Sts per Pod Name Label

[kow3ns]

What this PR does / why we need it:
StatefulSet controller will add a label for each Pod in the StatefulSet. The label is of the form
statefulset.kubernetes.io/pod-name: <pod.Name>. This allows a unique service to be created for each Pod in the StatefulSet.

Fixes #44103, #28660

StatefulSet controller will create a label for each Pod in a StatefulSet. The label is named statefulset.kubernetes.io/pod-name and it is equal to the name of the Pod. This allows users to create a Service per Pod to expose a connection to individual Pods.

[enisoc]

Do we have conventions for machine-managed label names? For controller revision, we use controller.kubernetes.io/hash. For failure domains, we use failure-domain.beta.kubernetes.io/region. For Deployment, we use pod-template-hash.

Also, should we put this constant in types.go for a given API version like the others?

[kow3ns]

Also, should we put this constant in types.go for a given API version like the others?

The label is not version specific, and, by convention, the versioning seems to only apply to annotations. If we were to move it, I think the only other appropriate home would well_know_labels.go in the apis package.

I just want the name to be easily usable statefulset.kubernetes.io/podName is fine with me, but as you point out we don't have conventions. It would be good to start a trend though. Do you have thoughts on a better name?

[enisoc]

Do we lose anything by making the label just the ordinal, instead of the whole Pod name?

I think it's more flexible. For example, you could select the ordinal=0 Pod across multiple StatefulSets.

[kow3ns]

yes, the pod name is namespace unique. The ordinal is not.

[kow3ns]

Selecting the same Pod across multiple sts's defeats the purpose of the label.

[enisoc]

I see. The ordinal label would be insufficient, even if combined with the other selector labels, because controllers can have overlapping selectors. Agreed that selecting across multiple StatefulSets doesn't meet any need we've ever heard of.

[enisoc]

Is it possible that pod.Labels has become nil again at this point? Do we enforce anywhere that Pods must have at least one label?

[kow3ns]

it shouldn't but it doesn't hurt to check

[kow3ns]

/retest

[enisoc]

I found some written conventions that seem to apply here:

Inclusion of a system prefix in a label key is fairly hostile to UX. A prefix is only necessary in the case that the user cannot choose the label key, in order to avoid collisions with user-defined labels. However, I firmly believe that the user should always be allowed to select the label keys to use on their resources, so it should always be possible to override default label keys.

Therefore, resources supporting auto-generation of unique labels should have a uniqueLabelKey field, so that the user could specify the key if they wanted to, but if unspecified, it could be set by default, such as to the resource type, like job, deployment, or replicationController.

This indicates we should avoid adding a prefix for the label key, but we should allow the user to override the label key with a setting in StatefulSet.Spec.

For backward compatibility, maybe we should set the default key as "" (meaning don't add a label at all) for pre-v1 versions, so the behavior stays the same. For v1, we can set a non-empty default key.

Key names should be all lowercase, with words separated by dashes instead of camelCase

Given this I suggest pod-name as the default key for v1.

[kow3ns]

Therefore, resources supporting auto-generation of unique labels should have a uniqueLabelKey field, so that the user could specify the key if they wanted to, but if unspecified, it could be set by default, such as to the resource type, like job, deployment, or replicationController.

This is not applicable as it pertains to auto generated labels based on hashes and UUIDs that have no semantic meaning. e.g. Job controllers override.

For backward compatibility, maybe we should set the default key as "" (meaning don't add a label at all) for pre-v1 versions, so the behavior stays the same. For v1, we can set a non-empty default key.

I don't think we should allow name overriding without a more compelling reason. We should prefer simplicity over the potential to introduce misconfiguration unless there is an actual use case to support. If we find one, we can add an override switch in a backward compatible way.

Given this I suggest pod-name as the default key for v1.

