18 Sep 2023
[benluddy] CBOR Serializer KEP
[cici37] CRD validation rules promoting to GA
[cici37] Clear the GA graduation criteria for ValidatingAdmissionPolicy
[mo] question regarding streaming watch and storage migration (will have KEP open soon)
- 8 participants
- 36 minutes
6 Sep 2023
- [logicalhan, jpbetz, liggitt] [external, public] Safer Kubernetes Upgrades
- [nilekh/mo] KEP to move SVM in-tree
https://hackmd.io/@azure-container-upstream/H14Q8R2T3
- [benluddy] Binary Data Format Questions
- 9 participants
- 58 minutes
23 Aug 2023
- [shaneutt] discuss policy attachment from Gateway API
Related:
https://gateway-api.sigs.k8s.io/geps/gep-713/
- [jpbetz] quick request for KEPs authors to announce what they have planned for 1.29 and ask that they line up (identify and request review bandwidth from) KEP reviewers
- [fedebongio] we did submit our 1 minute intro video to KubeconNA 23, will see if we make it!
- 5 participants
- 25 minutes
9 Aug 2023
- [mo] APIService support for URL?
What would be the correct way to limit abuse in terms of network connections being made from KAS to random URL?
Could this be implemented via an ExternalName service? Should it be?
Seems like this may be possible already when --enable-aggregator-routing is disabled (though it is unclear to me what hostname the serving cert is checked against)?
- [geetasg] Consider separate etcd cluster for CRDs https://github.com/kubernetes/kubernetes/issues/118858
- 7 participants
- 32 minutes
26 Jul 2023
- [serathius] SIG etcd Charter & Vision
- [benluddy] binary encoding for custom resources
-- Discuss benchmark results / solidify criteria to move forward
- 10 participants
- 49 minutes
14 Jun 2023
- [Stefan Schimanski, MikeSpreitzer] KEP-4050: Add generic control plane staging repository https://github.com/kubernetes/enhancements/pull/4052
- [jefftree] Lazy OpenAPI Aggregation
Lazy OpenAPI Aggregation and CRD Building
- [mo] is there a desire to have something like StorageVersionMigrator built into KCM?
- 7 participants
- 34 minutes
18 May 2023
- The Implicit Kubernetes-ETCD Contract
- Kubernetes control-plane upgrades
- Proposal KEP-4008: CRD Validation Ratcheting
- 11 participants
- 49 minutes
22 Mar 2023
- deads2k: Deprecate and slate StorageVersionHash for removal? https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/2342-exposing-hashed-storage-versions-via-the-discovery-API
The StorageVersion API looks like a better footing for the feature and has traction: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/2339-storageversion-api-for-ha-api-servers
- liggitt marking it deprecated is a great first step.
In general there was agreement that deprecating this one (in favor of the 2339) is the right way to move forward.
AI: deads@ will send PR to mark it deprecated, targeting 1.28.
- lavalamp follow-up from feature gate discussion 2 weeks ago: draft KEP for initial review
Daniel asks for feedback, especially around the User Stories to make sure nothing was missed.
- lavalamp follow-up from mixed apiserver version discussion last week: extremely draft KEP
logicalhan Two open questions:
where to store the public key for the apiserver
What approach to take to make discovery consistent
AI Daniel will include an "unresolved" section with details to bring up in future meetings and see if we can get an agreement on the way forward.
deads points out to KEP dependency chain: API Server Identity — Storage Migrator — this one
- jpbetz: Want to raise awareness of De-share InitContainer type from Container to SIG
- 7 participants
- 26 minutes
9 Mar 2023
[lavalamp, deads2k, liggitt, munnerz] Discovery when apiservers are at mixed versions
- Description of current behavior and some problematic scenarios: https://docs.google.com/document/d/1wMst-2R7Zr0ADrJ_fr40zwkDanxwihHdL7RKSLK_D_s/edit?resourcekey=0-L-Yljgf99s70jmWmRiiHRw#
- Problems to solve (or verify solutions for)
ensure unhandled local APIService endpoints return 503s, not 404s
https://github.com/kubernetes/kubernetes/pull/104748 did this for unready apiservers
server response GC depends on for GET of individual items
type known
list with no objects == 200 with empty list
list inside missing namespace == 200 with empty list?
get missing object == 404
type unknown
list/get == 404 (404 on get is problematic for GC controller)
type in discovery but not known locally
list/get = 404, but maybe should be 503? will this break API clients that use 404 as signal to fall back to other API versions?
