KEP 2211: Omit managedFields server-side

[knight42]

This KEP proposes to omit the managedFields of objects on the server-side if users send a request with a special content type modifier.

Motivation: kubernetes/kubernetes#90066

Rendered

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: knight42
To complete the pull request process, please assign fedebongio after the PR has been reviewed.
You can assign the PR to them by writing /assign @fedebongio in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-api-machinery/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[knight42]

/cc @apelisse

[krmayankk]

what about controller-runtime, or is that taken care of by the client-go ?

[knight42]

My proposed change is providing a helper function in client-go which is able to set the Accept header in rest.Config, so that users could tell the API server they want to omit the managed fields.

Then you could use the modified rest.Config everywhere that needs it and the managed fields should be dropped if the API server recognize the new Accept header.

[apelisse]

I'm still really not convinced we need a mechanism to set a single Accept header.

[wojtek-t]

Agree with @apelisse .

[kwiesmueller]

I wouldn't say need but the header we propose for fallback etc. might not be too known or familiar as an option here that I wouldn't mind having a simpler option that does it for you.
Like PreferNoManagedFields() = header with q= fallback and RequestNoManagedFields() = no fallback.

[knight42]

@kwiesmueller yes that's what I mean by saying "providing a helper function", but it seems there is more we could do on client-side if we need to consider the case that API server cannot recognize this new header and we still want to omit the managed fields.

[apelisse]

@julianvmodesto We'll try to get this KEP merged as provisional quickly, so that you can fill in that section if you're ok with it :-)

[apelisse]

The plan is to implement this using Accept: application/yaml+unmanaged,application/yaml;q=0.9, or simply: Accept: application/yaml+unmanaged,application/yaml

[krmayankk]

what does unmanaged mean here ?

[apelisse]

what does unmanaged mean here ?

Omit the managed fields.

[knight42]

PoC of the server-side changes: kubernetes/kubernetes@master...knight42:feat/strip-managed-fields-server-side

[apelisse]

users and controllers, also impact bandwidth usage, size of internal caches

[apelisse]

Not only when user "requests objects", since pretty much all operations return the final object.

[lavalamp]

Hopefully we are talking about omitting them from the response and not stripping them from the stored object.

[krmayankk]

Why not omitting it from stored object as well ? If a cluster operator has made a conscious decision, it would save a lot of storage for him.

[knight42]

Hopefully we are talking about omitting them from the response and not stripping them from the stored object.

Yes, the original object saved in etcd is left intact.

Why not omitting it from stored object as well

The Server-side Apply feature needs the managedFields.

[apelisse]

If a cluster operator has made a conscious decision, it would save a lot of storage for him.

It's unclear if the trade-offs they're making would be all that conscious.

I'm happy to discuss if there is a specific use-case that you have in mind, but the "Accept" header is not where we would want to strip managedFields from storage.

[lavalamp]

Why not omitting it from stored object as well ?

1. it loses valuable context about the object that other aspects of the system need
2. this would not be the right mechanism for that at all, we'd need to make a setting otherwise it would come back
3. this is primarily about read operations, although it will also work on write operations

[resouer]

+1 to Daniel. Managed field is crucial to automatic config mgmt and a depency for system needs. This proposal should be a minimal UI fix IMO.

A off-topic idea is we may want to bring up some real-world cases how this tech could be properly used by the platform team in server-side apply doc. The main use case on our side is k-o-k configuration mgmt scenario, but it should be more.

[krmayankk]

Sounds good thanks. I agree a different setting is needed. I think until this becomes widespread in usage, the default should be ignored in returns and not stored as well. This is ahead of its time , but definitely a really nice concept.

[apelisse]

That's a good point, along with extra bandwidth

[apelisse]

Even if we don't introduce it just yet, we might have other versions for the encoding of managed fields in the future. Currently, we only have v1. Can we describe how the header would look like if I wanted to request a specific format version of managed fields in the future?

[lavalamp]

"unmanaged" isn't the right word. "omitting.managed.fields", "sans-managed" perhaps.

[lavalamp]

I'd prefer something that was a positive specification rather than negative. So, like we could add "managed.v1" (the default) and "managed.omit" (the new option), which leaves room for v2 etc.

[lavalamp]

This needs to compose with the tabular output content type.

Also I think clients would specify these in the "Accept" header. Ah, it's mentioned below. But better to be specific.

[knight42]

Can we describe how the header would look like if I wanted to request a specific format version of managed fields in the future

I guess this is out of the scope of this KEP, but we could still leave room for it.

@lavalamp IIUC are you suggesting changing the Content-Type to application/{json,yaml,profobuf}.managed.omit?

