-
Notifications
You must be signed in to change notification settings - Fork 14.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blog post, outlines KubeVirt's usage k8s extension features #9324
Merged
k8s-ci-robot
merged 4 commits into
kubernetes:master
from
davidvossel:kubevirt-crd-blogpost
Jul 27, 2018
Merged
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
82248fd
Blog post about how KubeVirt extends Kubernetes using CRDs and other …
davidvossel 8f00da9
Update blog post to reflect k8s v1.11 crd versioning support
davidvossel edb9f3b
Update and rename 2018-07-24-kubevirt-crds-for-virtualization.md to 2…
kbarnard10 11c6a1d
Tidy up blog post to reflect reviewer feedback
davidvossel File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
106 changes: 106 additions & 0 deletions
106
content/en/blog/_posts/2018-07-09-kubevirt-crds-for-virtualization.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| --- | ||
| layout: blog | ||
| title: 'KubeVirt: Extending Kubernetes with CRDs for Virtualized Workloads' | ||
| date: 2018-07-09 | ||
| --- | ||
|
|
||
| **Author**: David Vossel (Red Hat) | ||
|
|
||
| ## What is KubeVirt? | ||
|
|
||
| [KubeVirt](https://github.com/kubevirt/kubevirt) is a Kubernetes addon that provides users the ability to schedule traditional virtual machine workloads side by side with container workloads. Through the use of [Custom Resource Definitions](https://Kubernetes.io/docs/concepts/extend-Kubernetes/api-extension/custom-resources/) (CRDs) and other Kubernetes features, KubeVirt seamlessly extends existing Kubernetes clusters to provide a set of virtualization apis that can be used to manage virtual machines. | ||
|
|
||
| ## Why Use CRDs Over an Aggregated API Server? | ||
|
|
||
| Back in the middle of 2017, those of us working on KubeVirt were at a crossroads. We had to make a decision whether or not to extend Kubernetes using an aggregated API server or to make use of the new Custom Resource Definitions (CRDs) feature. | ||
|
|
||
| At the time, CRDs lacked much of the functionality we needed to deliver our feature set. The ability to create our own aggregated API server gave us all the flexibility we needed, but it had one major flaw. **An aggregated API server significantly increased the complexity involved with installing and operating KubeVirt.** | ||
|
|
||
| The crux of the issue for us was that aggregated API servers required access to etcd for object persistence. This meant that cluster admins would have to either accept that KubeVirt needs a separate etcd deployment which increases complexity, or provide KubeVirt with shared access to the Kubernetes etcd store which introduces risk. | ||
|
|
||
| We weren’t okay with this tradeoff. Our goal wasn’t to just extend Kubernetes to run virtualization workloads, it was to do it in the most seamless and effortless way possible. We felt that the added complexity involved with an aggregated API server sacrificed the part of the user experience involved with installing and operating KubeVirt. | ||
|
|
||
| **Ultimately we chose to go with CRDs and trust that the Kubernetes ecosystem would grow with us to meet the needs of our use case.** Our bets were well placed. At this point there are either solutions in place or solutions under discussion that solve every feature gap we encountered back in 2017 when were evaluating CRDs vs an aggregated API server. | ||
|
|
||
| ## Building Layered “Kubernetes like” APIs with CRDs | ||
|
|
||
| We designed KubeVirt’s api to follow the same patterns users are already familiar with in the Kubernetes core api. | ||
|
|
||
| For example, in Kubernetes the lowest level unit that users create to perform work is a Pod. Yes, Pods do have multiple containers but logically the Pod is the unit at the bottom of the stack. A Pod represents a mortal workload. The Pod gets scheduled, eventually the Pod’s workload terminates, and that’s the end of the Pod’s lifecycle. | ||
|
|
||
| Workload controllers such as the ReplicaSet and StatefulSet are layered on top of the Pod abstraction to help manage scale out and stateful applications. From there we have an even higher level controller called a Deployment which is layered on top of ReplicaSets help manage things like rolling updates. | ||
|
|
||
| In KubeVirt, this concept of layering controllers is at the very center of our design. The KubeVirt VirtualMachineInstance (VMI) object is the lowest level unit at the very bottom of the KubeVirt stack. Similar in concept to a Pod, a VMI represents a single mortal virtualized workload that executes once until completion (powered off). | ||
|
|
||
| Layered on top of VMIs we have a workload controller called a VirtualMachine (VM). The VM controller is where we really begin to see the differences between how users manage virtualized workloads vs containerized workloads. Within the context of existing Kubernetes functionality, the best way to describe the VM controller’s behavior is to compare it to a StatefulSet of size one. This is because the VM controller represents a single stateful (immortal) virtual machine capable of persisting state across both node failures and multiple restarts of its underlying VMI. This object behaves in the way that is familiar to users who have managed virtual machines in AWS, GCE, OpenStack or any other similar IaaS cloud platform. The user can shutdown a VM, then choose to start that exact same VM up again at a later time. | ||
