Skip to content

Commit

Permalink
Allow special characters environment variable
Browse files Browse the repository at this point in the history
  • Loading branch information
HirazawaUi committed Dec 21, 2023
1 parent 56b0982 commit 36476b0
Show file tree
Hide file tree
Showing 2 changed files with 326 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,284 @@
# KEP-4369: Allow special characters in environment variables

- [Release Signoff Checklist](#release-signoff-checklist)
- [Summary](#summary)
- [Motivation](#motivation)
- [Goals](#goals)
- [Non-Goals](#non-goals)
- [Proposal](#proposal)
- [User Stories (Optional)](#user-stories-optional)
- [Story 1](#story-1)
- [Story 2](#story-2)
- [Risks and Mitigations](#risks-and-mitigations)
- [Design Details](#design-details)
- [Test Plan](#test-plan)
- [Prerequisite testing updates](#prerequisite-testing-updates)
- [Unit tests](#unit-tests)
- [Integration tests](#integration-tests)
- [e2e tests](#e2e-tests)
- [Graduation Criteria](#graduation-criteria)
- [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
- [Version Skew Strategy](#version-skew-strategy)
- [Production Readiness Review Questionnaire](#production-readiness-review-questionnaire)
- [Feature Enablement and Rollback](#feature-enablement-and-rollback)
- [Rollout, Upgrade and Rollback Planning](#rollout-upgrade-and-rollback-planning)
- [Monitoring Requirements](#monitoring-requirements)
- [Dependencies](#dependencies)
- [Scalability](#scalability)
- [Troubleshooting](#troubleshooting)
- [Implementation History](#implementation-history)
- [Drawbacks](#drawbacks)
- [Alternatives](#alternatives)
- [Infrastructure Needed (Optional)](#infrastructure-needed-optional)
<!-- /toc -->

## Release Signoff Checklist

<!--
**ACTION REQUIRED:** In order to merge code into a release, there must be an
issue in [kubernetes/enhancements] referencing this KEP and targeting a release
milestone **before the [Enhancement Freeze](https://git.k8s.io/sig-release/releases)
of the targeted release**.
For enhancements that make changes to code or processes/procedures in core
Kubernetes—i.e., [kubernetes/kubernetes], we require the following Release
Signoff checklist to be completed.
Check these off as they are completed for the Release Team to track. These
checklist items _must_ be updated for the enhancement to be released.
-->

Items marked with (R) are required *prior to targeting to a milestone / release*.

- [ ] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR)
- [ ] (R) KEP approvers have approved the KEP status as `implementable`
- [ ] (R) Design details are appropriately documented
- [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
- [ ] e2e Tests for all Beta API Operations (endpoints)
- [ ] (R) Ensure GA e2e tests meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
- [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
- [ ] (R) Graduation criteria is in place
- [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
- [ ] (R) Production readiness review completed
- [ ] (R) Production readiness review approved
- [ ] "Implementation History" section is up-to-date for milestone
- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes

[kubernetes.io]: https://kubernetes.io/
[kubernetes/enhancements]: https://git.k8s.io/enhancements
[kubernetes/kubernetes]: https://git.k8s.io/kubernetes
[kubernetes/website]: https://git.k8s.io/website

## Summary

Allow all printable ASCII except '=', to be set as environment variables.

## Motivation

Kubernetes should not restrict which environment variable names can be used, because it has no way of knowing what the application may need, and people can't always choose their own variable names, which may limit the adoption of Kubernetes.

### Goals

* Allow users to set printable ASCII other than '=' as environment variables.

### Non-Goals

## Proposal

* Implements relaxed validation at the top level validation method when validating API create requests.
* Document rules for setting environment variables.

#### Risks and Mitigations

### User Stories (Optional)

#### Story 1

I am a .NET Core development engineer, .Net Core applications are using ":" when working with application settings loaded from appsettings.json file. When running .net core app in containers typically overwrite this settings by specifying environmental variable.
such as:
`"Logging": { "IncludeScopes": false, "LogLevel": { "Default": "Warning" } }`
override like this `-e Logging:LogLevel:Default=Debug`

## Design Details

- A feature gate name `RelaxedValidationEnvironment` controlling the loosening of the envvar name validation, initially in alpha state and defaulting to false
- Two sets of validation logic for envvar names:
- Current validation
- Relaxed validation
- Everywhere we validate envvar names in API objects, plumbing a parameter whether we want the strict or relaxed validation
- At the top level validation method when validating API create requests, use the strict validation if the feature gate is off
- At the top level validation method when validating API update requests, use the strict validation if the feature gate is off and the old object passes strict envvar name validation

### Test Plan

[x] I/we understand the owners of the involved components may require updates to
existing tests to make this code solid enough prior to committing the changes necessary
to implement this enhancement.

