--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-architecture" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-arch...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAO_RewZY0bg7QO5F_PbiUXXXY1D0-RCtwgchky27_u-cpmHkDQ%40mail.gmail.com.
--
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAGv8vBoJ%3DrOBLupouaj2bBj%2BXMscEzHSbfzZzG3ndOc%3Ds8bSvw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAO_RewY_Gu5d7m_Jbtg52aRG10t6PA97_e3RX_JRYVcZ1ZhEkw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAO_RewY_Gu5d7m_Jbtg52aRG10t6PA97_e3RX_JRYVcZ1ZhEkw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CALXpagybs8Cj2_khMFn_XYU77K%3DPGaNAcWbDJ1EMnNJbkRZY4Q%40mail.gmail.com.
it is enforced that you can't touch status via the regular endpoint ...
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAB_J3bZ-V7GQw35ifcXb4ZjuqQPCR7ckj-zuSGT7zz9XavKUcA%40mail.gmail.com.
It's cleared in PrepareFor{Create|Update} methods.FWIW I do not think spec vs status should be a security boundary, it was not intended initially to be so. The difference is "how I want it to be" vs "how it actually is".
On Fri, Feb 5, 2021 at 2:53 PM Daniel Smith <dbs...@google.com> wrote:It's cleared in PrepareFor{Create|Update} methods.FWIW I do not think spec vs status should be a security boundary, it was not intended initially to be so. The difference is "how I want it to be" vs "how it actually is".I think that horse has left the barn. Most resources have a single controller or a small number of pretty well-trusted controllers. As such spec/status has a natural mapping. We have lots of such examples.For those fields that might be more promiscuously updated (status.conditions!) we should probably have distinct sub-resources.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAO_RewZT__Q0qtCYcYiNs_Dbhi2KAAxxRbJxQJ1A-7G2w%3DhKeQ%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAO_RewYLiXroePRmBBCMq_P3%2BHa5D7c9TUt5VK0fDZSKt7oZMA%40mail.gmail.com.
IMO the "imagine status got dropped, could you reconstruct it" scenario was an intuition pump to help people understand if a given thing was spec or status, because it was kind of a foreign concept to a lot of people initially.The part where it *actually* gets dropped doesn't actually make a ton of sense to me, and I'm not we were actually serious about that being a legitimate thing the system might do? Yes, you can do that with events, but it's very different. And yes, Brian has wanted to actually store Spec & Status separately for ages, but IIRC that's a contention / scalability thing, I don't believe there's gains to be made from making status less durable. The fact that we've never even bothered to try wiping status in a test to see what happens is evidence that we were never intending for the system to literally handle that.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAB_J3banNXtYwT3iHF2XoE%2BET%3DP5P6-AFPYBDadobze93Fk5wg%40mail.gmail.com.
On Fri, Feb 5, 2021 at 6:18 PM 'Tim Hockin' via kubernetes-sig-architecture <kubernetes-si...@googlegroups.com> wrote:On Fri, Feb 5, 2021 at 2:53 PM Daniel Smith <dbs...@google.com> wrote:It's cleared in PrepareFor{Create|Update} methods.FWIW I do not think spec vs status should be a security boundary, it was not intended initially to be so. The difference is "how I want it to be" vs "how it actually is".I think that horse has left the barn. Most resources have a single controller or a small number of pretty well-trusted controllers. As such spec/status has a natural mapping. We have lots of such examples.For those fields that might be more promiscuously updated (status.conditions!) we should probably have distinct sub-resources.Should is pretty different than do, can, or must.
You SHOULD separate your desired state from actual state (spec / status).
You SHOULD ensure only the people who can update status are the ones who should be doing so.
You SHOULD have single writer where possible.
You SHOULD have reconstructable state.
You SHOULD let controllers set fields in spec when those are desired intent.
You SHOULD consider subresources for when your object needs to adapt to an interface (Scale is a good example of what tim is descirbing above).
It's really hard for me to imagine that any of these can be MUST. The value of SHOULD is where tools can infer behavior. Is inferring that status can be wiped in apply useful? Yes. Is having consistent fields in status (conditions, observed generation) useful and consistent? Yes.But it's way past the time where we could enforce MUST on any of these and break users. I definitely have examples of where it is useful to break those guidelines above, but they are the exceptions that prove the rule.
If we think "status can be wiped" is a useful litmus test, then a) we need to solve the 'spec-like things" problem and b) we could/should do a few things to make that litmus test easier (e.g. actually provide an API to wipe status and ask people to use that when testing)
. I expect huge explosions, though, as users and controllers lose state, load-balancers get de-provisioned, volumes get un-bound, replicas get re-launched etc.
On Feb 5, 2021, at 8:34 PM, Tim Hockin <tho...@google.com> wrote:
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAO_RewbEqFjwDDxJkamXRfUqpgQMNKNndSj88E6z4ZZATMDAOA%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-architecture" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-arch...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/40fc1bed74804507f8490e60e9c243ec78a87aaf.camel%40gmail.com.
I like having status reflect the observable state of the world. When status reflects the observable state of the world and is reconciled, it is impossible for status fields to end up in a state where they are corrupted due to some unexpected situation and are never corrected. It's the difference between a count that is returned by actually counting the number of records and a count that is returned by adding every delta perfectly over time. One reflects the state of the world, the other is your estimation of that state and if you ever mess up, it will never be correct again.
If we want to create a section of spec that is more trusted or a section of status that is less trusted, we can do that today using admission plugins. Built-in resources could even do it using subresources (this is how we do the ACL separation of spec/status today).
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAFS1Mj%2BoJn7jzpQrQVbPYoh9kOG%2ByNr3qxjXFoGZkGOTN63fNg%40mail.gmail.com.