KEP-5018: move to beta in 1.34 #5327
Conversation
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
k8s-ci-robot
added
the
wg/device-management
|
@ritazh: GitHub didn't allow me to assign the following users: for, sig, auth, PRR. Note that only kubernetes members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
kind/kep
k8s-ci-robot
added
the
sig/auth
k8s-ci-robot
added
cncf-cla: yes
| - Gather feedback | ||
| - Additional tests are in Testgrid and linked in KEP | ||
| - Implementations in the kubernetes-sigs/dra-example-driver | ||
| - Implementations in the kubernetes-sigs/dra-example-driver: https://github.com/kubernetes-sigs/dra-example-driver/issues/97 and the NVIDIA dra driver: https://github.com/NVIDIA/k8s-dra-driver-gpu/issues/337 |
There was a problem hiding this comment.
do those issues mean we will show those repos labeling namespaces as admin access and using devices as admin access before promoting the gate to beta?
There was a problem hiding this comment.
Yes, Implementations in the kubernetes-sigs/dra-example-driver was part of the original beta criteria. I think we should be able to add an example there. I'm less certain about the exact timeline of the Nvidia one. I could remove that one for now and add it back AFTER it's done. wdyt?
There was a problem hiding this comment.
let's not take dependencies on consumers we're not sure will be ready as a beta graduation criteria ... one example use seems sufficient
|
|
||
| Will be considered for beta. | ||
| - kube-controller-manager: If the kube-controller-manager fails to create `ResourceClaim` objects from `ResourceClaimTemplate` due to misconfigurations or permission issues relating to `adminAccess`, then the associated Pods will remain in a pending state and won't be scheduled. | ||
| - kube-scheduler: Bugs in the scheduler might lead to Pods not being scheduled even when resources are available or, scheduling Pods that shouldn't be scheduled due to unmet `adminAccess` requirements. If the `DRAAdminAccess` feature gate isn't enabled or is misconfigured, the scheduler might not recognize ResourceClaim requirements, leading to scheduling failures. |
There was a problem hiding this comment.
is this thinking of something more than generic scheduler backoff behavior when it encounters failed API requests?
There was a problem hiding this comment.
No, this should be part of the generic scheduler backoff behavior.
There was a problem hiding this comment.
ok, maybe clarify that... otherwise this line sounds scarier or more specific to this feature than it actually is
| --> | ||
|
|
||
| Will be considered for beta. | ||
| ".status.allocation.devices.results[*].adminaccess" will be set to true for a claim using adminAccess when needed by a pod. |
There was a problem hiding this comment.
| ".status.allocation.devices.results[*].adminaccess" will be set to true for a claim using adminAccess when needed by a pod. | |
| ".status.allocation.devices.results[*].adminAccess" will be set to true for a claim using adminAccess when needed by a pod. |
|
|
||
| Will be considered for beta. | ||
| - The DynamicResourceAllocation feature gate must be enabled to create ResourceClaim, ResourceClaimTemplate. More details at [KEP-4381 - DRA Structured Parameters](https://github.com/kubernetes/enhancements/issues/4381) | ||
| - A third-party DRA driver is required for how the driver should interpret the AdminAcess field to get acess to device specific resources without allocating them. |
There was a problem hiding this comment.
| - A third-party DRA driver is required for how the driver should interpret the AdminAcess field to get acess to device specific resources without allocating them. | |
| - A third-party DRA driver is required for how the driver should interpret the AdminAcess field to get access to device specific resources without allocating them. |
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| #### Beta | ||
| - Gather feedback |
There was a problem hiding this comment.
Missing bits higher in the doc:
- make sure to check appropriate boxes in
Release Singoff Checklist - In
Integration testssection, please make sure to link tests according to the template, especially the newly added that are called out there, since looking at the PRs submitted during alpha they did add new tests.
There was a problem hiding this comment.
These comments still hold.
There was a problem hiding this comment.
while reviewing an unrelated DRA KEP, we realized this is using an inconsistent label key ...
labels / annotations are expected to use $group.kubernetes.io/... domain prefixes, so this should really be resource.kubernetes.io/admin-access
"kubernetes.io" is the preferred form for labels and annotations, "k8s.io" should not be used for new map keys.
Sorry I didn't catch that last release
/hold
There was a problem hiding this comment.
so do we need to update this label in 1.34? and if so, is that still ok to move to beta?
There was a problem hiding this comment.
so do we need to update this label in 1.34?
I would say so, yes.
and if so, is that still ok to move to beta?
I think so, for the following reasons:
- pre-1.34 clusters default the feature off, so the adminAccess field is forcibly cleared on creation, so there's no existing objects with this field set unless someone opted into an alpha feature
- ResourceClaim / ResourceClaimTemplate only check admin access on create, since their specs are immutable, so no 1.33 server would have to handle authorizing an update to an
adminAccess: trueobject persisted by a 1.34 server - If someone was using the feature in alpha, it's easy to double-label their namespace until they complete upgrading to 1.34 to let both 1.33 and 1.34 be happy.
There was a problem hiding this comment.
Thanks for catching this now! and +1 on moving to beta.
I can add a validation and warning for using the old label, not sure if it's worth the effort to maintain the code though.
There was a problem hiding this comment.
Thanks for catching this now! and +1 on moving to beta. I can add a validation and warning for using the old label, not sure if it's worth the effort to maintain the code though.
I think just a release note is fine for something changed before exiting alpha.
There was a problem hiding this comment.
Looks good to me, thanks to both of you for taking care of this.
Now I just need to erase k8s.io from my own memory to avoid using it for future extensions...
k8s-ci-robot
added
do-not-merge/hold
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
| #### Beta | ||
| - Gather feedback |
There was a problem hiding this comment.
These comments still hold.
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
k8s-ci-robot
added
size/L
| - 1 example of real-world usage | ||
| - Allowing time for feedback | ||
| - All issues and gaps identified as feedback during beta are resolved | ||
| **Note:** GA criteria must not include any functional, security, monitoring, or testing requirements. Those must be beta requirements. |
k8s-ci-robot
added
the
approved
|
/assign @enj |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt, ritazh, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/wg device-management
/assign @liggitt for sig auth
/assign @pohly
/assign @soltysh for PRR