✨ Use watchList in typed and unstructured client if WatchListClient is enabled #3136
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sbueringer The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
|
/hold Otherwise ready for review |
k8s-ci-robot
added
the
do-not-merge/hold
| @@ -2199,1464 +2205,1759 @@ U5wwSivyi7vmegHKmblOzNVKA5qPO8zWzqBC | |||
| }) | |||
| }) | |||
|
|
|||
There was a problem hiding this comment.
I had to move the List tests out, but with a bit of creative diff'ing it should be okay'ish to review
sbueringer
force-pushed
the
pr-api-streaming
branch
from
9b8b4c1 to
44cbac6
Compare
| }) | ||
|
|
||
| // TODO(seans): get label selector test working | ||
| It("should filter results by label selector", func() { |
There was a problem hiding this comment.
Added this test as it was not implemented for unstructured before
There was a problem hiding this comment.
Yup. Copied this from another case and forgot to look up why the TODO was there. Apparently when the TODO was added the test was commented out. Dropped the TODOs
| deleteNamespace(ctx, clientset, tns4) | ||
| }) | ||
|
|
||
| It("should filter results using limit and continue options", func() { |
There was a problem hiding this comment.
Added this test as it was not implemented for unstructured before
|
|
||
| It("should fetch unstructured collection of objects, even if scheme is empty", func() { |
There was a problem hiding this comment.
Moved to the unstructured section
|
|
||
| It("should fetch unstructured collection of objects", func() { |
There was a problem hiding this comment.
This test was redundant with the one in the unstructured section, so I deleted it
|
/assign @alvaroaleman @vincepri |
sbueringer
force-pushed
the
pr-api-streaming
branch
from
44cbac6 to
ae53a80
Compare
|
/hold cancel Rebased on top of main, now that #3135 is merged |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/cc @p0lyn0mial @sttts (just fyi) |
|
@sbueringer: GitHub didn't allow me to request PR reviews from the following users: p0lyn0mial. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| if err == nil { | ||
| return nil | ||
| } | ||
| log.FromContext(ctx).Error(err, fmt.Sprintf("Warning: The watchlist request for %s ended with an error, falling back to the standard LIST semantics", r.resource())) |
There was a problem hiding this comment.
If I understand it correctly, this failing is expected if the KAS is too old, right? If yes, then this i IMHO a debug log. The other log re preparing watchlist opts however seems like an actual error log because that is never expected to happen or am I missunderstanding things?
There was a problem hiding this comment.
Took another look.
The other log re preparing watchlist opts however seems like an actual error log because that is never expected to happen
I agree. PrepareWatchListOptionsFromListOptions only returns an error if scheme.Convert fails.
this failing is expected if the KAS is too old, right? If yes, then this i IMHO a debug log.
This error will happen whenever the WatchList feature is disabled in KAS (either because KAS is too old to have the feature or because it's explicitly disabled).
I personally would never enable the WatchListClient client-side feature gate if I"m not 100% sure that I'm communicating with a v1.32 apiserver. The reason for that is that the fallback behavior means that every single List call will fail with a WatchList first. That's pretty disastrous if it happens in my opinion, so I thought it's good if in these cases the log message shows up so they can fix their config (basically it surfaces a client-side configuration error).
There was a problem hiding this comment.
I personally would never enable the WatchListClient client-side feature gate if I"m not 100% sure that I'm communicating with a v1.32 apiserver
Right but this will be enabled by default in 1.33 client-go or not? So its not something people will be aware of.
There was a problem hiding this comment.
Right but this will be enabled by default in 1.33 client-go or not? So its not something people will be aware of.
Hm no idea when it will be enabled per default, it's currently not enabled per default in k/k main: https://github.com/kubernetes/kubernetes/blob/a9aab298b4738f4ea9111131cdf193a3b1ba14e5/staging/src/k8s.io/client-go/features/known_features.go#L83
But that's actually a good point. As soon as this is enabled per default, folks will hit these failure cases if they hit an apiserver which is too old which is not great (I think the log message is the smallest problem here :))
@p0lyn0mial I couldn't find a tracking issue for WatchListClient. What are the current plans regarding enabling this per default? Or is the idea to keep it of for the forseeable future to avoid that folks are implicitly hitting these error cases with old apiservers simply by bumping client-go?
There was a problem hiding this comment.
Found the tracking issue: kubernetes/enhancements#3157 Still not sure about when WatchListClient would be enabled per default though :)
There was a problem hiding this comment.
The plan is to enable the feature (WatchListClient) by default on 1.34 (next release). The issue is quite outdated :)
There was a problem hiding this comment.
Okay, I think that means a lot of folks will have to expliclity set the feature gate to false starting with client-go v1.34 to not run into problems.
| }) | ||
|
|
||
| // TODO(seans): get label selector test working | ||
| It("should filter results by label selector", func() { |
sbueringer
added
the
tide/merge-method-squash
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
is it possible we can have a one-shot global check for whether we have WATCH permission at the controller-runtime start? |
In general roughly yes, although I would implement it differently. But we're going to wait to see what will be done in client-go: https://kubernetes.slack.com/archives/C0EG7JC6T/p1741283769908819?thread_ts=1741283769.908819&cid=C0EG7JC6T |
sbueringer
force-pushed
the
pr-api-streaming
branch
from
65a10e2 to
ea98b9a
Compare
|
(just rebased onto main & added a commit to ensure all unstructured & partialobjectmeta tests use a client with an empty scheme) |
Signed-off-by: Stefan Büringer [email protected]
Fixes #3055