(servers don't have discovery-level type-level info for types not known locally today)
recording/informing existence (and info like verbs, namespacedness) of resource types so older servers can serve more complete/correct discovery
would benefit clients who would ignore some types of resources (like namespace controller wouldn't care about metrics server because it wasn't writable, or about cluster-scoped resources)
related to StorageVersion API, which has an entry per resource
related to aggregated discovery
improve namespace controller behavior when discovery permafails (avoid storms)
improve GC behavior when discovery permafails (avoid locking)
[ichekrygin] Question/guidance request about controller extensibility for core k8s types.
- 5 participants
- 53 minutes
25 Jan 2023
[cici37] Clear GA graduation criteria for CRD validation rules(PR)
David and Daniel agree on suggested GA criteria
No other criteria mentioned.
[tallclair] Webhook Match Conditions https://github.com/kubernetes/enhancements/pull/3717
Secondary authz checks
[andrewsy] Mutating Admission with CEL
https://github.com/kubernetes/enhancements/pull/3776
General agreement that there is conceptual alignment on wanting Mutating too in the future.
No rush probably for 1.27, making sure we can address the items discussed in the meeting [TODO: add here] and see more feedback on the Validating use cases.
- 6 participants
- 49 minutes
16 Nov 2022
[lavalamp] Announcement: our teams are extremely out of date. Please consider proposing yourself as a member to one or more: https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-api-machinery/teams.yaml
Han started a PR: https://github.com/kubernetes/org/pull/3838/files
[liggitt] gogo/protobuf
now officially deprecated
https://github.com/kubernetes/kubernetes/issues/96564
Requirements/Desirements/Ideas for replacing gogo/protobuf
[stevekuznetsov] update on RV parsing search (xref)
[Daniel] Clayton expects a KEP before we do any changes to this, to keep this in mind.
[howardjohn] Exposing informer synced state
Interested in discussing possible options moving forward
[Daniel] will take a look at the issue and suggest offline.
[howardjohn] Generics in client-go
Interested in getting high level direction on what a path forward would look like for this: client-go/v2, generic wrappers around existing code, generic and legacy code side-by-side, third-party/sig implementation, etc? Do Nothing is also an option.
[tallclair] Contextual logging in the apiserver (KEP)
[fedebongio] Kubecon NA 2022 API Machinery Deep Dive Talk jfyi
- 8 participants
- 59 minutes
19 Oct 2022
[andrewsy] Discuss kube-apiserver identifier format (KEP-1965)
[lavalamp] fine-grained-authz KEP pre-review (follow up from Sep 21 discussion)
[fedebongio] Virtual Session at Kubecon NA - API Machinery deep dive: https://kccncna2022.sched.com/event/182Mo
- 4 participants
- 59 minutes
5 Oct 2022
* [mo, anish] Discuss about KEP status and blockers for moving these to beta in v1.27? In regards to sig-auth/3299-kms-v2-improvements
**2339-storageversion-api-for-ha-api-servers
**1965-kube-apiserver-identity
* [lavalamp] quick followup from last time: status of logical clock vs RV
* [lavalamp] quick followup from last time: status of subresources vs fine grained permissions (follow-up doc)
* [fedebongio] KEP List for 1.26? Tracking Board for 1.26 & All Open KEPs with SIG API Machinery label
**Allow informers for getting a stream of data instead of chunking #3157
**CEL for Admission Control #3488
**Aggregated Discovery #3352
- 5 participants
- 38 minutes
21 Sep 2022
* [lavalamp, pohly] Add whole-object logical clock field, or relax client RV constraints, to support “assumption caches”? https://github.com/kubernetes/kubernetes/pull/112202
* [lavalamp] subresources vs fine grained permissions. See doc (shared with api machinery mailing list).
