Watch requests to etcd are mapped to a single stream that has a limited throughput.
By opening a lot of concurrent watch requests to single resource, users
could starve other watches from getting any events.
Separating the RPC was meant to protect the watch opened by cache.
However, as we are no longer planning to allow users to open watch directly to etcd,
the flag is not needed.
Kubernetes-commit: 4a5bbc4c159ec7d185d5fc39b95c48dbf3fab7d9
Around the 1.31 release, we discovered that a change introduced in 1.27 allowead
clients to open WATCH requests directly to etcd. This had detrimental consequences,
enabling abusive clients to bypass caching and overwhelm etcd.
Unlike the API server, etcd lacks protection against such behavior.
To mitigate this, we redirected all WATCH requests to be served from the cache.
The WatchFromStorageWithoutResourceVersion feature gate was retained as an escape hatch.
However, since we have no plans to allow direct WATCH requests to etcd again,
this flag is now obsolete.
Direct WATCH requests to etcd offer no advantage, as they don't provide stronger
consistency guarantees. WATCH operations are inherently inconsistent; unlike LIST
operations, they do not confirm the resource version with a quorum. While Kubernetes
uses the WithRequireLeader option on WATCH requests to prevent maintaining connections
to isolated etcd members, the API server provides the same level of guarantee through
its health checks, which fail if it cannot connect to etcd member. Therefore,
the WatchFromStorageWithoutResourceVersion feature gate can be deprecated and removed.
Kubernetes-commit: 065bf2004d27e5e3f1be3c0f128347d4060d8954
- implement unsafe deletion, and wire it
- aggregate corrupt object error(s) from the storage LIST operation
- extend storage error:
a) add a new type ErrCodeCorruptObj to represent a corrupt object:
b) add a new member 'InnerErr error' to StorageError to hold
the inner error
- add API status error
Kubernetes-commit: 5d4b4a160dc551dc8979012eeabea1a098945603
For alpha, there is one apiserver feature gate and two client-go feature gates controlling
CBOR. They were initially wired to separate test-only feature gate instances in order to prevent
them from being configurable at runtime via command-line flags or environment variables (for
client-go feature gates outside of Kubernetes components). All of the integration tests required by
the KEP as alpha criteria have been implemented. This adds the feature gates to the usual feature
gate instances and removes the temporary code to support separate test-only feature gate instances.
Kubernetes-commit: 072dfcb416fd4e1ddab0a89ac4faf519e268bc96
To mitigate the risk of introducing a new protocol, integration tests for CBOR will be written using
a test-only feature gate instance that is not wired to runtime options. On alpha graduation, the
test-only feature gate instance will be replaced by a normal feature gate in the existing apiserver
feature gate instance.
Kubernetes-commit: 0cad1a89b6721308746cc1a12f12de31a259a0d3
These have been GA since v1.29 and can be safely removed.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: 6398b8a19fe0e113cf250c13b0639dea258a174f
This reverts commit 0c0e19b343d48d4bea0e7fa735e3781c70298a34.
During stress test for SVM controller, the controller is unable to
make a list call due to following error:
resourceversion.go:155: I0716 21:49:26.973127] storage-version-migrator-controller: Error syncing SVM resource, retrying svm="crdsvm" err="error getting latest resourceVersion for stable.example.com/v1, Resource=testcrds: Timeout: Too large resource version: 28976, current: 20349"
With the feature disabled, the stress test passes.
Signed-off-by: Monis Khan <mok@microsoft.com>
Kubernetes-commit: aeb51a16e369d5b823a8ae6488d1d5e12c683516
Marek Siarkowicz
yongruilin
Paco Xu
Wojciech Tyczyński
Siyuan Zhang
modulitos
Stanislav Láznička
Abu Kashem
Ben Luddy
Joe Betz
carlory
Jordan Liggitt
Lukasz Szaszkiewicz
AmarNathChary
Cici Huang
Jefftree
Omer Aplatony
Adarsh-verma-14
Vinayak Goyal
Monis Khan
Marek Siarkowicz
David Eads