You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: keps/sig-api-machinery/1965-kube-apiserver-identity/README.md
+10-7Lines changed: 10 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -201,11 +201,12 @@ N/A
201
201
202
202
-[X] Feature gate (also fill in values in `kep.yaml`)
203
203
- Feature gate name: APIServerIdentity
204
-
- Components depending on the feature gate: kube-apiserver
204
+
- Components depending on the feature gate: kube-apiserver, kube-controller-manager
205
205
206
206
###### Does enabling the feature change any default behavior?
207
207
208
-
A namespace "kube-apiserver-lease" will be used to store kube-apiserver identity Leases.
208
+
A namespace `kube-apiserver-lease` will be created to store kube-apiserver identity Leases.
209
+
Old leases will be actively garbage collected by kube-controller-manager.
209
210
210
211
###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
211
212
@@ -217,7 +218,8 @@ Stale Lease objects will be garbage collected.
217
218
218
219
###### Are there any tests for feature enablement/disablement?
219
220
220
-
Yes, see [apiserver_identity_test.go](https://github.com/kubernetes/kubernetes/blob/24238425492227fdbb55c687fd4e94c8b58c1ee3/test/integration/controlplane/apiserver_identity_test.go).
221
+
There are some tests that require enabling the feature gate in [apiserver_identity_test.go](https://github.com/kubernetes/kubernetes/blob/24238425492227fdbb55c687fd4e94c8b58c1ee3/test/integration/controlplane/apiserver_identity_test.go).
222
+
However, there are no tests validating feature enablement/disablement based on the gate. These tests should be added prior to Beta.
221
223
222
224
### Rollout, Upgrade and Rollback Planning
223
225
@@ -253,14 +255,14 @@ the Lease object to see if workloads or other controllers are relying on this fe
253
255
- Event Reason:
254
256
-[X] API .status
255
257
- Condition name:
256
-
- Other field:
258
+
- Other field:`.spec.holderIdentity`, `.spec.acquireTime`, `.spec.renewTime`, `.spec.leaseTransitions`
257
259
-[X] Other (treat as last resort)
258
260
- Details: audit logs for clients that are reading the Lease objects
259
261
260
262
###### What are the reasonable SLOs (Service Level Objectives) for the enhancement?
261
263
262
-
A rough SLO here is that kube-apiserver updates leases at the same frequency as kubelet node heart beats,
263
-
since the same mechanism is being used.
264
+
A rough SLO here is that healthy kube-apiservers has a lease which is not older than 2 times the frequency of
265
+
the lease heart beat 95% of time.
264
266
265
267
###### What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service?
266
268
@@ -271,7 +273,8 @@ since the same mechanism is being used.
271
273
272
274
###### Are there any missing metrics that would be useful to have to improve observability of this feature?
273
275
274
-
Yes, heart beat latency could be useful.
276
+
A metric measuring the last updated time for a lease could be useful, but it could introduce cardinality problems
277
+
since the lease is changed on every restart of kube-apiserver.
0 commit comments