|
|
||
| In addition to VMs, we also have a VirtualMachineInstanceReplicaSet (VMIRS) workload controller which manages scale out of identical VMI objects. This controller behaves nearly identically to the Kubernetes ReplicSet controller. The primary difference being that the VMIRS manages VMI objects and the ReplicaSet manages Pods. Wouldn’t it be nice if we could come up with a way to [use the Kubernetes ReplicaSet controller to scale out CRDs?](https://github.com/kubernetes/kubernetes/issues/65622) | ||
|
|
||
| Each one of these KubeVirt objects (VMI, VM, VMIRS) are registered with Kubernetes as a CRD when the KubeVirt install manifest is posted to the cluster. By registering our apis as CRDs with Kubernetes, all the tooling involved with managing Kubernetes clusters (like kubectl) have access to the KubeVirt apis just as if they are native Kubernetes objects. | ||
|
|
||
| ## Dynamic Webhooks for API Validation | ||
|
|
||
| One of the responsibilities of the Kubernetes apiserver is to intercept and validate requests prior to allowing objects to be persisted into etcd. For example If someone tries to create a pod using a malformed pod spec, the Kubernetes apiserver immediately catches the error and rejects the POST request. This all occurs before the object is persistent into etcd preventing the malformed pod spec from making its way into the cluster. | ||
|
|
||
| This validation occurs during a process called admission control. Until recently, it was not possible to extend the default Kubernetes admission controllers without altering code and compiling/deploying an entirely new Kubernetes apiserver. This meant that if we wanted to perform admission control on KubeVirt’s CRD objects as they are posted to the cluster, we’d have to build our own version of the Kubernetes apiserver and convince people they should use it. That was not a viable solution for us. | ||
|
|
||
| Using the new [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) feature in that first landed in Kubernetes 1.9 we now have a path for performing custom validation on KubeVirt api through the use of a [ValidatingAdmissionWebhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#external-admission-webhooks). This feature allows KubeVirt to dynamically register an https webhook with Kubernetes at KubeVirt install time. After registering the custom webhook, all requests related to KubeVirt api objects are forwarded from the Kubernetes apiserver to our https endpoint for validation. If our endpoint rejects a request for any reason, the object will not be persisted into etcd and the client receives our response outlining the reason for the rejection. | ||
|
|
||
| For example, if someone posts a malformed VirtualMachine object, they’ll receive an error indicating what the problem is. | ||
|
|
||
| ``` | ||
| $ kubectl create -f my-vm.yaml | ||
| Error from server: error when creating "my-vm.yaml": admission webhook "virtualmachine-validator.kubevirt.io" denied the request: spec.template.spec.domain.devices.disks[0].volumeName 'registryvolume' not found. | ||
| ``` | ||
|
|
||
| In the example output above, that error response is coming directly from KubeVirt’s admission control webhook. | ||
|
|
||
| ## CRD OpenAPIv3 Validation | ||
|
|
||
| In addition to the validating webhook, KubeVirt also uses the ability to provide an [OpenAPIv3 validation schema](https://kubernetes.io/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#advanced-topics) when registering a CRD with the cluster. While the OpenAPIv3 schema does not let us express some of the more advanced validation checks that the validation webhook provides, it does offer the ability to enforce simple validation checks involving things like required fields, max/min value lengths, and verifying that values are formatted in a way that matches a regular expression string. | ||
|
|
||
| ## Dynamic Webhooks for “PodPreset Like” Behavior | ||
|
|
||
| The Kubernetes Dynamic Admission Control feature is not only limited to validation logic, it also provides the ability for applications like KubeVirt to both intercept and mutate requests as they enter the cluster. This is achieved through the use of a **MutatingAdmissionWebhook** object. In KubeVirt, we are looking to use a mutating webhook to support our VirtualMachinePreset (VMPreset) feature. | ||
|
|
||
| A VMPreset acts in a similar way to a PodPreset. Just like a PodPreset allows users to define values that should automatically be injected into pods at creation time, a VMPreset allows users to define values that should be injected into VMs at creation time. Through the use of a mutating webhook, KubeVirt can intercept a request to create a VM, apply VMPresets to the VM spec, and then validate that the resulting VM object. This all occurs before the VM object is persisted into etcd which allows KubeVirt to immediately notify the user of any conflicts at the time the request is made. | ||
|
|
||
| ## Subresources for CRDs | ||
|
|
||
| When comparing the use of CRDs to an aggregated API server, one of the features CRDs lack is the ability to support subresources. Subresources are used to provide additional resource functionality. For example, the ‘pod/logs’ and ‘pod/exec‘ subresource endpoints are used behind the scenes to provide the ‘kubectl logs’ and ‘kubectl exec’ command functionality. | ||
|
|
||
