Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / Cloud Provider Special Interest Group / 13 Jan 2022
Kubernetes / Cloud Provider Special Interest Group / 13 Jan 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SIG Cloud Provider Extraction/Migration Subproject - 2022-01-13

Description

Plans for finishing the working group, PR Review, KEPs

A

Hi welcome to the january 13th 2022 uh sig cloud provider, cloud provider, extraction working group meeting. As always, these meetings are intended to be uh inclusive, uh polite and uh considerate of all one's fellow contributors. So you know, please do so. uh We we follow all of the standard rules of the cncf kubernetes as regards to behavior. So with that, let's go ahead and get started. uh El mico. I believe you have two prs uh that you need reviewed, uh one of which is on me. So I apologize.

A

I will go ahead and take a look at that. uh The other one is on bowie uh in these days of working remotely. uh I do not have as easy and access to just wander down the hall and ping bowie, as I usually do so I don't have a particularly easy way, I'll take a look at that and see if it really requires bowie.

A

If it does I'll try to reach out and see if I can find someone on sig networking to go ahead and take a look at it, but I'm guessing that if it if it was intended for bowie that it is probably fairly networking specific.

B

Yeah someone else, um I think, maybe jerry like assigned it to him, someone someone in that thing assigned it to bowie, so I I just assumed that was the right call. It probably.

A

Is but he is always very busy, so it's possible that I may be able to find someone like yonkun to who may also be able to take a look at it.

B

So let me see what I can do: okay, yeah yeah, I was wrong. Jayla was on the first pr there. It looks like uh vachezlav um recommended bowie for the second one.

B

Yeah no worries, let.

A

Me see what I can do with those all right cool. Thank you cool. uh So this is the cloud provider extraction meeting, um so I would like to have a little bit of a planning session uh with regards to how we can actually finish this working group. I would love to actually shut this working group down.

A

Our goal is to remove all of the kubernetes cloud provider, specif all the cloud provider specific code from the main kubernetes repo, uh and toward that there are a few things. We have a few long polls and I think, focusing on those is likely to be the only way we're going to make progress.

A

So the first long poll uh is there is a particular admission controller that runs in the cube api server, that is responsible for tagging, a certain storage uh systems, and that is a thing that is a cloud provider specific.

A

So we had a long discussion about six months ago and with six storage and came to the conclusion that the way we wanted to move forward on this was to find an easy way to allow cloud providers to have web hook a standardized web hook to deal with this. uh So I went ahead and I wrote a cap uh that basically described how we could extend the ccm to be able to run web hooks, and let me be really clear because there was a little bit of contention on this.

A

uh It's not even. I am not necessarily a fan of running the web. Hooks in the same process, uh I think for some distributions that can be fastest and easiest.

A

But since what we have is a framework, the idea was not so much that you had to run them in the same process, but that we would provide a framework which would allow for you to either set up a controller manager set up a web hook or set up a process which is both and that it would be up to the cloud provider to decide which way they wanted to go, uh and that seems fairly reasonable and easy.

A

However, we have yet to get anyone to actually write the code necessary for the alpha version of this.

A

um So I know we've had multiple people who thought they were going to be able to but life intruded, uh and it hasn't happened uh at this point. It is by far one of our two longest pulls, and so I thought it would be good to bring it up and see if anyone had particular feelings about trying to get this to happen.

A

So should it be a blocker.

A

I mean I love, I love this idea. Can you can you expand on it.

C

Though, because I'm not sure what are we giving something are we are we missing something that you fundamentally need to make progress.

C

I mean I, I like the idea of having convenient frameworks to do things, but we can already build web hooks. We can already build controllers. Is this really a blocker.

A

uh So someone great question, I suppose, but someone has to write this and we can either write it for every cloud provider or we can yeah.

C

I mean are web hooks that hard to build. Is this really that I mean? Are we really saving so much here.

A

I think it's more a question of. We have to either write this one time. We can write a framework and it can be then farmed out easily or we have to do the work six times, because we've got to do it for every cloud provider and we.