SGTM

[janetkuo]

We should probably put this in types.go, like where we placed pod-template-hash

[janetkuo]

nit: remove this

[janetkuo]

Most workload controllers use xxx-xxx-xxx format (instead of xxx.xxxx.xxx/xxxx) as label key (e.g. pod-template-hash, controller-revision-hash).

Deployment hash label was named pod-template-hash instead of something like deployment.kubernetes.io/podTemplateHash, because the latter is lengthy and more suitable as annotations -- we expect users to type label name (e.g. kubectl get name -l) more frequently than annotations.

This is not documented AFAIK. The convention may have changed.

[janetkuo]

Does this fix #28660?

[enisoc]

@kow3ns wrote:

This is not applicable as it pertains to auto generated labels based on hashes and UUIDs that have no semantic meaning. e.g. Job controllers override.

That particular paragraph may be specific to hash-style labels, but it's an application of the general convention proposed above it:

I firmly believe that the user should always be allowed to select the label keys to use on their resources, so it should always be possible to override default label keys.

Of course, it's only the author's opinion of what the convention should be. Also, it seems we have decided not to follow it for Job and Deployment, so I'm willing to chalk it up to out-of-date documentation.

However, I still think it's important that this behavior be controlled by a field that's off by default for pre-v1. Unlike annotations, labels are the user's domain, so adding a new label is a change in behavior. What do you think?

@janetkuo wrote:

Does this fix #28660?

I think it makes a workaround possible, but a full fix for that issue would include a feature that creates a Service per StatefulSet Pod for you.

[kow3ns]

@janetkuo I think it closes #28660 as will not fix. We will never materializes Services on behalf of the user. We will provide, as a part of the StatefulSet's Pods' identity, a label that allows Services to be attached to the Pods in order to allow users to configure the Pods' networking as appropriate to their use case.

@enisoc The label should be considered to be part of the Pods identity. Having a unique identity that is not selectable has become tantamount to a defect for many users. Service per Pod is the right way to route traffic to StatefulSet Pods where each Pod needs to advertise a unique network identity, and, without this label as part of the Pods identity, there is no viable way to do this. If adding the label was a destructive update I would definitely want an opt in switch, but the addition of the label to running Pods is a non-destructive update that should not adversely impact users.

[enisoc]

I still think that adding the label is new behavior according to the letter of the API conventions, but I'm willing to believe that it's non-destructive in all but the most idiosyncratic of setups. In addition, we are only "breaking" pre-v1 APIs.

@janetkuo Do you have an opinion on the above?

[kow3ns]

/retest

[thockin]

This should be prefixed. We have absolutlely no consistency across teh codebase but it should be either:

statefulset.kubernetes.io/pod-name

or

kubernetes.io/statefulset-pod-name

I lean towards the former.

revision hash should probably be, also, but it's harder to fix retroactively.

[thockin]

/approve

[kow3ns]

/retest

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Needs Attention

@enisoc @janetkuo @kow3ns @thockin @kubernetes/sig-apps-misc

Action required: During code slush, pull requests in the milestone should be in progress.
If this pull request is not being actively worked on, please remove it from the milestone.
If it is being worked on, please add the status/in-progress label so it can be tracked with other in-flight pull requests.

Note: If this pull request is not resolved or labeled as priority/critical-urgent by Wed, Nov 22 it will be moved out of the v1.9 milestone.

Pull Request Labels

• sig/apps: Pull Request will be escalated to these SIGs if needed.
• priority/important-longterm: Escalate to the pull request owners; move out of the milestone after 1 attempt.
• kind/feature: New functionality.

Help

• Additional instructions
• Commands for setting labels

[janetkuo]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: janetkuo, kow3ns, thockin

Associated issue: 44103

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/controller/statefulset/OWNERS [janetkuo,kow3ns,thockin]
• staging/src/k8s.io/api/OWNERS [thockin]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 55340, 55329, 56168, 56170, 56105). If you want to cherry-pick this change to another branch, please follow the instructions here.