PodPreset initializer implementation

[jpeeler]

No description provided.

[jpeeler]

This supercedes #1195 (but still WIP currently)

[MHBauer]

@jberkhahn this should interest you. It has the binding stuff.

[pmorie]

I'm not sure why github isn't complaining about this - it looks like it needs rebase.

[jberkhahn]

Reviewed with @MHBauer

[jberkhahn]

Why does this feature-gate flag have no argument associated with it? @MHBauer thinks it should one like the OriginatingIdentity on line 61. Either we should have them all be separate, or they should all be jumbled together.

[MHBauer]

There doesn't seem to be any added gates in this PR. Why does this exist in this PR at all?

[jpeeler]

Good point, it's easier to specify a boolean rather than the feature gate parameter.

[jberkhahn]

Wouldn't it make more sense for this file to be in plugins/pkg/admission with the other admission controllers?

[jpeeler]

I don't think so. The other admission controllers are for the main controller while this admission controller is for the pod preset controller.

[pmorie]

It's not an admission controller, per se - it's a controller that implements an initializer. Fine semantic difference, but this should not go under plugin/pkg

[MHBauer]

Needs to be called "initializer" or something, and the admit should become initialize. I don't want there to be any cross talk of idea/names since they are so different in their lifecycle.

[jberkhahn]

Is there really no generic methods we can use from PodPreset code over in Kubernetes/Kubernetes? Do we really have to rewrite all of this merge stuff ourselves?

[jpeeler]

Not sure, but the original podpreset code was checked into Kubernetes using the same functions.

[jberkhahn]

This comment is kind of cryptic. Maybe "Initialize annotation map for pod preset information" to say that we using it right now. @MHBauer

[jberkhahn]

Is there any reason not to add t.parallel? From: @MHBauer

[jpeeler]

For unit tests like these, I don't see any benefit to adding parallel. If the concern was for speed, test execution of all the podpreset tests on my system takes 0.059s.

[jberkhahn]

Why is this block here?

[jberkhahn]

It seems weird to @MHBauer and I that we need this check. It seems to me that if we get here and the pod no longer needs initialization something has Gone Wrong because we check if the pod still needs initialization in both places. Is there something we're not seeing?

[jpeeler]

I believe you're correct, will remove.

[MHBauer]

It's written as an admission controller, but it can't really be one, because we'll never be able to see pods before the core apiserver. Since we obviously can't get this code into the core to run, we have to find another way.

As an initializer, we need to make sure this code is running. It could probably be done as either another webserver on the controller, or a completely separate entity which means it needs a new image, and possibly other things.

@jpeeler as this is in-progress, depending on how much time you have to push it forward, I think @jberkhahn and I are very interested in getting this through to the end.

As in-progress, and given how much more work seems to be required, not sure if we want to bring the work in, in stages, or try and finish it all in one shot.

[jpeeler]

I added a few files in contrib/examples/podpresets to make this easier to understand how this works. To be clear though, the integration with bindings will come in a later PR.

[jberkhahn]

Why did we switch the package here and nowhere else?

[MHBauer]

I think we need this in the helm chart.

[jpeeler]

Good idea, added.

[jberkhahn]

Hmm, I tried demo-ing this, but I can't get the initializer to work. I create it, but when I go to create the pod, the logs show as no initializers found for the pod, so it skips it.

[jpeeler]

I added the initializer configuration to be deployed with helm, so to repeat the testing I've been doing from contrib/examples/podpresets:

kubectl create -f podpreset-preset.yaml
kubectl create -f pod.yaml
kubectl describe po apod

Verify that pod has mutation annotation and added port environment variable.

[jpeeler]

Prerequisite commands I've been using to test with:

To start k8s, in kubernetes repo:
KUBELET_FLAGS="--serialize-image-pulls=false" ALLOW_SECURITY_CONTEXT=true LOG_LEVEL=5 hack/local-up-cluster.sh -O

To start helm, in catalog repo:
helm install charts/catalog --name catalog --namespace=catalog --set image=service-catalog:canary,imagePullPolicy=Never,apiserver.podPresetEnabled=true

[MHBauer]

I may have started something in the wrong order. I see successfully initialized pods.