thoughts on using CEL for this (design 5)
because CEL is non-default, optional, example of https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement which is off by default causing confusion for developers and cluster operators
thoughts on using secondary authz checks (~design 4)
* [deads2k] - choose which KEPs we want in 1.26 in the next week or so.
https://github.com/orgs/kubernetes/projects/98/views/1
* Shameless Plug: Virtual Session at Kubecon NA - API Machinery deep dive: https://kccncna2022.sched.com/event/182Mo
- 6 participants
- 57 minutes
7 Sep 2022
* [shyamjvs] Make gzip compression configurable on the apiserver (revisit of June 15th)
Switching to compression level 1 looks like an easy win for cpu and latency to last byte as measured by the client
The 20mb/s limit is actually a limit in the default golang gzip compressor
There is a non-standard, parallel gzip compressor that claims 100x improvement in throughput. Perhaps that would be useful to do a CPU analysis on
Adding the ability to specify compressed or not in a kubeconfig was well received
Idea for changing compression per resources -- david and daniel weren’t excited about adding knobs for this.
* [jpbetz] CEL for Admission Control KEP overview (slides, KEP)
How will we allow schema evolution for the configuration?
Secondary authorization check as a requirement for beta? not for a first alpha.
Joe was open to this. Tim Allclair had concerns, but didn’t get a chance to explain in the meeting. Daniel had previously had concerns, but brought up a use-case that would benefit
How is user information accessed?
Will we support a pattern of namespaced resources holding configuration for each namespace like quota?
* [deads2k] P&F 1.26 plans - v1beta3 or v1? (v1beta2 starts deprecation period in 1.26)
We need a v1beta3
- 6 participants
- 54 minutes
20 Apr 2022
April 20th, 2022
[35 minutes] [wojtekt] API pagination in watchcache
https://github.com/kubernetes/enhancements/pull/3274
[20 minutes] [liggitt] etcd client test gaps
context:
https://groups.google.com/a/kubernetes.io/g/steering/c/e-O-tVSCJOk
https://github.com/kubernetes/kubernetes/pull/106591
https://github.com/etcd-io/etcd/pull/13737
- 11 participants
- 57 minutes
23 Feb 2022
Items for today's meeting
1) remove audit.k8s.io/v1[alpha|beta]1 versions: https://github.com/kubernetes/kubernetes/pull/108092
2) add StartsWith and EndsWith operators to label selectors. Want to get feedback and see if the community would like to move forward
https://github.com/kubernetes/kubernetes/pull/107972
https://kubernetes.slack.com/archives/C0EG7JC6T/p1644383070192189
- 6 participants
- 56 minutes
13 Dec 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20211213
- 10 participants
- 46 minutes
6 Dec 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20211206
- 6 participants
- 28 minutes
29 Nov 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20211129
- 6 participants
- 46 minutes
15 Nov 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20211115
- 9 participants
- 1:01 hours
8 Nov 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20211108
- 8 participants
- 59 minutes
1 Nov 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20211101
- 8 participants
- 57 minutes
25 Oct 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20211025
- 6 participants
- 1:01 hours
18 Oct 2021
Service APIs Bi-weekly Meeting (APAC Friendly Time) for 20211018
- 7 participants
- 38 minutes
11 Oct 2021
Bi-Weekly Service APIs Meeting (APAC Friendly Time) for 20211011
- 4 participants
- 22 minutes
25 Aug 2021
Aug 25th
- [Vijay Tripathi] Discuss https://github.com/kubernetes-sigs/controller-tools/pull/569
Remove the DangerousTypes
Continue discussion about pros and cons in the mailing list
- [jefftree] OpenAPI v3 https://github.com/kubernetes/enhancements/pull/2898
- [sttts,tkashem] inconsistent behaviour of kube-apiserver before readiness, and clients that care, like GC and namespace controllers
GC issue: https://github.com/kubernetes/kubernetes/issues/104342
before readiness (/readyz 200), i.e. without load-balancer
CRDs potentially unavailable (404)
aggregated resources potentially unavailable (404)
discovery incomplete
This one impacts the namespace lifecycle controller in an easy to see way. Possibly others.