C

Can just say.

A

Every cloud provider has to do this, but.

C

I mean, as I've seen every cloud provider to build a web hook. Does it to me obviously seem like a problem like there is frameworking for building a web hook if they're all building a different web hook, then I don't think there's going to be a lot of redundancy.

A

Well, I mean, I think it is essentially the same I mean playing devil's advocate for a second. I think it is the same web book essentially.

C

Well then, we could just build that once and then everybody can just use.

A

It sure I mean the problem. I again, I don't think the problem is it's difficult. I think the problem has been that we just haven't found the resources to do it.

C

Oh just to build this web hook at all.

A

Yeah again, I don't think I have a complexity problem. I think it's a resourcing problem.

C

Yeah, I I think I misunderstood. I thought I thought the problem was somehow getting infrastructure into controllers to run a web hook was the problem. It's just writing this web hook itself. Well, I.

D

Think that I think the intention was like we're gonna like we're gonna, build that one web hook in controller manager but like to build that web hook. Specifically, we have to add the initial wiring in the controller manager to support webhooks at all so like yeah. Maybe this is the best for it, but.

C

Initially yeah I mean I see that I'm just I'm just trying to point out that running the web hook in the controller doesn't to me seem super essential. So if this is really blocking progress, are we willing to compromise and say let's just build a simple web hook that people can use and you have to forget how to run it and if anybody wants to step up and make that easier great. But let's keep moving forward.

E

Yeah.

C

We.

E

I mean what, if we started with just like a sample web hook, type thing, sampling, implementation and then just kind of see how that proof of concept goes. And if we want to add that to the you know, the framework sure.

A

I am perfectly okay with that. I I'm just pointing out that I don't think that it's a complexity problem. I think it has been a resourcing problem.

E

Yeah definitely, but it might be easier to find resources if we reduce the complexity of the first task.

A

Sure give it a try.

B

Yeah, I thought we had an engineer lined up a redhead. He was really keen to do this stuff, but um yeah. It doesn't seem like it's going to work out for him. Yeah yeah.

A

I mean that's the thing and I think we I don't think red hat is the only one who has thought that they would do this.

E

So I'm happy to take some of this work, and I we had this conversation before like I just can't take the entire, like you know like a, I don't think I can own the entire like building out of framework, um but I could, if we can split this up into you know like smaller pieces, and you know I'd be happy to take like proof of concept. Web hook type thing um that seems much more uh doable with less time.

A

Sure I mean I'm I'm I'm kind of slammed right now, but I'm happy to take a proof of concept and and fold it into the framework, because I think I understand the framework better than most other people. So I can certainly help with that.

B

All right, but just my curiosity, how much provider specific like tagging is happening now in this admission controller like like how much custom behavior is there currently, so I believe.

A

It's as odd as it, I think the tagging is all the same. It's a it's a question of uh filter, filtering it and getting the tack right. So I believe it's a question of looking up the the persistent volume determining whether it is a legacy, persistent volume and then getting a cloud provider, specific value which is going to be put in the tag, so that, I believe, is what what is cloud provider specific. I think the impactful of writing the value to the pv is the same for everyone.

B

Okay, so it sounds like there is some fairly generic kind of like pieces here, yeah and in fact,.

A

It looks like andrew was nice enough to uh send a link to the relevant pv admission controller.

D

Yeah, it's very like similar to a lot of other integrations where, like you, have a generic behavior, but there's a interface that gives you the value that you need for that provider.

D

So walter I'm wondering if um so I do agree like this- is important because, like we would be breaking some storage stuff. If we didn't have this right, um but I'm wondering for like 124, because the deadline is coming up. Do you think we should spend some time now and like actually um maybe like list all the caps in flight, including this one and then stack rank them.

A

So this the good news is this cap- is done, signed off and is tagged for alpha. So as far as the kept deadline, this one is clear, but I think your point is still absolutely spot on. Are there any other caps in flight that we need.