[apelisse]

let's also look at this really quick: https://trac.tools.ietf.org/html/draft-ietf-appsawg-media-type-regs-14#section-6

[apelisse]

I'm happy to merge this as provisional for now.
/lgtm

[lavalamp]

The serializer would ideally just take the version (either v1 or omit) rather than needing a different one for each version.

[wojtek-t]

Technically, it will be wrapper around existing serializers I think.

[lavalamp]

I don't think we should encourage a combinatorial explosion. We should represent this with a {json/yaml/proto, managed-fields:v1/omit} pair.

[knight42]

@lavalamp Could you elaborate more on the representation please?

[wojtek-t]

+1 to Daniel (modulo the fact that for backward compatibility we need to default to v1 if unset)

This BTW will also reflect the implementation.

[krmayankk]

what is the name of the header ?

[wojtek-t]

Technically, it will be wrapper around existing serializers I think.

[wojtek-t]

Agree with @apelisse .

[wojtek-t]

+1 to Daniel (modulo the fact that for backward compatibility we need to default to v1 if unset)

This BTW will also reflect the implementation.

[wojtek-t]

you need sig-apimachinery approver too (it seems @lavalamp is already looking into it)

[wojtek-t]

We need

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[liggitt]

it's not clear to me why the server-side piece is required... that seems significantly more complex and doesn't remove the need for client-side logic to pass alternate content-type headers. Is the bandwidth savings significant? Why would we not just drop the field in the client?

[lavalamp]

Correct, it's ~30% of the object size if you're in proto mode.

[lavalamp]

Now that you mention it though, why don't we just implement in kubectl and see if controller operators complain? So far all the complaints have just been from users that don't want to see it AFAIK.

[liggitt]

why don't we just implement in kubectl and see if controller operators complain?

I would definitely start there (or somewhere client-side... client-go or cli-runtime or kubectl). If there's good evidence we need to push it further up the stack, doing it with a ;omit=metadata.managedFields modifier or something in a later iteration could be reasonable

[apelisse]

We already have complaints about the network impact:
kubernetes/kubernetes#90066 (comment)

Hi, @apelisse, Due to addition managedFields metadata, payload of the every object got increased by 40%. For example, for simple nginx pod, before <1.18, response was ~6KB and >=1.18, response is 10KB. Ours is monitoring application, we use k8s apis to get the response of all objects (chunked fashion) and we dont use this field. The additional payload significantly costing the cpu and memory. is there any way to express the k8s API to exclude in the response ? If not, having functionality like this will significantly helpful for the clients.

kubernetes/kubernetes#90066 (comment)

As I've mentioned before and as @ganga1980 mentioned as well, the main managed fields problem is not a cosmetic one of hiding them in kubectl, it's a performance one, they increase the CPU, memory and bandwidth utilisation, solving this at the client side is not enough.

it's unclear from these comments what CPU/memory is being affected here.

[krmayankk]

+1 on doing on server side, we have lot of querying and storing the k8s resources, and a 40% increase with no specific near time use will help with bandwidth and processing power of our clients which are making this query continuously. What version was this managedFields introduced in responses from the server side, we might have to plan for this ?

[lavalamp]

If you're worried about storage, just clear client-side. You only need to clear serverside if there's a problem with network bandwidth.

[soltysh]

client-side already has some changes, see kubernetes/kubernetes#91946 which dropped those from edit, but I keep on hearing this over and over that folks want to see those stripped also when doing get.

[smarterclayton]

Ugh, we already have content type modifiers defined for metadata lists. Why are we not using that mechanism?

[lavalamp]

This is what I was trying to ask for 😅

[apelisse]

I didn't know about these 🤷‍♂️

[wojtek-t]

@smarterclayton - you mean thins like "as=Table", "as=PartialObjectMetadata" etc?
Shouldn't those be generic types?

[If you meant those - these doesn't benefit from this optimization yet: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1152-less-object-serializations

• and i think that we don't want to drop this.]

[added later]
It seems that "as" is one potential modifier, another one is e.g. "pretty", which is supported by the optimization above. So I guess we can implement the new modifier to take advantage of the optimization above.

[smarterclayton]

I would prefer to leverage the existing negotiation modifier mechanism, which already handles partial objects. How it's modelled is open to debate, but this feels way too specific to managed fields and has no future proofing.

[liggitt]

handled at https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/negotiate.go#L172-L179, used for things like application/json;as=Table;v=v1;g=meta.k8s.io

[wojtek-t]

@smarterclayton - you mean thins like "as=Table", "as=PartialObjectMetadata" etc?
Shouldn't those be generic types?

