Add RuntimeClassName feature flag #9072
Conversation
knative-prow-robot
added
the
size/L
|
Welcome @ianlewis! It looks like this is your first PR to knative/serving 🎉 |
|
Hi @ianlewis. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
knative-prow-robot
added
needs-ok-to-test
| @@ -161,6 +161,9 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec { | |||
| if cfg.Features.PodSpecNodeSelector != config.Disabled { | |||
| out.NodeSelector = in.NodeSelector | |||
| } | |||
| if cfg.Features.PodSpecRuntimeClassName != config.Disabled { | |||
There was a problem hiding this comment.
worth adding a test for this, along same lines as the one for PodSpecTolerations?
|
/ok-to-test |
knative-prow-robot
added
ok-to-test
|
@ianlewis out of interest, Im wondering whether using a PodSecurityPolicy to default RuntimeClass would fit your use case? Are there cases where you want the user to explicitly select runtimeClass for their ksvc, rather than having it implicit in a security policy (or an operator-set default)? |
There was a problem hiding this comment.
@ianlewis out of interest, Im wondering whether using a PodSecurityPolicy to default RuntimeClass would fit your use case? Are there cases where you want the user to explicitly select runtimeClass for their ksvc, rather than having it implicit in a security policy (or an operator-set default)?
Thanks. That's a good question. I think adding the feature flag is the best option for a few reasons:
- I am trying to meet the needs of a broad set of customer use cases which may require sandboxed workloads to run alongside non-sandboxed workloads.
- PodSecurityPolicy is in beta and has had some growing pains IIRC. I don't feel comfortable right now asking customers to rely on it.
- Some customers will want to use PSP for validation rather than defaulting. i.e. set desired state explicitly themselves and validate using PSP, rather than setting the default for a namespace.
- PSP can be used as an alternative to, or in addition to this feature flag. i.e. they don't interfere with each other so it provides more flexibility and covers more use cases.
| @@ -161,6 +161,9 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec { | |||
| if cfg.Features.PodSpecNodeSelector != config.Disabled { | |||
| out.NodeSelector = in.NodeSelector | |||
| } | |||
| if cfg.Features.PodSpecRuntimeClassName != config.Disabled { | |||
|
The following jobs failed:
Automatically retrying due to test flakiness... |
|
The following jobs failed:
Automatically retrying due to test flakiness... |
|
The following jobs failed:
Automatically retrying due to test flakiness... |
|
/retest |
knative-prow-robot
added
the
needs-rebase
Allow users to set runtimeClassName on services via the runtimeclassname feature flag. Issue knative#5306
knative-prow-robot
removed
lgtm
|
The following is the coverage report on the affected files.
|
| @@ -543,6 +550,8 @@ func TestPodSpecMultiContainerValidation(t *testing.T) { | |||
| } | |||
|
|
|||
| func TestPodSpecFeatureValidation(t *testing.T) { | |||
| runtimeClassName := "test" | |||
There was a problem hiding this comment.
I assume there is no good way to validate the values passed (besides podspec dry run?), since it varies so much vendor to vendor...
There was a problem hiding this comment.
I suppose the controller could validate that the RuntimeClass with that name exists and add to the knative service's status and emit an event if it doesn't. Currently the controller will fail to create pods and users will see that the service didn't create and see the detailed reason in events already so I'm not sure it would be a much better UX.
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ianlewis, mattmoor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow-robot
added
the
approved
Allow users to set runtimeClassName on services via the runtimeclassname
feature flag.
Issue #5306
Release Note