| Just like Kubernetes uses the pod/exec subresource to provide access to a pod’s environment, In KubeVirt we want subresources to provide serial-console, VNC, and SPICE access to a virtual machine. By adding virtual machine guest access through subresources, we can leverage RBAC to provide access control for these features. | ||
|
|
||
| So, given that the KubeVirt team decided to use CRD’s instead of an aggregated API server for custom resource support, how can we have subresources for CRDs when the CRD feature expiclity does not support subresources? | ||
|
|
||
| We created a workaround for this limitation by implementing a stateless aggregated API server that exists only to serve subresource requests. With no state, we don’t have to worry about any of the issues we identified earlier with regards to access to etcd. This means the KubeVirt api is actually supported through a combination of both CRDs for resources and an aggregated API server for stateless subresources. | ||
|
|
||
| This isn’t a perfect solution for us. Both aggregated API servers and CRDs require us to register an api GroupName with Kubernetes. This api GroupName field essentially namespaces the api’s REST path in a way that prevents api naming conflicts between other third party applications. Because CRDs and aggregated API servers can’t share the same GroupName, we have to register two separate GroupNames. One is used by our CRDs and the other is used by the aggregated API server for subresource requests. | ||
|
|
||
| Having two GroupNames in our api is slightly inconvenient because it means the REST path for the endpoints that serve the KubeVirt subresource requests have a slightly different base path than the resources. | ||
|
|
||
| For example, the endpoint to create a VMI object is as follows. | ||
|
|
||
| **/apis/kubevirt.io/v1alpha2/namespaces/my-namespace/virtualmachineinstances/my-vm** | ||
|
|
||
| However, the subresource endpoint to access graphical VNC looks like this. | ||
|
|
||
| **/apis/subresources.kubevirt.io/v1alpha2/namespaces/my-namespace/virtualmachineinstances/my-vm/vnc** | ||
|
|
||
| Notice that the first request uses **kubevirt.io** and the second request uses **subresource.kubevirt.io**. We don’t like that, but that’s how we’ve managed to combine CRDs with a stateless aggregated API server for subresources. | ||
|
|
||
| One thing worth noting is that in Kubernetes 1.10 a very basic form of CRD subresource support was added in the form of the /status and /scale subresources. This support does not help us deliver the virtualization features we want subresources for. There have however been discussions about exposing custom CRD subresources as webhooks in a future Kubernetes version. If this functionality lands, we will gladly transition away from our stateless aggregated API server workaround to use a subresource webhook feature. | ||
|
|
||
| ## CRD Finalizers | ||
|
|
||
| A [CRD finalizer](https://kubernetes.io/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/#advanced-topics) is a feature that lets us provide a pre-delete hook in order to perform actions before allowing a CRD object to be removed from persistent storage. In KubeVirt, we use finalizers to guarantee a virtual machine has completely terminated before we allow the corresponding VMI object to be removed from etcd. | ||
|
|
||
| ## API Versioning for CRDs | ||
|
|
||
| The Kubernetes core apis have the ability to support multiple versions for a single object type and perform conversions between those versions. This gives the Kubernetes core apis a path for advancing the v1alpha1 version of an object to a v1beta1 version and so forth. | ||
|
|
||
| Unfortunately in Kubernetes 1.10, CRDs do not have support for multiple versions. This means when we want to progress a CRD from kubevirt.io/v1alpha1 to kubevirt.io/v1beta1, the only path currently available to us is to backup our CRD objects, delete the registered CRD from Kubernetes, register a new CRD with the updated version, convert the backed up CRD objects to the new version, and finally post the migrated CRD objects back to the cluster. | ||
|
|
||
| That strategy is not a viable option for us. | ||
|
|
||
| Luckily, while we don’t currently have a complete solution in place to handle CRDs with multiple versions, there is [work underway to rectify this issue in Kubernetes](https://github.com/kubernetes/features/issues/544). Looking at the Kubernetes 1.11 release notes, the [initial steps](https://github.com/kubernetes/kubernetes/pull/63830) have already been taken to kick off this feature. CRDs with multiple versions will be supported soon and we look forward to taking advantage of that feature as soon as it lands. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This pretty much says that the CRD versioning in 1.11 isn't complete for Kubevirt's use case. Can you expand on that? What work remains to be done? The feature in 1.11 is marked as a complete implementation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no conversion between CRD versions. It's also strange that all the versions share the same OpenAPIv3 validation. It's like we've created a way to progress an api from alpha->beta->release only if that api contains no changes.
The value of the current implementation seems limited, but it's definitely a first step in the right direction.
I'll update the doc to reflect my thoughts here.