KEP-4330: Change API availability to forward compatibility

[siyuanfoundation]

• One-line PR description: change api availability to forward compatible to make it easier to handle API graduation in compatibility version.

• Issue link: Introduce compatibility version for Kubernetes control-plane upgrades #4330

• Other comments: more discussions can be found in [Compatibility Version] Guidance on API version promotion kubernetes#127791

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: siyuanfoundation
Once this PR has been reviewed and has the lgtm label, please assign dims for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-architecture/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[siyuanfoundation]

/cc @jpbetz @Jefftree @liggitt @aaron-prindle

[Jefftree]

Most of this is referring to API enablement/disablement on a group-version level. However, API lifecycles are generally individual on the group-version-resource level. I think it would make more sense to discuss the individual beta->GA resources rather than the entire group version?

[siyuanfoundation]

updated.

[Jefftree]

I think we should add a section on how MinCompatibilityVersion will change storage version since the policy has always been n-1.

[siyuanfoundation]

Updated in #5006

[Jefftree]

intractable only for withholding API introductions. API removals don't need special handling.

[siyuanfoundation]

Updated the whole section. Please review again see if it is more clear.

[Jefftree]

Is this referring to the prerelease lifecycle files or a different mechanism? prerelease lifecycle operates on the types instead of the group version.

[siyuanfoundation]

it is referring to the the prerelease lifecycle.

[jpbetz]

My understanding is that we're doing this specifically for controllers. Are there other use cases or should we simplify the wording here and just state up front that we're doing this to support controllers specifically?

[jpbetz]

A comparison (maybe in a table), or how emulation works for normal APIs vs how it works for un-emulatable (non-emulatable?) features might make this information easier to digest.

[jpbetz]

We're proposing that non-emulatable feature controllers to update to use the newest available API, ignoring emulation API enablement, right? Maybe say this more directly?

[siyuanfoundation]

Yes, mainly for controllers for now. May expand to kublet if we want to add compat version in node. Updated the section.

[jpbetz]

What alternatives were considered here? It's not clear to me WHY we're deciding to refuse to start apiservers that have a non-emulatable beta on vs. allowing the beta to be turned on but not guaranteeing emulation for the feature.

Having the apiserver refuse to start is a potential footgun for anyone with automation that uses emulation version, and also offers the capability to turn on beta features/APIs.

[siyuanfoundation]

Giving more thoughts to it, I think the alternative is the better way to go. Updated the section with pros and cons.

[aojea]

is not the case today? apiserver should be always be upgraded first

[siyuanfoundation]

today although apiserver should be upgraded first according to the doc, you can still upgrade all the control plane components in one node first - apiserver1, cm1, scheduler1, before moving on to the next node. That is not a problem today because apis support N-1, N, N+1. But with emulation version, this might not work anymore.

[aojea]

I see, this is what the coordinated leader election will solve #5088

[Jefftree]

Coordinated Leader Election is trying to solve this problem but it is preexisting. Given the situation Siyuan described, a controller that graduated to GA could still talk to a GA API unavailable on other apiservers that haven't upgraded.

[aojea]

This also always assume that the logic in the controllers is the same between versions, but that may not be the case, if the controller and the API change between versions, or also when an existing GA API add a new field and the controller depends on that new field, you'll never being able to emulate the previous behavior ...

[siyuanfoundation]

similar to #5038 (comment)

[deads2k]

So if a 1.32 controller does thing/A. A 1.33 controller does thing/A and also does wrongThing/B. Does this meant that switching to an emulation version for 1.32 does not stop the 1.33 controller from doing wrongThing/B?

[deads2k]

why is v1beta2 on in this scenario since it wasn't even introduced in 1.31?

[siyuanfoundation]

v1beta2 and v1beta1 have the same stability level, so the controller may have moved on to v1beta2 in the binary. By forward compatibility, we are exposing apis that are introduced later than the emulation version that are the same / more stable then the apis enabled at the emulation version.

[deads2k]

Newer APIs can have new behavior that may be problematic and be the reason someone is trying to rollback. For instance, what if v1beta2 broke cost estimation for VAP and someone wants to close the hole. They rollback to 1.31 behavior, but because this API is being enabled when only v1beta1 is wanted, they're stuck with the improper version enabled. That seems like the sort of scenario we want to avoid.