E

One that I just noticed was the cubelet, I believe the cubelet image credential provider. Is that still an alpha.

A

That's a great question: andrew, do you know.

D

Yes, it's I think it's still an alpha, because we wanted like at least two providers with implementations that have been tested before we go beta. I think that's my understanding at least um so like it.

D

It seems like we should. We should try to push for that. This release as well yeah we're yeah. We.

E

Should definitely try to get that to beta, in my opinion, uh we're we're testing our implementation um now. um Is there anybody else.

A

Hey joe, where are we with the google one? I thought that one had been tested.

C

Yeah we've tested it um so, but it's not it's not.

C

I I don't, I don't think the testing is like. We have a open source, repeatable test. I think the testing is like we tested it on our internal stuff and it worked.

A

Okay, so two quick questions on that. um I think, but I'd have to go double check. No, no, that's fair! um So I have a couple of quick questions. One uh did we ever get to the point where the windows uh was.

A

The windows version of the credential provider was being tested, no okay, so we have an action item there and we still, we could theoretically put this into kkk, but we don't currently, as I understand it, have a way of generating images. Correct.

C

Official images, no, we don't yet um it's the the idea was to get the basal change in, which um makes it a lot easier to do that and then get the image support fully added.

A

No, it's fair. It's just my thought had been that if we wanted to get what you were mentioning, which is not an official automated test, we could get something into tests. The to run run uh the the standard tests with our credential provider, but that's a lot easier. If there's a a official ins official version of that image,.

C

Yeah we can, we can prototype the flow because we have, we have a um a stopgap image published or being published, so we can at least get all the infrastructure working and then, when we get repeatable images, we can like automate.

A

All right that sounds good, so that sounds like we could get amazon in google which meets the two we need for beta unless someone else has a suggestion for a third credential provider that that could be. As you know,.

D

Sounds like not okay, I'll, maybe check with the azure folks. Maybe.

A

Bridget's not here today, but I'm guessing she'll, be um on wednesday fall, so we can check with widget on wednesday.

F

All right, um any other caps.

D

The controller manager leader migration- one- uh I don't know if we're doing anything but I'm just listing the caps.

A

Yeah, no, no, absolutely! I believe that is in beta uh and I don't think we're going to be in the position to take that one to ga.

G

uh Why not like I'm, I'm already working on testing that with kelps? You know this one is close to down so as long as we have a like uh as long as I can so. I I already add, like official external system, support for collaborative and indirect is already there.

A

If you want to try and push for ga uh on the cap, we can do that, but I don't think that all of the upgrade testing across all the platforms is going to be in the position to be ready in this.

F

Upcoming windows, but I'm happy to be proven wrong. Okay, we only need we only need two major clockwise, no.

A

We needed two for beta. We need it working everywhere. It's going to be used for gm.

D

Maybe we can agree on, like the the ga criterias emerge that and then like at the time of release. If we don't yeah.

A

Yeah absolutely, but I I think I think honestly we should you know I will take el niko's feelings on this one, but I'm fairly sure that openshift is not going to be happy with us saying it only needs to work on two of the cloud providers.

F

Yeah.

B

I have a feeling you're going to get some engineering either way. If you do that, you know.

A

But yeah I mean I I will say I think 2 was a good number for beta, but for ga you know we need to cover everywhere it's going to be used uh which is vmware.

A

uh Theoretically, it's vmware, google, azure and amazon.

F

All right, um unless someone has any other ones they want, uh do you have any other caps.

B

But I'm sure that you're gonna, I'm sure, there's gonna be people from like ibm cloud running it alibaba is probably going to want it too. So I mean there's probably going to be a long list of people are going to want this.

H

I think because they don't have injury providers right.

A

Is specifically about migrating from kcm only to kcm, plus ccm, okay, so the cloud provider is somewhat limited.

A

um All right do we have any other caps that we should review.

D

I put so I don't think we have this in a cab, but I put last known good in there because we've talked about that quite a bit, um yeah, I'm not sure. What's going on for that, do we.