OpenAPI incomplete (there is a PR at least fixing CRDs)
RBAC incomplete (403 where it shouldn't)
[deads2k] - this doesn’t sound so bad. Controllers retry and people F5.
Idea 1: --startup-send-retry-after-until-ready sending 429 with Retry-After header
Problem: problematic to unbrick self-hosted clusters
Idea 2: 429 instead of 404 for GC protection. But discovery?
Idea 3: 429 for GC/namespace-lifecycle-controller only
Idea 4: add request header that makes the request conditional on the apiserver being ready
Idea 5: add a reply header or content --- at least for discovery and 404 replies --- that indicates whether the server is ready
- [@mkimuram] Liens - https://github.com/kubernetes/enhancements/pull/2840
- 14 participants
- 59 minutes
11 Aug 2021
Aug 11th
- Demo + KEP preview: CEL as embedded expression language for CRDs validation/defaulting/conversion (@jpbetz, @cici37) slides
- (Kevin Delgado) Discuss Server-Side Unknown Field Validation. Align on the goals and proposed API changes.
Next step for kevindelgado@ is KEP, initial performance numbers for strict vs not-strict decoding
- [@howardjohn] Discuss https://github.com/kubernetes/enhancements/pull/2836
Next steps: look into how this can be used with default controllers (for upgrade benefits), how it handles multi-locks, and how we can make sure there is no overlap of the locks
Would be great to review the API part (the `key` field) early to make it more likely that we can try the change in our own controller before upstreaming, without compatibility issues when upgrading to the upstreamed version.
- [eddiezane] Discuss https://github.com/kubernetes/kubernetes/pull/103619#issuecomment-887921598
Please confirm whether the other clients have the same behaviour or just the discovery client, so we can better decide if the fix needs to go into client-go code, or is a documentation problem we have to fix.
- 11 participants
- 54 minutes
16 Jun 2021
June 16th
- [carried over from last time] Vivek P (vivekpatani): etcd Namespace Quota Design Intro
Relevant k8s issue: https://github.com/kubernetes/enhancements/issues/2754
Introduction to the feature and get feedback (10 min)
- (caesarxuchao@ roycaihw@) Shall we keep investing in the storage version migrator? (10 min)
Box the project,
Call it done when the migration API is done. Automatic triggering can be excluded from GA.
@mspreitz: IBM is using it this way (manual triggering migration)
For built-in resources, without storage version migrator, we need to indefinitely keep type definitions and the generated conversion code of removed API versions. People seem to have accepted this as a fact, there is no complaint in #52185.
@deads2k: This is still desirable because otherwise we can’t drop fields
For CRDs, how do CRD managers handle deprecated CRD versions today?
This guide suggests users either using the migrator or doing migration manually.
deads2k - What we have today seems to actually work quite well and is in use. How about promoting what we have to stable? I see sttts and sanchezl have been working on it fairly recently.
- [@tallclair] Safer rollout of admission webhooks #102019 (30 min)
Good discussion, needs someone to drive forward a KEP. Will circulate across orgs/companies to see if someone steps up.
- [@mspreitz] Support for lengthy node disconnection (10 min)
https://docs.google.com/document/d/1x9RNaaysyO0gXHIr1y50QFbiL1x8OWnk2v3XnrdkT5Y/edit#heading=h.nxm2mmue5hc
- 10 participants
- 59 minutes
2 Jun 2021
June 2nd
3 topics on platforms setting up clusters:
1) [soorena776] Should we webhook webhooks: https://github.com/kubernetes/kubernetes/pull/101815
2) [vivekbagade] Should we add a 2nd authz webhook?
