Commit 0ab9e87

address comments:
rephrase caveats; the namespace risk was a false alarm; clarify GC controller host; add e2e test for beta graduation
1 parent 41e5084 commit 0ab9e87

1 file changed

+8
-11
lines changed
keps/sig-api-machinery/1965-kube-apiserver-identity/README.md

@@ -6,7 +6,6 @@
66
- [Motivation](#motivation)
77
- [Proposal](#proposal)
88
- [Caveats](#caveats)
9-
- [Risks and Mitigations](#risks-and-mitigations)
109
- [Design Details](#design-details)
1110
- [Test Plan](#test-plan)
1211
- [Graduation Criteria](#graduation-criteria)
@@ -83,22 +82,17 @@ listing the pods selected by the service, an aggregated server can learn the
8382
list of living servers with distinct podIPs. A server can get its own IDs via
8483
downward API.
8584

86-
We prefer false positives over false negatives, because false negatives are more
87-
harmful. In the storage version API scenario, if a kube-apiserver accidentally
85+
We prefer that expired Leases remain for a longer duration as opposed to
86+
collecting them quickly, because in the latter case, if a Lease is falsely
87+
collected by accident, it can do more damage than the former case. Take the
88+
storage version API scenario as an example, if a kube-apiserver accidentally
8889
missed a heartbeat and got its Lease garbage collected, its StorageVersion can
8990
be falsely garbage collected as a consequence. In this case, the storage
9091
migrator won’t be able to migrate the storage, unless this kube-aipserver gets
9192
restarted and re-registers its StorageVersion. On the other hand, if a
9293
kube-apiserver is gone and its Lease still stays around for an hour or two, it
9394
will only delay the storage migration for the same period of time.
9495

95-
### Risks and Mitigations
96-
97-
A new namespace will be reserved for storing kube-apiserver identity Lease
98-
objects. There is a chance that existing clusters may already be using the
99-
namespace. We mitigate the risk by documenting the namespace in the release
100-
note and use a feature gate to disable the behavior in alpha release.
101-
10296
## Design Details
10397

10498
The [kubelet heartbeat](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/0009-node-heartbeat.md)
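Review bot: Deleting the Risks and Mitigations section (old lines 95-100) also drops the statements that a new namespace is reserved for the kube-apiserver identity Leases and that a feature gate disables the behavior in the alpha release. Even if the collision risk was a false alarm, as the commit message says, those two facts matter to operators writing RBAC rules or admission policy for that namespace, so keep them in Design Details unless they are already stated elsewhere in the KEP. In the reworded caveat, "Take the storage version API scenario as an example, if a kube-apiserver accidentally" is a comma splice; a colon or period after "example" reads better, and the "kube-aipserver" typo in the following context line can be fixed in the same pass.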
@@ -114,7 +108,8 @@ default `leaseDurationSeconds` is chosen to be way longer than the default
114108
refresh period, to tolerate clock skew and/or accidental refresh failure. The
115109
default resync period is 1h. By default, assuming negligible clock skew, a Lease
116110
will be deleted if the kube-apiserver fails to refresh its Lease for one to two
117-
hours.
111+
hours. The GC controller will run in kube-controller-manager, to leverage leader
112+
election and reduce conflicts.
118113

119114
The refresh rate, lease duration will be configurable through kube-apiserver
120115
flags. The resync period will be configurable through a kube-controller-manager
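Review bot: On new lines 111-112, "reduce conflicts" does not say which conflicts are meant; state it explicitly (for example, multiple GC instances racing to delete the same expired Lease, if that is the intent). Since the controller now lives in kube-controller-manager, the text should also say what permissions it needs on Lease objects, and whether the "one to two hours" bound stated just above still holds across a leader-election failover.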
@@ -136,6 +131,8 @@ Alpha should provide basic functionality covered with tests described above.
136131
#### Alpha -> Beta Graduation
137132

138133
- Appropriate metrics are agreed on and implemented
134+
- An e2e test plan is agreed and implemented (e.g. chaosmonkey in a regional
135+
cluster)
139136

140137
#### Beta -> GA Graduation
141138

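Review bot: The new bullet on lines 134-135 names a tool (chaosmonkey in a regional cluster) but not what the e2e test must assert. Say what passing means, for example that the Lease of a terminated kube-apiserver is collected within the expected window while Leases of live servers are never collected, which is the failure the Caveats section describes as the more damaging one. Also, "agreed and implemented" should read "agreed on and implemented" to match the bullet above it.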