--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig-api-machinery@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/eac78014-5a03-497c-a57d-1ed18f020471%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Part of this effort would remove the SSH tunnel from the kube-apiserver since that depends on the cloud provider and I don't think we would plan to replace it with anything. If we agree to do that, I think we should announce the removal of SSH tunnel now, indicate that VPN (or similar) network config is the future and set a removal release date for the SSH tunnel.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig-api-machinery@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/4f69b7f3-d471-4bb7-b78e-4e3a1d97a5f6%40googlegroups.com.
I think we still can't deprecate (start the clock) until a non-alpha alternative exists.
On Wed, Oct 18, 2017 at 11:15 AM, <de...@redhat.com> wrote:
Part of this effort would remove the SSH tunnel from the kube-apiserver since that depends on the cloud provider and I don't think we would plan to replace it with anything. If we agree to do that, I think we should announce the removal of SSH tunnel now, indicate that VPN (or similar) network config is the future and set a removal release date for the SSH tunnel.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsubs...@googlegroups.com.
To post to this group, send email to kubernetes-sig-api-machinery@googlegroups.com.
>>>> an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
>>>> To post to this group, send email to
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/4f69b7f3-d471-4bb7-b78e-4e3a1d97a5f6%40googlegroups.com.
>>>>
>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>
>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "K8s API Machinery SIG" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> To post to this group, send email to
> To view this discussion on the web visit
That sounds like a super user-hostile replacement. Would you be happy if something you depended on deprecated like that?We either should do better than that, or try to identify all actual users and make sure that they actually plan to stop using it in the timeframe.
On Thu, Oct 19, 2017 at 5:32 AM, David Eads <de...@redhat.com> wrote:
Off the shelf VPN solutions already exist for joining multiple networks and making them routable. Similarly DNS solutions exist for looking up names.I think that this is a good case for deprecation. We announce deprecation now and give consumers ample time to learn and deploy the VPN (or other networking solution) of their choice. The solutions are fairly standard and generally understood, so the normal one year deprecation policy for GA features is reasonable for the SSH tunnel removal.
On Wed, Oct 18, 2017 at 4:45 PM, Daniel Smith <dbs...@google.com> wrote:
I tentatively agree that the replacement needn't be in-process. But it does need to exist.
On Wed, Oct 18, 2017 at 1:08 PM, David Eads <de...@redhat.com> wrote:
For the SSH tunnel, I think most people agree that no in-process alternative should be developed. Network configuration is outside the scope of kube-apiserver.
On Wed, Oct 18, 2017 at 3:36 PM, Daniel Smith <dbs...@google.com> wrote:
I think we still can't deprecate (start the clock) until a non-alpha alternative exists.
On Wed, Oct 18, 2017 at 11:15 AM, <de...@redhat.com> wrote:
Part of this effort would remove the SSH tunnel from the kube-apiserver since that depends on the cloud provider and I don't think we would plan to replace it with anything. If we agree to do that, I think we should announce the removal of SSH tunnel now, indicate that VPN (or similar) network config is the future and set a removal release date for the SSH tunnel.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
We have identified the actual user: GKE
One year deprecation period, starting now, for GKE to start its own VPN tunnels sounds reasonable to me.
Den torsdag 19 oktober 2017 kl. 18:45:52 UTC+1 skrev lavalamp:
That sounds like a super user-hostile replacement. Would you be happy if something you depended on deprecated like that?We either should do better than that, or try to identify all actual users and make sure that they actually plan to stop using it in the timeframe.
On Thu, Oct 19, 2017 at 5:32 AM, David Eads <de...@redhat.com> wrote:
Off the shelf VPN solutions already exist for joining multiple networks and making them routable. Similarly DNS solutions exist for looking up names.I think that this is a good case for deprecation. We announce deprecation now and give consumers ample time to learn and deploy the VPN (or other networking solution) of their choice. The solutions are fairly standard and generally understood, so the normal one year deprecation policy for GA features is reasonable for the SSH tunnel removal.
