kube-apiserver identity

[roycaihw]

Enhancement Description

• One-line enhancement description (can be used as a release note): In a HA cluster, each kube-apiserver has an ID. Controllers have access to the list of IDs for living kube-apiservers in the cluster.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1965-kube-apiserver-identity
• Primary contact (assignee): @roycaihw
• Responsible SIGs: sig-api-machinery
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y) 1.20
  • Beta release target (x.y) TBD
  • Stable release target (x.y) TBD

Related PRs:

• Move lease controller: Generalize node lease controller kubernetes#95428
• kube-apiserver lease controller: Add kube-apiserver lease controller kubernetes#95533
• apiserver lease garbage collector: Apiserver lease garbage collector kubernetes#95895
• documentation: document kube-apiserver identity website#24921
• metrics: KEP-1965: update apiserver-identity KEP with metrics #3005

[roycaihw]

/sig api-machinery

[kikisdeliveryservice]

Hi @roycaihw

Enhancements Lead here. Can you confirm that this is intended for alpha in 1.20?

Thanks
Kirsten

[roycaihw]

@kikisdeliveryservice Yes. This feature is intended for alpha in 1.20.

@lavalamp @deads2k Could one of you add this issue to the release 1.20 milestone?

[kikisdeliveryservice]

thanks for the update

/milestone v1.20

[kikisdeliveryservice]

Some KEP updates here:
#1998
#1999

But as a reminder, to be included in a release, by Enhancements Freeze (October 6th) all KEPs:

The KEP must be merged in an implementable state
The KEP must have test plans
The KEP must have graduation criteria.

Also updated description to link directly to merged KEP.

[roycaihw]

@kikisdeliveryservice Thanks for the reminder! Will do.

[kinarashah]

Hi @roycaihw ,

Enhancement shadow for 1.20 release here 👋 . As we're moving closer to the Enhancement Freeze deadline (October 6), just wanted to remind you to update your KEP PR,

We're looking for the KEP PR to have the following before this deadline:

• should have test plans
• should have graduation criteria
• should be merged in implementable state

Thank you!

[roycaihw]

@kinarashah Thanks for the reminder. The KEP is now implementable #1998, and has test plans and graduation criteria.

[kinarashah]

Hi @roycaihw ,

Since your Enhancement is scheduled to be in 1.20, please keep in mind the important upcoming dates:
Friday, Nov 6th: Week 8 - Docs Placeholder PR deadline
Thursday, Nov 12th: Week 9 - Code Freeze

As a reminder, please link all of your k/k PR as well as docs PR to this issue so we can track them.

Thank you!

[reylejano]

Hello @roycaihw , 1.20 Docs shadow here.

Does this enhancement work planned for 1.20 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against the dev-1.20 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Nov 6th.

Also take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[reylejano]

Hi @roycaihw

The docs placeholder deadline is almost here. Please make sure to create a placeholder PR against the dev-1.20 branch in the k/website before the deadline

Also, please keep in mind the important upcoming dates:

• Friday, Nov 6th: Week 8 - Docs Placeholder PR deadline
• Thursday, Nov 12th: Week 9 - Code Freeze
• Monday, Nov 23rd: Week 11 - Docs PR Ready for Review

As a reminder, please link all of your k/k PR as well as docs PR to this issue for the release team to track.

[roycaihw]

Hi @reylejano-rxm, I've created the docs placeholder kubernetes/website#24921 and updated the description with links to related PRs. Thanks!

[kikisdeliveryservice]

Hi @roycaihw

I see that kubernetes/kubernetes#91389 has not yet merged.

Just a reminder that Code Freeze is tomorrow Thursday, November 12th. All PRs must be merged by that date, otherwise an Exception is required.

Thanks,
Kirsten

[roycaihw]

Thanks @kikisdeliveryservice. I think kubernetes/kubernetes#91389 is tracked in the Priority and Fairness feature: #1040 (comment).

The alpha-level functionality for kube-apiserver identity has been implemented. All PRs linked in the description have been merged, except the doc one.

[kikisdeliveryservice]

Great!! Thanks for clarifying - congrats!

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

[rhockenbury]

/label tracked/yes
/remove-label tracked/no
/stage alpha

[rhockenbury]

Hello @enj 👋, 1.26 Enhancements team here.

Just checking in as we approach enhancements freeze TOMORROW on 18:00 PDT on Thursday 6th October 2022.

This enhancement is targeting for stage beta for 1.26 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.26
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to get #3589 merged up to meet the requirements.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[enj]

/assign

@rhockenbury #3589 is open for review.

[rhockenbury]

Thanks. Please try to get #3589 merged up before enhancements freeze later today.

[enj]

@rhockenbury #3589 is merged :)

[rhockenbury]

Great. I have it marked as tracked for v1.26 now.

[cathchu]

Hello @andrewsykim and @enj 👋 1.26 Release Docs shadow here!

This enhancement is marked as ‘Needs Docs’ for 1.26 release. Please follow the steps detailed in the documentation to open a PR against dev-1.26 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by November 9. Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thank you!

[ruheenaansari34]

Hi @roycaihw 👋,

Checking in once more as we approach the 1.26 code freeze at 17:00 PDT on Tuesday 8th November 2022.

Please ensure the following items are completed:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.

If you do have k/k PRs open, other than the PRs in the description, please link them to this issue.

As always, we are here to help should questions come up. Thanks!

[lavalamp]

This is now being led by @andrewsykim, fyi

[krol3]

Hi @roycaihw , Thank you for the draft doc PR here, Please update to Ready for Review, the deadline it's on Tuesday 15th November 2022. Thank you!

CC @cathchu

[andrewsykim]

@krol3 I don't think there's a doc PR open for this yet but I'll get to it later today

[andrewsykim]

I opened a doc PR for the feature gate reference change here; kubernetes/website#37921

I'm not sure yet if we want more detailed documentation for this feature since the main use-cases for it are internal to kubernetes (i.e. StorageVersion API).

[sftim]

If I implement a serverless extension API server (eg using a provider managed API gateway in the cloud, and some serverless compute), what should my aggregated API do in respect of this feature?

[enj]

If I implement a serverless extension API server (eg using a provider managed API gateway in the cloud, and some serverless compute), what should my aggregated API do in respect of this feature?

Aggregated APIs require a Kubernetes service and do not support an external hostname, so you basically always have something on the cluster. Either way, if the extension API server has rest storage, it needs to identify itself somehow, probably based on its current config - i.e. all instances of the same config would have the same identity. Does any such API server exist?

[marosset]

/remove-label lead-opted-in
/remove-label tracked/yes
/label tracked/no
/milestone clear