[MHBauer]

Is there any possibility that the pods created by helm install would get held up by the creation of the intializer that helm is created? Trying to debug why I failed previously.

[EronWright]

There's an implied ordering here between PodPresets and Pods. Imagine I had a helm chart containing a Deployment and a PodPreset that should be applied to the pods created by the deployment. There's no guarantee that the preset is in place before the pods are created, correct? Is there a mitigation for this or do we assume that pod presets are generally established long before the relevant consumer is deployed?

[pmorie]

Imagine I had a helm chart containing a Deployment and a PodPreset that should be applied to the pods created by the deployment.

Good question. Right now there is no guarantee of ordering that PodPresets make. They only affect pods that are created after the pod preset itself is created.

One next step for this work is to allow deployments to be triggered by the creation of a PodPreset that matches the deployment's label selector. So, for example - if you have a deployment, and later, a PodPreset is created that matches that deployment's label selectors, a new generation of pods will be created.

[pmorie]

I think this is LGTM modulo some minor nits (see below).

I would say we should have a very basic e2e before this gets merged.

[pmorie]

I think this should probably just be "" (the 'special' name for the core API group)

[pmorie]

I think we may want to tease this into a separate controller, or at least one that you can run without running the entire service catalog controller, but this is sufficient for now.

[pmorie]

Is this a @jpeeler todo now?

[n3wscott]

a better way is to use TODO(#issue number):

[pmorie]

how about just podpreset.yaml as the name of this file?

[MHBauer]

I concur.

[pmorie]

It's not an admission controller, per se - it's a controller that implements an initializer. Fine semantic difference, but this should not go under plugin/pkg

[MHBauer]

There appears to be a race condition with the intializers and the pods created for svc-cat.

Can we ignore pods for svc-cat somehow?

[MHBauer]

For example, this is what I see

$ kubectl get pods -n catalog --include-uninitialized catalog-catalog-apiserver-5bc7c8d7fc-hwp56 -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: 2018-03-27T21:33:39Z
  generateName: catalog-catalog-apiserver-5bc7c8d7fc-
  initializers:
    pending:
    - name: podpreset.initializer.k8s.io
  labels:
    app: catalog-catalog-apiserver
    chart: catalog-0.1.8
    heritage: Tiller
    pod-template-hash: "1673748397"
    release: catalog
    releaseRevision: "1"
  name: catalog-catalog-apiserver-5bc7c8d7fc-hwp56

[MHBauer]

I need to retract my "let's put it in helm" statement. I don't see anyway to prevent that from happening.

We can exempt our pods from all initialization, but maybe some other initializer was present, we'd skip the extra one.

Even just sequencing the add of the initializer after the start of the controller is problematic, as if the controller pod ever needs to be destroyed and recreated, the initializer needs to be disabled for that time period. So things will miss initialization during that time period.

Is there some special exemption here that I don't know about? It seems completely untenable.

[jpeeler]

Turns out there really isn't a good way to prevent this ordering issue. I'm looking into not using initializers and instead using a mutating webhook.

[MHBauer]

@jpeeler still active on finding a solution?

[jpeeler]

I'm working on a solution in jpeeler/podpreset-crd. Once it's ready for merging into catalog, I'll close this PR with a link to that PR. Though if people want to just close this PR, then that's fine too.

[pmorie]

We should probably close this PR. Jeff, will you prepareademo for the next SIG meeting?

…

On Mon, May 28, 2018 at 6:45 PM Jeff Peeler ***@***.***> wrote: I'm working on a solution in jpeeler/podpreset-crd. Once it's ready for merging into catalog, I'll close this PR with a link to that PR. Though if people want to just close this PR, then that's fine too. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1754 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAWXmCnenvZErpgowuPt4ObYLimX_u2Nks5t3CmPgaJpZM4SObV-> .

[jpeeler]

I can demo next week.