On Wed, Oct 18, 2017 at 4:45 PM, Daniel Smith <dbs...@google.com> wrote:
I tentatively agree that the replacement needn't be in-process. But it does need to exist.
On Wed, Oct 18, 2017 at 1:08 PM, David Eads <de...@redhat.com> wrote:
For the SSH tunnel, I think most people agree that no in-process alternative should be developed. Network configuration is outside the scope of kube-apiserver.
On Wed, Oct 18, 2017 at 3:36 PM, Daniel Smith <dbs...@google.com> wrote:
I think we still can't deprecate (start the clock) until a non-alpha alternative exists.
On Wed, Oct 18, 2017 at 11:15 AM, <de...@redhat.com> wrote:
Part of this effort would remove the SSH tunnel from the kube-apiserver since that depends on the cloud provider and I don't think we would plan to replace it with anything. If we agree to do that, I think we should announce the removal of SSH tunnel now, indicate that VPN (or similar) network config is the future and set a removal release date for the SSH tunnel.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsubs...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/4f69b7f3-d471-4bb7-b78e-4e3a1d97a5f6%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig-api-machinery@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/cdefd51c-fd35-4c7d-802a-29b2194c6b35%40googlegroups.com.
To post to this group, send email to kubernetes-sig-api-machinery@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/cdefd51c-fd35-4c7d-802a-29b2194c6b35%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig-api-machinery@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/CAB_J3bb09VGSaKkyiP_Uj3qAXQz-Tk73cJodugfuvwqUhd0HTw%40mail.gmail.com.
As described in https://github.com/kubernetes/kubernetes/issues/54076, only the GCE cloudprovider has ever supported distributing keys to nodes.
That means the tunneling feature has only ever functioned standalone within GCE.
Further, 1.2 was the only release where this feature functioned correctly outside of GCE (though even that still required an external process to distribute keys to nodes):
- In 1.0 and 1.1, SSH tunneling broke proxy subresources in all environments (including GCE/GKE)
- Since 1.3, using SSH tunneling outside a GCE/GKE cloudprovider environment causes API servers to go unhealthy after 10 minutes (due to key distribution health checks that fail everywhere but GCE)
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/4f69b7f3-d471-4bb7-b78e-4e3a1d97a5f6%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/cdefd51c-fd35-4c7d-802a-29b2194c6b35%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/4f69b7f3-d471-4bb7-b78e-4e3a1d97a5f6%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/cdefd51c-fd35-4c7d-802a-29b2194c6b35%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/4f69b7f3-d471-4bb7-b78e-4e3a1d97a5f6%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-api-machinery/cdefd51c-fd35-4c7d-802a-29b2194c6b35%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "K8s API Machinery SIG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-api-machinery+unsub...@googlegroups.com.
To post to this group, send email to kubernetes-sig...@googlegroups.com.
As described in https://github.com/kubernetes/kubernetes/issues/54076, only the GCE cloudprovider has ever supported distributing keys to nodes. That means the tunneling feature has only ever functioned standalone within GCE.
Further, 1.2 was the only release where this feature functioned correctly outside of GCE (though even that still required an external process to distribute keys to nodes):I am strongly in favor of deprecating and removing this feature from the apiserver:
- In 1.0 and 1.1, SSH tunneling broke proxy subresources in all environments (including GCE/GKE)
- Since 1.3, using SSH tunneling outside a GCE/GKE cloudprovider environment causes API servers to go unhealthy after 10 minutes (due to key distribution health checks that fail everywhere but GCE)
- only GCE/GKE benefit from it
- all other deployments are responsible for forming their network outside the apiserver process
- it makes the apiserver responsible for maintaining network topology, which seems well outside the apiserver's scope
- it has consistently increased complexity for new features within the apiserver (subresource proxying, aggregation, webhook admission, etc)