Invalid parent references are challenging to implement status for

[howardjohn]

spec:
  parentRefs:
  - kind: Gaway
    name: foo

Lets say I have a route like ^. I made a typo on the kind. In this case, the route will be totally ineffective (assuming no controller implements a Gaway type). However, there is no way to actually report this to a user. No controller can write "Unknown kind Gaway" or equivalent, since they don't know if its truely unknown, or just not known to them, but is known to another controller.

The same also applies to name/namespace not matching.

Essentially, we need a valid parentRef in order to report status on a parent, which makes it impossible to report invalid parentRefs.

One option that could work is to suggest that controllers report invalid parentRefs IFF there is not already another controller that wrote the status for that parent. This means for an invalid ref, the first controller will "win" and report an error. If that reference becomes valid later (say another controller understands it) it will overwrite it with a valid status; the old "winner" will now stop reporting any errors.

[robscott]

We have the same problem if a Gateway specifies an invalid/missing GatewayClass. There are essentially no controllers that can or should be responsible for setting an error message on that Gateway. I think the same applies to an invalid parentRef. We have no way of knowing whether a resource has some kind of special meaning to a given implementation and therefore it becomes difficult or impossible to confidently invalidate a parentRef, let alone determine which controller should be responsible for doing that. I think the best signal we can give is simply the lack of status indicating that a resource has been attached/accepted.

[robscott]

In #839 I added a note to Route status describing this limitation.

[jpeach]

I expect that the specific case of an invalid kind could be caught by the admission validation. I don't think that we can require the referent object to actually exist at this time though maybe the validation can resolve the reference and set an initial status condition.

[howardjohn]

Can a mutating webhook actually set status?

We have the same problem if a Gateway specifies an invalid/missing GatewayClass

The same solution could actually apply, that controllers should set the "unknown GatewayClass" IFF no other controller has set it. That way a controller will never turn a positive condition to a negative, but can turn negative to positive (and thus "take ownership" of the field)

[youngnick]

Yeah, I think it should be every controller's responsibility to set the status to "looks like there's a really bad problem" unless they see something else has done that previously.

So yes, a race, but a race that should solve itself quickly.

[jpeach]

Can a mutating webhook actually set status?

We have the same problem if a Gateway specifies an invalid/missing GatewayClass

We default the gateway status so it's clear that is is not getting reconciled.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.