[If you meant those - these doesn't benefit from this optimization yet: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1152-less-object-serializations

• and i think that we don't want to drop this.]

[added later]
It seems that "as" is one potential modifier, another one is e.g. "pretty", which is supported by the optimization above. So I guess we can implement the new modifier to take advantage of the optimization above.

[wojtek-t]

+1

[wojtek-t]

Where is this flag? kubectl only?

[wojtek-t]

If you want to target alpha in 1.21, you need to fill PRR and get approval before feature freeze.

[soltysh]

There are parallel efforts for keeping kubectl preferences, compare #2111

[soltysh]

If the functionality doesn't exist on the server then we do nothing. I don't want to repeat the mechanism the sever already have. It'll just be a no-op in those cases.

[soltysh]

client-side already has some changes, see kubernetes/kubernetes#91946 which dropped those from edit, but I keep on hearing this over and over that folks want to see those stripped also when doing get.

[soltysh]

👍 for sig-cli pov, it allows much more flexibility for the future.

[soltysh]

I'm even inclined to have it default to omit.

[soltysh]

I'm not a fan of this approach, I'd prefer seeing the other flag with omit being the default.

[lavalamp]

For some reason github won't let me reply directly to some of @soltysh's comments above, so:

I have a new thought, which is to combine this feature with a filtering feature, so basically there'd be one flag. The paradigm is that this flag consumes the managed fields, and uses them to filter the object:

• --managed-fields-filter=.* take off managed fields, and show all fields.
• --managed-fields-filter=<fieldmanager> take off managed fields, and show only fields managed in the current version by the given field manager*
• --managed-fields-filter=<fieldmanager regexp> take off managed fields, and show all fields managed in the current version by any of the field managers matching the given regexp
• --managed-fields-filter=^$ take off managed fields, and show fields managed by no one.
• --managed-fields-filter= existing behavior-- leave managed fields alone, don't do any filtering

Could be a weird idea, could be useful, what do you think?

[kwiesmueller]

@soltysh my problem with the omit flag is, that it doesn't seem consistent.
Using -o is the direct translation of what happens on the server. We chose a different serializer that removes managedFields and as far as I understand -o is there for exactly that, specifying the serialization the user wants.
This has the additional benefit of allowing us to request different versions of managedFields in the future (-o yaml+managed.v2).

Aside from that technicality, the omit flag doesn't seem like fully deterministic UX to me.
If it is --show-managed-fields then this flag does not really guarantee to do anything in some cases (like when there are no managedFields to show).
What would happen in combination with -o wide or just no -o. Sure, we would not show managedFields as usual, but the user technically is asking for them and we provide them with the option. On the other hand limiting the use of this flag to certain scenarios would make using the CLI harder.

The -o flag would directly translate to the Accept header (imo) so if it can not be provided, it would act just as if you request a format that does not exist.

If the flag would be --omit-managed-fields this would be a little more consistent, but still add a flag for something we already have and can represent while adding a very long flag.

I know this is discussing on a very granular level and making the topic probably more complicated than necessary. There was a vote on Slack and the flag won so I'll go with it. But as you just commented here, I want to raise my concerns while I still can.

[soltysh]

* `--managed-fields-filter=.*` take off managed fields, and show all fields.

I'd love to have default be to filter out managed fields. Rarely folks invoking kubectl care about those managed fields.

* `--managed-fields-filter=^$` take off managed fields, and show fields managed by no one.

Is it possible that a field is not managed by anyone?

* `--managed-fields-filter=` existing behavior-- leave managed fields alone, don't do any filtering

Could be a weird idea, could be useful, what do you think?

@lavalamp I assume this flag would directly translate to params being passed to the server or are you referring to client-side filtering? I still would be a big proponent of having this mechanism on the server. The proposal itself seems reasonable although I'm worried about too much complexity when specifying those, but that's still on the table.

[soltysh]

@kwiesmueller although -o can translate to what the server response looks like it doesn't necessarily have to. Since its inception --output was used to steer the shape of the output. For example, the default output and -o wide are actually printing data from the same tabled output the server provides. I'd prefer to keep that distinction still intact and left kubectl decide only about -o value without coupling it to what we ask the server to print. Yet still, this is still under discussions so I don't want to clearly say yes or no 😉

[apelisse]

For some reason github won't let me reply directly to some of @soltysh's comments above, so:

I have a new thought, which is to combine this feature with a filtering feature, so basically there'd be one flag. The paradigm is that this flag consumes the managed fields, and uses them to filter the object:

• --managed-fields-filter=.* take off managed fields, and show all fields.
• --managed-fields-filter=<fieldmanager> take off managed fields, and show only fields managed in the current version by the given field manager*
• --managed-fields-filter=<fieldmanager regexp> take off managed fields, and show all fields managed in the current version by any of the field managers matching the given regexp
• --managed-fields-filter=^$ take off managed fields, and show fields managed by no one.
• --managed-fields-filter= existing behavior-- leave managed fields alone, don't do any filtering

Could be a weird idea, could be useful, what do you think?