Issue: link
Next Step: start a KEP and present into SIG Auth.
3) [carried over from last time] (Yuvaraj or Nabarun) - Advice on next steps on the CRD install problem (Discussion here)
- [Nabarun] The 2nd/multiple Authz webhook feature solves the problem of users modifying platform installed resources at runtime.
- [Nabarun] The 2nd webhook will allow us to have a “platform-admin” concept.
- [Nabarun] Open Question: Who initializes the objects? A new controller in controller-manager? An addon-manager like binary?
- How do we ensure HA?
- 7 participants
- 59 minutes
14 Apr 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) For 20210414
- 6 participants
- 59 minutes
1 Apr 2021
Service APIs Bi-Weekly Meeting (APAC Friendly Time) for 20210401
- 5 participants
- 1:04 hours
2 Dec 2020
- [eddiezane] Working with OpenAPI data inside kubectl
Recommended to join the discussion as part of API Expression WG
- [dims] gogo proto is going to be gone
https://github.com/kubernetes/kubernetes/issues/96564
https://groups.google.com/g/kubernetes-sig-api-machinery/c/tcwFubV9Boo/m/-C3C3Aw-AgAJ
https://github.com/gogo/protobuf/issues/691
- [eddiezane] Documentation for `kind: List`?
https://github.com/kubernetes/kubectl/issues/837
- [jefftree] SSA GA Requirements:
https://docs.google.com/document/d/1y7bs8PI98gEnKvZi4GQXxQa1_OxPtBL4fQ0b4k48dwo
Targeting 1.21 for GA (yay!)
- [kwiesmueller] Stripping managedFields from API Responses
https://github.com/kubernetes/kubernetes/issues/90066
Idea to add a way to dump an object from a user's perspective using managedFields
Accept header sounds good, allow a format that can represent different managedFields encoding versions in the future
- 10 participants
- 36 minutes
7 Oct 2020
- [jdetiber] Demo / discuss https://github.com/thetirefire/badidea
- [jqmichael] Quick follow up on the discussion from July 15th 2020, “exclusion-based options to webhook configuration”.
- [soltysh] Aliases for related resources https://github.com/kubernetes/kubernetes/issues/95280
- 9 participants
- 46 minutes
29 Jul 2020
Today's Agenda:
-[wojtekt] Proposal to fix api server starting up with empty change history in watch cache: https://github.com/kubernetes/enhancements/pull/1878
-[Bhagwat] Discussion about deep healthz check on API server.
-[Bhagwat] Discussion about graceful shutdown of API server.
-[fedebongio] metacontroller update here.
-[mvladev] ResourceQuota admission controller and aggregated apiservers
- 12 participants
- 50 minutes
17 Jun 2020
SIG API Machinery meeting, discussing a separate healthz/readyz endpoint for load balancers. Also discussed CRD sub resource configuration. Discussion primarily focused on projection webhook.
- 9 participants
- 56 minutes
20 May 2020
May 20th, 2020
KEPs in for 1.19
-Recommended status conditions schema - we will create the type and perhaps helpers
-Standardize QPS and Burst - I think this will miss freeze
--Will not make it in 1.19
--Maybe survey for users in the mailing list of taking advantage of the feature
-Agree on beta requirements for api priority and fairness (not yet merged)
--Need to merge (probably does not require an exception?)
--lavalamp@ to ping commenters and close open comments
-Require transition from beta - we are implementing generator and enforcement
--David to link generator PRs and related work to the issue
-Warning mechanisms for deprecated APIs
-Tracing in apiserver - couldn’t quite get it reviewed in time, maybe could have an exception?