[deads2k]

I bet this is stemming from different modes of upgrade. Some systems upgrade all the kube binaries as a unit (I think GKE does this) and while they may rollout in an HA manner, each unit is either 1.31 or 1.32. Other system upgrade binaries across the cluster, so each instance of the kube-apiserver upgrades, then the kube-controller-manager, etc. OpenShift does this.

This leads to two different perspectives of emulation version.

1. I want kube-apsierver --emulation-version=1.31 to be explicitly different than a 1.31 kube-apiserver. Perhaps in a manner that makes it impractical to stop taking broken paths (v1beta2 is broken case). This might be preferred (sometimes) by upgrade everything as a unit upgrades. But leaves us in a state where if v1beta2 is broken, there doesn't appear to be a way to actually disable it and function with the v1beta1 API on and the v1beta2 API off.
2. I want kube-apiserver --emulation-version=1.31 to be behave like a 1.31 kube-apiserver. This is probably preferred by those who upgrade binaries independent of each other.

The current proposal appears to make #2 impossible. What if instead we made --emulation-version=1.31 emulate the 1.31 version of the kube-apiserver and required requesting serving the non-included APIs? In this example --runtime-config=api/v1beta1=true,api/v1beta2=true

[siyuanfoundation]

To avoid the confusion about what is expected from emulation version, I have added a --api-forward-compatible, so that kube-apiserver --emulation-version=1.31 would behave like a 1.31 kube-apiserver by default, and only include the future api if explicitly set.

[jpbetz]

in this situation they need the v1 API enabled also.

This is exactly the type of scenario I'd like to make sure we support correctly. This scenario works when -emulate-version-forward-compatible=1.33 since the binary version is 1.33 and the 1.33 provides v1 of the API, which is what the controller expects. I wouldn't know what --emulate-version-forward-compatible=1.32 would mean for 1.31 emulation with a 1.33 binary. Does this suggest that --emulate-version-forward-compatible should always be set to the binary version?

If we had customer/C, who ran 1.31 without v1beta1=true. They end up at 1.33. They want to go back to --emulation-version=1.31 --emulate-version-forward-compatible=1.33. I would expect this to not enable the v1 API and I would expect controller/x to not run. Is this what would happen?

That's my expectation as well. I'm expecting the apiserver to only enable forward compatible APIs for the APIs that are actually enabled, and that we've flagged as needing forward compatibility.

[Jefftree]

This is exactly the type of scenario I'd like to make sure we support correctly. This scenario works when -emulate-version-forward-compatible=1.33 since the binary version is 1.33 and the 1.33 provides v1 of the API, which is what the controller expects.

I think we're missing a case in the KEP of this scenario with the chain of v1beta1->v1beta2->v1. Logically (at--emulated-version=1.31 --forward-compatible=1.33 bv: 1.33) enabling v1beta1 would only require v1 to be enabled (for controller compatibility), but what about other APIs in the chain? Would v1beta2 be need to be enabled as well? Is it weird that upgrading from --emulated-version=1.31 --forward-compatible=1.32 (bv=1.32) to --emulated-version=1.31 --forward-compatible=1.33 (bv=1.33) disables the v1beta2 API?

I wouldn't know what --emulate-version-forward-compatible=1.32 would mean for 1.31 emulation with a 1.33 binary. Does this suggest that --emulate-version-forward-compatible should always be set to the binary version?

I would think so, we cannot guarantee forward compatibility with another version other than the binary version.

[siyuanfoundation]

suppose the controller uses v1beta1 (bv: 1.31)-> v1beta2 (bv: 1.32) -> v1 (bv: 1.33).
If the user is using --emulated-version=1.31 (bv: 1.32) to make the controller work, we have to enable v1beta2 when --runtime-config=v1beta1=true. If the user is using --emulated-version=1.31 (bv: 1.33) to make the controller work, we have to enable v1 when --runtime-config=v1beta1=true, in this case setting --emulate-version-forward-compatible=1.32 does not make the controller work with v1beta2 api because the controller is already using the lastest API. So we have to enable the latest api.

