Immutable Secrets and ConfigMaps #1412

Closed
wojtek-t opened this issue Dec 17, 2019 · 48 comments · Fixed by #2615
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/node Categorizes an issue or PR as relevant to SIG Node. sig/scalability Categorizes an issue or PR as relevant to SIG Scalability. sig/storage Categorizes an issue or PR as relevant to SIG Storage. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team

Comments

@wojtek-t
Member

wojtek-t commented Dec 17, 2019

Enhancement Description

Please keep this description up to date. This will help the Enhancement Team efficiently track the evolution of the enhancement.

@wojtek-t wojtek-t self-assigned this Dec 17, 2019
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Dec 17, 2019
@wojtek-t
Member Author

wojtek-t commented Dec 17, 2019

/sig storage
/sig node
/sig scalability

@saad-ali

@k8s-ci-robot k8s-ci-robot added sig/storage Categorizes an issue or PR as relevant to SIG Storage. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/scalability Categorizes an issue or PR as relevant to SIG Scalability. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 17, 2019
@wojtek-t
Member Author

wojtek-t commented Dec 17, 2019

/stage alpha

@k8s-ci-robot k8s-ci-robot added the stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status label Dec 17, 2019
@palnabarun palnabarun added the tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team label Dec 17, 2019
@wojtek-t
Member Author

wojtek-t commented Dec 18, 2019

@palnabarun - KEP has just been approved as implementable; can we start tracking it?

@palnabarun
Member

palnabarun commented Dec 18, 2019

Hi @wojtek-t , the 1.18 Enhancements team will reach out when the release cycle for 1.18 begins to flip the tracked status and set the milestone.

Thank you for the updates on this enhancement.

@jeremyrickard
Contributor

jeremyrickard commented Jan 10, 2020

@wojtek-t Thanks for the update. We'll track this for 1.18.

For your awareness, the release schedule is:

Monday, January 6th - Release Cycle Begins
Tuesday, January 28th EOD PST - Enhancements Freeze
Thursday, March 5th, EOD PST - Code Freeze
Monday, March 16th - Docs must be completed and reviewed
Tuesday, March 24th - Kubernetes 1.18.0 Released

Please make sure all the k/k PRs link here so we can track them.

@jeremyrickard
Contributor

jeremyrickard commented Jan 10, 2020

/milestone v1.18

@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Jan 10, 2020
@jeremyrickard jeremyrickard added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels Jan 10, 2020
@liggitt liggitt added the kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API label Jan 30, 2020
@VineethReddy02

VineethReddy02 commented Feb 5, 2020

Hello, @wojtek-t I'm 1.18 docs lead.
Does this enhancement work planned for 1.18 require any new docs (or modifications to existing docs)? If not, can you please update the 1.18 Enhancement Tracker Sheet (or let me know and I'll do so)?
If so, just a friendly reminder we're looking for a PR against k/website (branch dev-1.18) due by Friday, Feb 28th; it can just be a placeholder PR at this time. Let me know if you have any questions!

@wojtek-t
Member Author

wojtek-t commented Feb 6, 2020

Yes we will add some doc - I will open it by the deadline.

@johnbelamaric
Contributor

johnbelamaric commented Feb 11, 2020

Hey @wojtek-t, code freeze is March 5. Please link any PRs that are needed to complete this for 1.18, so we can track them in the release team. Thanks!

@wojtek-t
Member Author

wojtek-t commented Feb 12, 2020

We seem to be code-complete, unless we find some issue. So only docs are missing.

@VineethReddy02

VineethReddy02 commented Feb 21, 2020

Hello @wojtek-t
We are close to the docs placeholder PR deadline, i.e. less than a week left for the docs placeholder PR against the dev-1.18 branch. Having a placeholder PR in place will definitely help us in tracking enhancements much better.

Thanks! :)

@wojtek-t
Member Author

wojtek-t commented Feb 25, 2020

I opened kubernetes/website#19297 - it's the only remaining thing for Alpha

@wojtek-t
Member Author

wojtek-t commented Mar 13, 2020

We seem to be complete for Alpha.

@paulgmiller

paulgmiller commented Nov 7, 2020

@wojtek-t If you have a cluster with a large count of big unconsumed secrets, this won't help the initial list that kubelet does to start its watches, right?

Was looking at large memory spikes when heavy users of helm restart many kubelets at once (helm/helm#8977) and was hoping making the releases helm stores immutable would help, but since nobody watches them it looks like it would only impact correctness, not api server load.

@wojtek-t
Member Author

wojtek-t commented Nov 8, 2020

> @wojtek-t If you have a cluster with a large count of big unconsumed secrets, this won't help the initial list that kubelet does to start its watches, right?

I think I'm not fully following. When Kubelet is observing a new pod (or an update of an existing one), it is doing a get (technically it's a list with a field selector for metadata.name, which translates it to a get) for all not-yet-watched ones. Each of them is pretty cheap on its own, as it basically returns a single item.

Kubelet is NOT listing/watching anything that none of its own pods are mounting.

I didn't read the whole helm/helm#8977 but the initial analysis doesn't seem correct because of the above. You would need to look into what kinds of requests are happening on kube-apiserver to understand better.

@paulgmiller

paulgmiller commented Nov 8, 2020

Hmm, my assumption was that kubelet was doing a list/watch on all secrets at startup so it could update any mounted secret for its pods. Let me confirm what we're seeing in clusters with heavy large secret usage at kubelet startup.

@wojtek-t
Member Author

wojtek-t commented Nov 8, 2020

Yeah - that's not true. Kubelet is not listing everything - it's getting/watching one-by-one and only those that are used by the pods it's running.

@xing-yang
Contributor

xing-yang commented Jan 6, 2021

/milestone v1.21

@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Jan 6, 2021
@xing-yang
Contributor

xing-yang commented Jan 6, 2021

Updated KEP is merged: #2179

@annajung annajung added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team stage/beta Denotes an issue tracking an enhancement targeted for Beta status labels Jan 14, 2021
@annajung
Member

annajung commented Jan 25, 2021

Hi @wojtek-t, 1.21 Enhancements Lead here.
I see that you’ve opted in this enhancement into 1.21, but I also see that this is tagged with participation from the SIG app, node, scalability. Is that accurate? If so, is there work that other SIGs must deliver in 1.21 as well?

@wojtek-t
Member Author

wojtek-t commented Jan 25, 2021

With kubernetes/kubernetes#97615 we're already code-complete.
The only missing bit is to update the documentation to reflect that the feature will get GA-ed.

@apelisse
Member

apelisse commented Jan 28, 2021

cc @xiaobaitusi

@wojtek-t
Member Author

wojtek-t commented Feb 12, 2021

kubernetes/website#26477 opened for documentation

@wojtek-t
Member Author

wojtek-t commented Feb 17, 2021

kubernetes/website#26477 has merged

This is now both:

  • code-complete
  • documentation complete

@annajung
Member

annajung commented Feb 17, 2021

Hi @wojtek-t

With code/doc complete, if you update the kep.yaml to reflect a status of implemented, we can also close out this issue.

@wojtek-t
Member Author

wojtek-t commented Feb 17, 2021

Let's wait until code-freeze to ensure nothing will get reverted. And I will do that.

@annajung
Member

annajung commented Apr 8, 2021

Hi @wojtek-t friendly reminder to update the kep status (#1412 (comment)) so that this issue can be closed out :) thanks!

@wojtek-t
Member Author

wojtek-t commented Apr 9, 2021

#2615 out for review

@JamesLaverack JamesLaverack added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Apr 25, 2021