--Needs David to take a look
--Probably will miss 1.19
Open PRs stats review (first pass)
-Discussion about closing vs keeping frozen and stale issues and PRs
-Looking forward to a better triage / reporting mechanism using
- 9 participants
- 40 minutes
22 Apr 2020
April 22nd, 2020
@liggitt: KEP-1693: Mechanism for warning API clients about deprecated API use
-[liggitt] proposed for beta in 1.19:
-server-side mechanism to send warnings
-server-side warnings for deprecated API use
-client-go implementation to capture/handle warnings
-kubectl implementation to display warnings
-@deads2k request for kubectl option to treat warnings as fatal
Include in GA criteria:
-Guidance for level, meaning, and structure of warnings
what should be a warning (e.g. known bad field values)?
verbosity, formatting, etc
-required for in-tree warnings
-recommended for contributions from extension mechanisms
-Parity for extensions mechanisms:
--API deprecation indicator for CRD versions
--initially: version-level
--eventually: field-level
-Warning contributions by Admission webhooks via AdmissionReview status fields
-A way for kubectl to escalate warnings to errors
-bool flag (not envvar or kubeconfig, not filtering/structured/codes)
surface deprecation status in discovery
-in API resource?
-in openapi v2 as extension?
Notes from discussion / things to consider:
-kubectl get still prefers deprecated ingress version
-maybe inform warning-adders their warning was too late (post-headers)?
- 8 participants
- 48 minutes
11 Mar 2020
March 11th, 2020
- [micahhausler] Need for graceful handling of storage level failures on individual objects (#69579)
--We need a document (probably KEP?) listing the alternatives. Need someone to volunteer.
--Add a metric counting deserialization errors on read paths (Owner: micahhausler, mentor: ?)
--Add a metric counting validation errors of the *old* object during an update (Owner: micahhausler, mentor: ?)
--Add better logging when an object can't be deserialized?
-[lavalamp] Need for more guidance around modifying APIs. Need to revamp current documentation in light of CRDs.
--E.g.: https://github.com/kubernetes/community/pull/4571
Discussion.
--A tool evaluating an API change for safety might be good.
-[fedebongio] Reminders
--KubeCon EU was postponed
--Open SIG API Machinery bug/pr triages twice a week (Tue - Thu)
--Agenda closes the day before the meeting (Tuesday afternoon PST)
- 11 participants
- 53 minutes
5 Mar 2020
Sorry you can't see the other participants... but you can hear their voices.
- 3 participants
- 15 minutes
22 Nov 2019
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Meet the Gears Behind Kubernetes APIs: Introduction to SIG API-Machinery - Federico Bongiovanni, Google
It will be a big overview of the SIG. We will go through several sections, including:
- the charter of the SIG
- current SIG structure
- the areas of ownership and the different components that fall under the SIG domain
- the regular meetings
- places where you could get involved
- plans for onboarding programs
https://sched.co/Uajg
- 1 participant
- 33 minutes
12 Sep 2019
Bi weekly sig meeting, covered agenda topics from here: https://docs.google.com/document/d/1x9RNaaysyO0gXHIr1y50QFbiL1x8OWnk2v3XnrdkT5Y/edit
- 11 participants
- 58 minutes
10 Apr 2019
Please see this link for more information: https://github.com/liggitt/gomodules/blob/master/README.md
Thank you Jordan Liggitt for the fantastic overview!
- 4 participants
- 39 minutes
20 Jun 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 13 participants
- 50 minutes
6 Jun 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 10 participants
- 36 minutes
23 May 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 8 participants
- 14 minutes
9 May 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 7 participants
- 31 minutes
25 Apr 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 11 participants
- 55 minutes
11 Apr 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 6 participants
- 16 minutes
28 Mar 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 4 participants
- 14 minutes
28 Feb 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 7 participants
- 49 minutes
14 Feb 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 10 participants
- 46 minutes
31 Jan 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 8 participants
- 50 minutes
17 Jan 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 13 participants
- 47 minutes
3 Jan 2018
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 12 participants
- 58 minutes
7 Dec 2017
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 6 participants
- 1:09 hours
8 Nov 2017
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 6 participants
- 30 minutes
25 Oct 2017
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
- 11 participants
- 43 minutes
12 Apr 2017
Kubernetes SIG API Machinery bi-weekly meeting. See a demo by Phillip Wittrock.
- 8 participants
- 1:02 hours