--emulate-version-forward-compatible=1.32 will only make controllers with APIs that have not changed from 1.32 to 1.33 work. The users would have to track when the versions of all beta api in use are changed, or most likely they would just use --emulate-version-forward-compatible=1.33 to cover all cases. If they want finer control, they can use --runtime-config without --emulate-version-forward-compatible. So I think setting the specific version in emulate-version-forward-compatible does not give us much benefit.

As for whether v1beta2 should be enabled: from the api lifecycle, we know that v1beta2 is introduced at 1.32 and v1 at 1.33. But we don't know when the controller is changed from v1beta2 to v1, because sometimes an api is introduced before it is actually used. From the perspective of the api server, I think we have enable both v1beta2 and v1 when --emulate-version-forward-compatible is requested.

If we had customer/C, who ran 1.31 without v1beta1=true. They end up at 1.33. They want to go back to --emulation-version=1.31 --emulate-version-forward-compatible=1.33. I would expect this to not enable the v1 API and I would expect controller/x to not run. Is this what would happen?

Yes, they would need to enable v1beta1 for v1 to be enabled.

[jpbetz]

It sounds like we've mostly converged on the problem and what the general shape of a solution should be? How about a KEP update that incorporates all of this? We could then iterate from there.

[siyuanfoundation]

Updated. PTAL

[cbandy]

Why is this feature described as Removed: 1.31 in the 1.30 release below?

enhancements/keps/sig-architecture/4330-compatibility-versions/README.md

Lines 438 to 449 in 41a49ff

	The steps to remove the Beta feature would be:
	| Release | Stage | Feature tracking information |
	| ------- | ----- | ------------------------------------------------- |
	| 1.26 | beta | Beta: 1.26 |
	| 1.27 | beta | Beta: 1.26, Deprecated: 1.27 |
	| 1.28 | beta | Beta: 1.26, Deprecated: 1.27 |
	| 1.29 | beta | Beta: 1.26, Deprecated: 1.27 |
	| 1.30 | - | Beta: 1.26, Deprecated: 1.27, Removed: 1.31 |
	| 1.31 | - | Beta: 1.26, Deprecated: 1.27, Removed: 1.31 |
	| 1.32 | - | Beta: 1.26, Deprecated: 1.27, Removed: 1.31 |
	| 1.33 | - | **`if featureGate enabled { // implement feature }` code may be removed at this step** |

[siyuanfoundation]

sometimes if you know when the api would be removed you can just add the removal before the actual release.

[cbandy]

Does "graduated to GA" imply that the Beta API is removed (from N)?

Should --runtime-config=api/v1beta1=true have some effect when emulation-version=N?

[siyuanfoundation]

"graduated to GA" does not imply that the Beta API is removed (from N) automatically.
--runtime-config=api/v1beta1=true would have both api/v1beta1 and api/v1 both available. This is the same as before, so we are not listing it out explicitly.

[cbandy]

Does the storage version depend on the compatibility version? If so, should it be mentioned here?

What happens in this case for Story 2, administrator needs to roll back?

1. 1pm: emulation=N-1, everything is stored v1beta1
2. 2pm: emulation=N, so some items are stored as v1
3. 3pm: emulation=N-1, so...?

[siyuanfoundation]

The storage version is determined by the minCompatibilityVersion, and I am adding some clarification in #5006.

In a 2 step upgrade scenario, only the 1st step is considered rollback safe. So if the emulation version is increased, it is no longer rollbacksafe, unless you have set the minCompatibilityVersion N-1 in all steps in your example.

[aojea]

FYI Jordan and David did something similar for avoiding beta apis to be enabled by default kubernetes/kubernetes@af99d19

[aojea]

LGTM

IIUIC the proposal builds on the API compatibility guarantees we have to avoid complicating the consumers of the APIs in the emulation versions, if the API stored version is the same the emulated version.

This allows any code in the in-tree kubernetes codebase that consumes new APIs to be perfectly emulated without having to complicate the code with conditionals based on emulated / binary version and API available.