Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve API guidelines for subresources #8130

Open
jpbetz opened this issue Oct 25, 2024 · 4 comments
Open

Improve API guidelines for subresources #8130

jpbetz opened this issue Oct 25, 2024 · 4 comments
Labels
sig/architecture Categorizes an issue or PR as relevant to SIG Architecture.

Comments

@jpbetz
Copy link
Contributor

jpbetz commented Oct 25, 2024

I'd like to leverage kubernetes/kubernetes#127320 as an opportunity to improve our API guidelines for subresources for future contributors. Let's accumulate knowledge that we should document here.

I'll start with some topics that we've noticed over the last few days:

  • When should a subresource be introduced? For example, RBAC permissions can be set on subresources, allowing more fine grained access. But subresources also bypass any preexisting admission plugins/webhooks/policies that match the root resource.
  • For subresources that either have the same kind as the root resource but where only certain field may be updated:
    • How should subresource validation be handled? Should changes to other fields be ignored or should validation fail (/ephemeralcontainers fails validation, for example). We should also document how GetResetFields() must implemented when fields are ignored.
    • How should root validation be handled? Making the fields read-only in the root resource makes it possible to control write access via RBAC on the subresource. When this approach is taken, how should kubectl be enhanced to support the subresource?
    • How should the generated client to updated? We typically don't generate a per-subresource path function, but we do often generate Update and Apply functions.

cc @iholder101 @tallclair @thockin @liggitt
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Oct 25, 2024
@k8s-ci-robot
Copy link
Contributor

@jpbetz: The label(s) sig/arch cannot be applied, because the repository doesn't have them.

In response to this:

/sig arch

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jpbetz
Copy link
Contributor Author

jpbetz commented Oct 25, 2024

/sig architecture

@k8s-ci-robot k8s-ci-robot added sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 25, 2024
@thockin
Copy link
Member

thockin commented Oct 29, 2024

subresources also bypass any preexisting admission plugins/webhooks/policies that match the root resource

That seems like something a gap we should fix? Maybe subresource should be able to (optionally) trigger admission?

@liggitt
Copy link
Member

liggitt commented Oct 29, 2024

subresources also bypass any preexisting admission plugins/webhooks/policies that match the root resource

That seems like something a gap we should fix? Maybe subresource should be able to (optionally) trigger admission?

I'm pretty sure that's captured in kubernetes/kubernetes#84530, and has lots of thorny / juicy issues to work through if trying to route requests to a subresource to an admission plugin registered only for the parent resource.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
sig/architecture Categorizes an issue or PR as relevant to SIG Architecture.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jpbetz @liggitt @thockin @k8s-ci-robot