TEP-0029 Technical design for Step & Sidecar Workspaces #260
Conversation
tekton-robot
added
the
size/L
ghost
changed the title
|
/kind tep |
tekton-robot
added
the
kind/tep
|
/test pull-community-teps-lint |
1 similar comment
|
/test pull-community-teps-lint |
teps/0029-step-workspaces.md
Outdated
| ## Drawbacks | ||
|
|
||
| - If we were to pursue the idea of a shareable `Step` type then we would need to find some way to map from | ||
| the workspaces a Task declares into those that a referenced `Step` declares. |
There was a problem hiding this comment.
good point! and i think we'd run into that for params (and maybe results??) too
| - If we were to pursue the idea of a shareable `Step` type then we would need to find some way to map from | ||
| the workspaces a Task declares into those that a referenced `Step` declares. | ||
| - It takes the `Step` and `Sidecar` types further from being "pure" k8s Container. However we've already | ||
| made moves in this direction by introducing our own `Script` field to `Steps` and `Sidecars`. |
There was a problem hiding this comment.
one more potential drawback/risk: automounting workspaces into sidecars could have some kinda unexpected side effect. seems pretty unlikely, but it's possible (e.g. if someone was using a sidecar that mounts something at the same path as a workspace?? pretty far fetched tho)
| additional Tekton-specific context and behaviour (i.e. the additional constraint | ||
| that adding a workspace volume to a `volumeMount` entry will prevent other Steps | ||
| from receiving that `workspace` unless they too include it in their | ||
| `volumeMounts` list). |
There was a problem hiding this comment.
it also removes some of the abstraction that workspaces add - i like that (in my mind anyway) workspaces could be fulfilled by anything the underlying system chooses but by using volume mounts we're saying explicitly it's a mounted volume - and i think we'd have to decide which of the fields at https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#volumemount-v1-core to support
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bobcatfish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
Updated status to implementable and updated the TOC. |
ghost
mentioned this pull request
There was a problem hiding this comment.
a late coming comment and possible ask for clarification @sbwsg
please apply non-SME type of disclaimers to my question :-)
| workspaces: | ||
| - name: my-sensitive-workspace | ||
| ``` | ||
| 3. When a `workspace` is listed in a Step, it is no longer automatically mounted - either to |
There was a problem hiding this comment.
apologies in advance for coming late to this, and possibly re-introducing prior discussion, as well as coming in without hands on experience with sidecars
but the is no longer automatically mounted text implies a change in behaviour and "breaking API change" of sorts
is my non-SME interpretation correct? if so, should this TEP be explicit in stating "a breaking API change is being suggested to facilitate X/Y/Z" ?
some of the referenced design docs may claim that more decisively (apologies, I did not search them for such), but I would contend that detail of such ilk should be surfaced in the TEP.
conversely, if this is not a breaking API sort of change, perhaps some clarification somewhere in the TEP as to why that is the case would help those coming in later on to the discussion
WDYT @sbwsg ?
thanks
There was a problem hiding this comment.
@gabemontero thanks for reviewing!
"is no longer automatically mounted" -> Sorry for the confusion. It's definitely not a breaking API change because we haven't had "Step-level" workspaces before this. So it's a new behaviour that the user opts in to by adding the workspace to a Step. They couldn't do this before - add a workspace to a Step - and by doing so they're effectively saying "I only want this Step to have access to this workspace."
Here's what a Task with workspaces currently looks like:
spec:
workspaces:
- name: foo # All Steps get this workspace (they're automatically mounted to all Steps)
steps:
- image: ubuntu
script: # ...and here's the new thing we're adding:
spec:
workspaces:
- name: foo
steps:
- image: ubuntu
workspaces:
- name: foo # Only this Step gets this workspace (they're no longer automatically mounted to all Steps)
script: # ...There was a problem hiding this comment.
I'll take another breeze through this doc and try to clarify that language.
There was a problem hiding this comment.
ah OK good to know @sbwsg
the before / after yaml's together like that are concise and make the net change clear ... adding the before yaml right before the existing after yaml and changing that text would benefit me at least
thanks
There was a problem hiding this comment.
Added an explicit before/after example at the top of the Proposal section. Cheers!
There was a problem hiding this comment.
OK the new adding new API / behavior but preserving existing API / behavior verbiage makes it very clear now @sbwsg thanks!
LGTM
I'll circle back tomorrow to see if others have chimed in or our planning to chime in soon for the "multi-company" sign off, otherwise I can do it if needed.
There was a problem hiding this comment.
@vdemeester says he is going to look at this today @sbwsg .... I'll defer to him on LGTM-ing
| - name: my-workspace | ||
| ``` | ||
|
|
||
| 4. When a `workspace` is listed in a Sidecar, it is no longer automatically mounted - either to |
There was a problem hiding this comment.
same note as above on the no longer automatically mounted text
tekton-robot
added
lgtm
In f22828 we introduced a new TEP describing two problems: first, Sidecars don't have access to Workspaces. Second: Workspaces are globally available to all Steps all of the time. For sensitive data this is less than ideal - preferably a Task should be able to declare precisely which Steps or Sidecars are allowed to access a given Workspace. This commit adds a technical design to TEP-0029 that shows how we can add both Workspace support to Sidecars as well as a mechanism for isolating Workspaces to specific Steps/Sidecars in a Task.
In f22828 we introduced a new TEP describing two problems: first, Sidecars
don't have access to Workspaces. Second: Workspaces are globally available to all
Steps all of the time. For sensitive data this is less than ideal - preferably a
Task should be able to declare precisely which Steps or Sidecars are allowed to
access a given Workspace.
This commit adds a technical design to TEP-0029 that shows how we can add both
Workspace support to Sidecars as well as a mechanism for isolating Workspaces
to specific Steps/Sidecars in a Task.