KEP-3746 - Initial KEP for specifying root-fs volume size for Windows containers

[marosset]

• One-line PR description:

• Issue link: Specify root-fs volume size for Windows containers #3746

• Other comments:

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: marosset
Once this PR has been reviewed and has the lgtm label, please assign wojtek-t for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-windows/OWNERS [marosset]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jsturtevant]

what about running less than 20gb?

[jsturtevant]

ah I see you mentioned it down here. Maybe could link to the various issues we've gotten related to this?

[liggitt]

agree storage is ambiguous in how it interacts with mounted volumes... would a more explicit rootfs-storage be better?

also, is there a reason this would not apply to both linux and windows?

[liggitt]

what was the resolution of the name storage being ambiguous?

[liggitt]

I'm guessing this would be added to a lot of the places we include ephemeral storage, in terms of validation.

See use of EphemeralStorage in https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/core/helper/helpers.go, which fans out to helper methods like IsStandardContainerResourceName, IsStandardResourceName, IsStandardQuotaResourceName, etc.

Any validation of resources and allowed values for resources would need to consider skew so we don't persist data an n-1 API server or controller would choke on.

[marosset]

Updated - PTAL

[liggitt]

not seeing the update, still looks like N/A

[liggitt]

I left a comment at #3951 (comment) with a sketch of how to relax validation safely and be sure you are considering the impact on all callers

[marosset]

/api-review

[liggitt]

what was the resolution of the name storage being ambiguous?

[liggitt]

Relaxing validation has to be done over two releases. Otherwise, we allow data to be persisted that will be considered invalid by the previous release of the API server (which could still be running in a multi-server cluster during rolling upgrade).

I would suggest doing the following:

1. in pkg/apis/core/validation/validation.go, add an AllowContainerStorageResource bool field to PodValidationOptions
2. make sure that options struct is passed through all validation functions down to ValidateContainerResourceName
   • this will reveal lots of call paths that lead to this function, all of which have to consider whether to allow the relaxed data or not
   • in ValidateContainerResourceName, only allow the relaxed validation if the AllowContainerStorageResource field is true
3. in GetValidationOptionsFromPodSpecAndMeta, compute the validation options based on the new and old object
   • in this release
     • on create (new object is non-nil, old object is nil), set the AllowContainerStorageResource field to true only if the feature gate is enabled
     • on update, set the AllowContainerStorageResource field to true only if the old object already has a container using the storage resource or the feature is enabled
   • in a future release, enable the feature gate
   • in an even more future release, graduate the feature gate and remove the option check

[liggitt]

not seeing the update, still looks like N/A

[jpbetz]

Just to clarify, any existing pods that have been admitted with a root-fs size other than 20Gb will continue to run at the configured size even if the feature is turned off?

[marosset]

Yes, I would expect a pod that has been admitted with a root-fs size other than 20Ggb would continue to run at the configures size after the feature was turned off.

[jpbetz]

Would you add this detail to the KEP? Thanks!

[k8s-ci-robot]

@marosset: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-enhancements-test	885c570	link	true	/test pull-enhancements-test
pull-enhancements-verify	885c570	link	true	/test pull-enhancements-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[johnbelamaric]

Please update with me as approver, and make the addition Joe asked for and I can approve PRR.

[johnbelamaric]

please but me here

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.