A

We need something we can argue whether it's a cap or not, um I have talked once, is stephen augustus, who ran away like in fear uh with the things that we were going to want from sig release as part of this effort, uh but yeah. I do actually think this is I I don't know if that means it is a cap, but this is clearly a cross sig effort.

A

So, um okay, where were you last with this joe.

G

Sorry, what was that.

A

We're talking about one of your favorites lkg.

C

It's kind of stalled out right now. We don't have anybody actively working on it.

A

Okay, so I had jd working on it, but jd has since left. um So from my perspective, just there are a few action items, so the first is, I would very much like, uh and there is a pr I'll pick it up and move it forwards, but there is a pr to allow testing to turn off cloud provider in kk for in the cluster up script.

A

uh That will allow us to create a test, a suite or whatever um automated test suite. That will show what happens when you turn on the relevant uh feature flags, and we should get a list of everything that breaks.

A

So I think one item one is enumerating the list of items that break that need to be dealt with uh and probably engaging with the other cigs that are going to need to do to to at least tell us how they want to deal with each of those tests.

A

Dealing with those tests, in my mind, comes down to one of three items. One of three paths forward so path, one, the easiest is they say we don't need this test anymore, delete the test, uh I'm guessing, that's not where we most of these will land, but it is certainly an option option two is the the belief is that tests shouldn't require anything cloud provider specific uh which means that someone, preferably the sig who owns the test, needs to investigate why the test is failing and work out how to make it not fail.

A

uh Common examples of this that come to my mind, would be things like if it uh as an example on leagues were owned, if the if it used an image that only exists in gcr.io or if I know a lot of the storage and networking tests, uh make certain assumptions about the vm that they're going to run on and as a result, you know the test may not be testing anything cloud provider specific, but the methods that it's using to do the tests are cloud provider specific.

A

So uh an example I ran on ran across from me. I forgot it was networking or node, but there are tests that assume that there are certain networking start and stop scripts that live in a particular location that you can sudo to uh restart the networking and make sure that recovery works properly.

A

uh And I mean you know, I'm not.

A

Obviously we want networking to restart properly, but that you know, assuming that the the vm is set up. A particular way is a particularly cloud-provided specific task uh and then the third option- and this is where lkg clicks in is we say look this test is cloud is or is believed to be sufficiently cloud provider specific that we think we could just move this code, this testing into uh a cloud uh deployment, or at least you know the the reference implementation and that we will- and this is where lkg gets a little complicated.

A

But the idea here is, uh I make a change that change gets shipped to the cloud provider, the cloud provider rebuilds everything they need to build, deploys and then runs the test and then ships the resulting uh test results back to kk for a given release, and I think that is a large portion of what the lkg proposal that joe has is about, and I think that is option number three- that we can look at with tests that fail.

F

Any questions.

A

Awesome all right so yeah. I definitely think that, by the way, when I mentioned earlier that it's one of the two long poles in my mind, that is the other of the two long poles and I think it's actually probably probably pretty important that we at least get the list of tests that we believe to be a problem generated.

D

Cool, uh so I prioritized the four things I did. A rough prioritization of the four things we talked about. Does that order make sense in the agenda.

D

Like should we.

D

Like because, like it seems like we have a like, it seems like resourcing, is the biggest farm right um and like, if there's anyone available to do work, they should.

D

We should probably ask them to do the top thing first and then go down.

A

Like personally, I would bump lkg to the number two slot.

D

Okay,.

D

Right because the other two are kind of just like baking, it like waiting and waiting for it to bake right.

A

Yeah and the other thing is, while I do think, the controller manager leader migration is important, it's already at beta right right, and so theoretically, you know if it doesn't move to. If we, even if we don't make ga criteria this time around, um it's there are two more releases before it becomes a blocker.

A

Okay makes sense.

A

Cool awesome, um I think we are out of time. Thank you. Everyone see ya thanks walter.

E

Thanks.