Do we want to have this mechanism available to control the output of every command, including apply, patch, edit, etc? I think what you're describing here makes sense, but there are enough options and controls and it's specific enough that I think it'd be better in its own command rather than as a horizontal flag that applies to all command outputs.

[lavalamp]

I assume this flag would directly translate to params being passed to the server or are you referring to client-side filtering? I still would be a big proponent of having this mechanism on the server.

@soltysh I think it'd be best to implement on the client. I don't really see much benefit in having the server do this for you (it's fairly trivial with the structured-merge-diff library). Maybe if it begins to be a blocker to api clients in other languages.

[lavalamp]

Do we want to have this mechanism available to control the output of every command, including apply, patch, edit, etc? I think what you're describing here makes sense, but there are enough options and controls and it's specific enough that I think it'd be better in its own command rather than as a horizontal flag that applies to all command outputs.

I was only thinking about this for get commands personally. For get commands, my first thought is that it's not good to make users pipe the output through a separate kubectl managed-fields apply ____ command to do the filtering to omit them. For other commands it seems a bit more reasonable? I really don't know.

[soltysh]

Yeah, we have a get in-flight client-side, see kubernetes/kubernetes#96878

[knight42]

As for the server-side changes, it looks like we all agree it is better to leverage the existing negotiation modifier mechanism, so I have updated the design detail in kep, and here is a PoC: kubernetes/kubernetes@master...knight42:feat/server-omit-managed-fields. Reviewers please take another look.

[wojtek-t]

@knight42 - are we going to proceed with this? Or can we close it?

[knight42]

@wojtek-t I would love to proceed, but no one has commented on the updated KEP 😢 , so I am not sure whether it needs further improvement.

[apelisse]

I think we don't have enough evidence that we need this at that time. We can close it and see if people have stronger use-cases that require this, or we can let open. 🤷

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[kwiesmueller]

With SSA in GA now, I still think there can be use-cases where omitting the managedFields server-side could be beneficial.
We've already heard from people complaining about the increased network load and object cache size due to managedFields. While SSA should be useable by any user on the cluster, there might be some selected applications that don't need them and should be able to do without them.

Sadly we didn't get enough energy here to get to a positive conclusion.
I'm gonna set this to
/lifecycle frozen
until we decide to abandon this idea fully or the need grows more.
We should see more feedback with the growing adoption of v1.22 to influence that decision.

[k8s-ci-robot]

@kwiesmueller: The lifecycle/frozen label cannot be applied to Pull Requests.

In response to this:

With SSA in GA now, I still think there can be use-cases where omitting the managedFields server-side could be beneficial.
We've already heard from people complaining about the increased network load and object cache size due to managedFields. While SSA should be useable by any user on the cluster, there might be some selected applications that don't need them and should be able to do without them.

Sadly we didn't get enough energy here to get to a positive conclusion.
I'm gonna set this to
/lifecycle frozen
until we decide to abandon this idea fully or the need grows more.
We should see more feedback with the growing adoption of v1.22 to influence that decision.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@kwiesmueller: The lifecycle/frozen label cannot be applied to Pull Requests.

In response to this:

/lifecycle frozen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[kwiesmueller]

Nevermind, PRs can't be frozen.
Then for the sake of having a proper status, I'll close it and we keep an eye on it in wg-api-expression.
If you have any input regarding this feature please let us know.
/close

[k8s-ci-robot]

@kwiesmueller: Closed this PR.

In response to this:

Nevermind, PRs can't be frozen.
Then for the sake of having a proper status, I'll close it and we keep an eye on it in wg-api-expression.
If you have any input regarding this feature please let us know.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[xiaobaitusi]

Hi k8s experts, I just want to add another data point related to the size issue of managedFields. Basically for operators, e.g. KCC watch a great amount of objects, say over 20K objects, even with metadata-only watch enabled, we have still see a good portion of memory footprint reduction (over 30%) if watches can trim managedFields and the last-applied-configuration annotation (it includes the full spec even in metadata only watch).

Looking at the previous discussion about solving and mitigating the issue on the client side. The ask to reduce memory footprint for watches can potentially belong to controller-runtime library. Can anyone comment on the current thinking about this kep? If it's more appropriate to purpose the light watch in controller-runtime layer?