##### Prerequisite testing updates

##### Unit tests

Currently coverages:

* pkg/apis/core/validation/validation_test.go: `2023-12-21` - `83.9%`
* pkg/kubelet/kubelet_pods_test.go: `2023-12-21` - `83.9%`
* staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go: `2023-12-21` - `94.8%`

These tests will be added:

* New tests will be added to ensure environment variable fields can be correctly validated `pkg/apis/core/validation/validation_test.go`
* A new test will be added to ensure that the environment variable name field is valid `staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go`
* Add a new test that sets special character environment variables for pods in a given namespace `pkg/kubelet/kubelet_pods_test.go`

##### Integration tests

- N/A

##### e2e tests

* Add a test to `test/e2e/common/configmap.go` to test that the special characters in configmap are consumed by the environment variable.

* Add a test to `test/e2e/common/secret.go` to test that the special characters in secret are consumed by the environment variable.

* Add a test to `test/e2e/common/expansion` to test environment variable can contain special characters.

### Graduation Criteria

#### Alpha

- Created the feature gate and implement the feature, disabled by default.
- Add unit and e2e tests for the feature.

#### Beta

- Solicit feedback from the Alpha.
- Ensure tests are stable and passing.

#### GA

- No issues reported during two releases.

### Upgrade / Downgrade Strategy

#### Upgrade

Environment variables previously set by the user will not change. To use this enhancement, users need to enable the feature gate

#### Downgrade

users need to reset their environment variables for special characters to normal characters.

### Version Skew Strategy

kubelet and kube-apiserver will need to enable feature gates to use this feature.

If kube-apiserver is not enabled feature gate will use strict validation.

If kube-apiserver enabled the feature gate, but kubelet does not enable the feature gate, kubelet will refuse to set environment variables to special characters.

## Production Readiness Review Questionnaire

### Feature Enablement and Rollback

###### How can this feature be enabled / disabled in a live cluster?

- [x] Feature gate (also fill in values in `kep.yaml`)
- Feature gate name: RelaxedValidationEnvironment
- Components depending on the feature gate: kube-apiserver, kubelet

###### Does enabling the feature change any default behavior?

No

###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?

If close the feature gate, already running workloads will not be affected in any way,
but workloads that use special characters as environment variables will not be created.

###### What happens if we reenable the feature if it was previously rolled back?

The feature should continue to work just fine.

###### Are there any tests for feature enablement/disablement?

Yes.

### Rollout, Upgrade and Rollback Planning

###### How can a rollout or rollback fail? Can it impact already running workloads?

When a feature gate is closed, already running workloads are not affected in any way, but update fields for workload will cause the workload to fail.

###### What specific metrics should inform a rollback?

N/A

###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested?

N/A

###### Is the rollout accompanied by any deprecations and/or removals of features, APIs, fields of API types, flags, etc.?

No.

### Monitoring Requirements

- N/A

### Dependencies

N/A

###### Does this feature depend on any specific services running in the cluster?

No.

### Scalability

###### Will enabling / using this feature result in any new API calls?

No

###### Will enabling / using this feature result in introducing new API types?

No

###### Will enabling / using this feature result in any new calls to the cloud provider?

No

###### Will enabling / using this feature result in increasing size or count of the existing API objects?

No

###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?

No

###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components?

No

###### Can enabling / using this feature result in resource exhaustion of some node resources (PIDs, sockets, inodes, etc.)?

No

### Troubleshooting

###### How does this feature react if the API server and/or etcd is unavailable?

###### What are other known failure modes?

###### What steps should be taken if SLOs are not being met to determine the problem?

## Implementation History

\- 2023-12-21: Initial draft KEP

## Drawbacks

## Alternatives

## Infrastructure Needed (Optional)
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
title: Allow special characters environment variable
kep-number: 4369
authors:
- "@HirazawaUi"
owning-sig: sig-node
participating-sigs:
- sig-api-machinery
status: provisional
creation-date: 2023-12-21
reviewers:
- "@liggitt"
- "@thockin"
approvers:
- "@liggitt"
- "@thockin"

see-also: []
replaces: []

# The target maturity stage in the current dev cycle for this KEP.
stage: alpha

# The most recent milestone for which work toward delivery of this KEP has been
# done. This can be the current (upcoming) milestone, if it is being actively
# worked on.
latest-milestone: "v1.30"

# The milestone at which this feature was, or is targeted to be, at each stage.
milestone:
alpha: "v1.30"

# The following PRR answers are required at alpha release
# List the feature gate name and the components for which it must be enabled
feature-gates:
- name: RelaxedValidationEnvironment
components:
- kube-apiserver
- kubelet
disable-supported: true

# The following PRR answers are required at beta release
metrics: []

0 comments on commit 36476b0

Please sign in to comment.