If we had a single etcd watch on a set of key ranges, our minimum bound is:
That can degrade to just performing a consistent read from each api server every X seconds and delaying / rejecting requests until the read returns. There was a problem hiding this comment. Said another way, our etcd client simply has to ensure that the open watch channel from the server that also watches ACC has delivered ANY event within the time window we care about. There was a problem hiding this comment. I don't know if the etcd client and server preserve the guarantee that would be necessary for the optimization there though. The client has to construct a watch, and the etcd server has to guarantee a "delivered before" behavior over the connection (event on ACC key has to be delivered before another key with higher index). gRPC substreams (one for each watch) might not support that if two watches are in different sub streams because the packets for the one stream can be delayed. There was a problem hiding this comment. Or the api server write to the endpoints object has to track the member observed high etcd index and delay writes if other members of the cluster have higher observed indices (if the watch cache value is higher than the read value of the GET on endpoints) There was a problem hiding this comment. I kind of like the upper bound and the degrading thing. Will make e2e tests slow though. There was a problem hiding this comment. So from first principles:
Those are good goals for an alpha api. To just do 3, could we:
Tests would have to get clever about verifying the config is working. If we're concerned, we can simply add a watch on the config objects and always use the latest, but the consistent read must succeed every 30s. That would allow tests to work most of the time. There was a problem hiding this comment. Why is 2 an explicit goal? That sounds very easy to achieve. Sure. I'll add this option to the doc, and let's see if we are on the same page. There was a problem hiding this comment. I just mean as - it's the thing that they have to do today, and it's worked so far. So it's ok to say "you must restart your masters to guarantee the latest config applied", which is probably reasonable. There was a problem hiding this comment. @smarterclayton - got it. Thanks a lot for explanation. That makes perfect sense to me. |
||
|
|
||
|
|
||
| #### Rejected 2. Don't synchronize, but report what is the cached version | ||
|
|
||
| Rejected because it violates Goal 2 on the time bound. | ||
|
|
||
| The main goal is *NOT* to always apply the latest | ||
| `AdmissionControlConfiguration`, but to make it predictable what | ||
|
|
@@ -165,50 +216,3 @@ observedGeneration and predict if all the initializer/hooks listed in the | |
| In the HA setup, the `observedGeneration` reported by of every apiserver's | ||
| `initializer admission controller` and `generic webhook admission controller` | ||
| are different, so the API needs to record multiple `observedGeneration`. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would say-- if multiple ports are exposed, it will use 443 if available and be an error condition otherwise. If only a single port is exposed it can just use that.