resolving KEP comment - flesh out what to do if SLO not being met section

aaron-prindle · aaron-prindle · commit e120fb9ca445 · 2025-02-12T00:52:11.000Z
diff --git a/keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md b/keps/sig-api-machinery/5073-declarative-validation-with-validation-gen/README.md
@@ -31,7 +31,7 @@
       - [Risk: we get hundreds of PRs from people migrating fields and can't review them all.](#risk-we-get-hundreds-of-prs-from-people-migrating-fields-and-cant-review-them-all)
         - [Mitigation: These are not urgent and we will have patterns which can be reviewed by more people.](#mitigation-these-are-not-urgent-and-we-will-have-patterns-which-can-be-reviewed-by-more-people)
       - [Risk: Versioned validation drifts between versions.](#risk-versioned-validation-drifts-between-versions)
-        - [Mitigation: round-trip testing + fuzzing + equivalence tests.](#mitigation-round-trip-testing--fuzzing--equivalence-tests)
+        - [Mitigation: round-trip testing + fuzzing + equivalence tests + linting.](#mitigation-round-trip-testing--fuzzing--equivalence-tests--linting)
       - [Risk: Migration to Declarative Validation introduces breaking change to API validation](#risk-migration-to-declarative-validation-introduces-breaking-change-to-api-validation)
         - [Mitigation: Ensure Invalid Objects Still Invalid](#mitigation-ensure-invalid-objects-still-invalid)
         - [Mitigation: Ensure Valid Old Objects Still Valid](#mitigation-ensure-valid-old-objects-still-valid)
@@ -333,9 +333,9 @@ The migration to declarative validation is not time-sensitive. We can proceed at
 
 #### Risk: Versioned validation drifts between versions.
 
-##### Mitigation: round-trip testing + fuzzing + equivalence tests.
+##### Mitigation: round-trip testing + fuzzing + equivalence tests + linting.
 
-FIXME...
+In order to prevent issues with versioned validation drifting between versions, we plan on using round-trip testing, fuzz testing, equivalence testing (including runtime equivalence testing with `DeclarativeValidationMismatchMetrics`) and lint rules which ensure that rules that should be synced across versions are.
 
 #### Risk: Migration to Declarative Validation introduces breaking change to API validation
 
@@ -1257,6 +1257,31 @@ No change in behavior.
 
 ###### What steps should be taken if SLOs are not being met to determine the problem?
 
+If the API server is failing to meet SLOs (latency, validation error-rate, etc.) and Declarative Validation is suspected as a cause, operators can diagnose issues by following these steps:
+
+1. **Gather Request-Level Details**
+    *   Identify the failing/high-latency HTTP requests. This typically involves looking at API server logs.
+        *   Record the verb (`CREATE` etc.), the resource type (e.g., `ReplicationController`), the namespace/name if applicable, and any relevant request parameters. 
+       *   ^ Be sure to submit this information when filing an issue (see step 5)
+    *   Idenify the existing-resource/new-object that is causing issues. If not already known from usage, try to map/reconstruct the suspect resource from the API server logs
+       *   ^ Be sure to submit this information when filing an issue (see step 5)
+2. **Check Relevant Metrics**
+    *   Use the `apiserver_request_duration_seconds` metric to check for differences in latency. Comparing `apiserver_request_duration_seconds` when `DeclarativeValidation` is enabled vs. disabled can reveal whether validation code generation or logic is causing performance regressions.
+    *   If you suspect correctness mismatches, enable the `DeclarativeValidationMismatchMetrics` feature gate and monitor the `declarative_validation_mismatch` metric. Any increments in that metric indicate a situation where the new declarative validation results differ from the legacy hand-written validation for the same request.
+3. **Inspect APIServer Logs**
+    *   With `DeclarativeValidationMismatchMetrics` enabled, you can check the API server logs for entries on mismatched validation outcomes. These logs will include details about the request (the resource, version, kind, namespace/name, and user) and which fields triggered the mismatch.
+    *   If the logs show repeated mismatches or errors for certain resource types, compare the declarative validation tags in `types.go` with the original hand-written logic to identify gaps or typos
+        *   ^ Be sure to submit this information when filing an issue (see step 5)
+4. **Compare Feature Gate Settings**
+    *   Verify whether `DeclarativeValidation` is enabled for all API servers in an HA environment. Partial enablement can sometimes lead to inconsistent behavior or unexpected rejections.
+    *   Temporarily disabling `DeclarativeValidation` can help isolate if new validation logic is the root cause. Bear in mind that rolling back may block updates on objects that were only valid under declarative validation rules if there is a bug related to this, so review “Can the feature be disabled once it has been enabled?” in this KEP in this case.
+5. **File or Triage Issues**
+    *   If you confirm that Declarative Validation logic is producing incorrect results or performance regressions, open a Github issue in the kubernetes/kubernetes repository. Include:
+        *   The exact failing resource object or field that triggers errors.
+        *   Logs, relevant metric snapshots (e.g., from `/metrics`), and your cluster’s configuration (feature gate state, etc.).
+6.  [optional] **Roll back** (only if absolutely necessary)
+    * Roll back (only if absolutely necessary) after confirming the downstream impact (see “Can the feature be disabled once it has been enabled?”).
+
 ## Implementation History
 
 ## Drawbacks
