KEP-4764: Kubectl supports WatchList to list resources

[xuzhenglun]

• One-line PR description: kubectl supports WatchList to list resources

• Issue link: kubectl supports WatchList to list resources #4764

• Other comments:

[xuzhenglun]

/hold

I just found that WatchList method has been merged into client-go in kubernetes/kubernetes#122657, so maybe we can dependent on it and avoid to implement it again.

But there is a problem(see kubernetes/kubernetes#126206) with the current implementation, that is, when ServerPrint is enabled, the k8s.io/initial-events-end=true annotation is on the metav1.Table.Rows instead of the top metav1.Table object. Maybe we should wait for a fix on the api side?

[sftim]

Thanks. Here are some suggestions for the text.

I've matched the style guide we use for documentation; our logical API verbs, such as watch, are usually written in lowercase bold.

(the HTTP-level verbs, such as HEAD or POST, or GET at HTTP level, are written uppercase without bold)

[sftim]

💭 Is there a way for the denial of the watch to include a hint that a list would also fail;
for example, this hint could be included whenever sendInitialEvents is set and the API server is able to dry-run
check the equivalent list verb.

[xuzhenglun]

I don't quite understand what you mean by hint?

When watchlist failed, we can give a warning message and then fallback to list. And When rolling back to list, the behavior of kubectl should be consistent with the existing behavior, that is, the results of list are returned. I'm not sure about what this hint used to tell user?

[xuzhenglun]

oh I see the point now. you mean when the watchlist fails, the error is returned with a hint, to tell the client list would also fail. so it's unnecessary for client to try list again. Did I understand correctly?

I don't believe that we have a easy solution for this. As in my understand, this case can only happen when user have no permission to list resource. however, URL query parameters are decoded in the Handler, but authz happens before that, in the Filters.

A simpler and feasible solution is to initiate a SubjectAccessReview during watchlist and return the result as Hint. However, this will bring additional consumption to all watchlist, and it seems to be not much different from the client re-initiating the list request. After all, if the failure is caused by authz, the list has not actually started processing at this time, and it will not consume too many resources.

[xuzhenglun]

or we can consider the watch permission as a superset of the list permission. After all, users with the watch permission actually already have the list permission. In this case, as long as the user can pass the watch authz, they will be able to perform subsequent list operations for sure.

However, this is an incompatible change. I am not sure it is appropriate to discuss it in this KEP.

[sftim]

Kind of. WatchList is a client method not a logical API verb, though (so WatchList calls either watch or list).

[sftim]

Let's resolve this. I used the 💭 emoji in #4767 (comment) to try to imply that this was an aside, rather than any kind of blocking feedback.

[xuzhenglun]

oh, I see. thanks for your explanation. 😊

What do you think that if the API server only initiates "SubjectAccessReview" when "WatchList" is disabled or permission is denied? this could minimize the extra authz query.

[sftim]

Yes, that's how I'd imagined it.

[xuzhenglun]

OK, I will update KEP later to describe this. But let's focus this the basic feature in alpha, and make sure finish this enhancement this before Beta? After all, I think this feature needs to be in alpha for at least several versions. :)

[xuzhenglun]

What we discussed earlier have been updated into the KEP. PTAL

[wojtek-t]

kube-apiserver will support LIST requests forever for backward compatibility reasons.

But we expect that most clients (and libraries) will actually evolve towards using watchlist once this is graduated to GA.

[xuzhenglun]

I understand that API server will support List forever, but I'm not sure should we use List in client-side forever? or in far far future, client-go and kubectl will not send List to API Server, but only Watch?

[wojtek-t]

Yes - I think the things like kubectl should eventually migrate to WatchList

[wojtek-t]

Instead of managing the appropriate parameters in kubectl, you should rely on internal client-go implementation that can decide itself whether watchlist can be usef for a given request.
And you achieve it effectively by setting client-go feature gate.

[xuzhenglun]

I agree with that we should rely on internal client-go implementation to decide. However, due to current implementation issue, kubectl cannot directly use this feature-gate, which is what this KEP attempts to solve.

as we can see https://github.com/kubernetes/kubernetes/blob/fe3772890f650f9bcf020b43dc5a51fab0fa17f4/staging/src/k8s.io/cli-runtime/pkg/resource/helper.go#L108, kubectl use Do and Get method to list resource, not List. so the auto switch mechanism in client-go seems will not work here.

I described the introduction of a new environment variable earlier because I thought kubectl needed an independent switch to control it. If this is not necessary, I completely agree to reuse the environment variable switch in client-go to achieve this purpose. I will update KEP soon later.

[xuzhenglun]

I just updated the KEP to clarify this part. PTAL

[wojtek-t]

/cc @p0lyn0mial @deads2k

[p0lyn0mial]

does kubectl have a concept of feature gates ?
would it be more practical to set an env var or a command line option to disable a faulty feature ?

[xuzhenglun]

Yes, It has its own env feature-gate mechanism. But the basic idea is the same, relying on an env vairble to decide which code path to run. so in my understand, the key point is what the env name we should use.

[p0lyn0mial]

As I user of kubectl how do I disable faulty KUBE_FEATURE_WatchListClient ?

[xuzhenglun]

In alpha stage, this feature is disabled by default. User who want to enable it need to set env variable KUBE_FEATURE_WatchListClient=true to enable this feature.

In the future, when it enables by default in beta stage, user can disable this feature by set env variable KUBE_FEATURE_WatchListClient=false explicitly.

[p0lyn0mial]

could kubectl actually use client-go instead of the raw rest client ?

[xuzhenglun]

I wish it could, but in my understanding, there is no easy way to do so. kubectl uses resource names instead of kinds to fetch resources. Even if it's possible, it will still be a big change.

[xuzhenglun]

@wojtek-t @p0lyn0mial @deads2k @sftim

Hi 👋 ,
Is anything else I need to do yet? It's will be nice if this proposal could reach the next 1.32 dev cycle.

Any suggestion I will be really appreciate.

[xuzhenglun]

/reopen

[k8s-ci-robot]

@xuzhenglun: Failed to re-open PR: state cannot be changed. There are no new commits on the xuzhenglun:master branch.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[xuzhenglun]

/reopen

[k8s-ci-robot]

@xuzhenglun: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: xuzhenglun
Once this PR has been reviewed and has the lgtm label, please assign eddiezane for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-cli/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: xuzhenglun
Once this PR has been reviewed and has the lgtm label, please assign eddiezane for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-cli/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xuzhenglun]

sorry for the noise of closing and reopening, there was a slight problem when I was doing rebase.

I was thinking about the environment variable naming thing. As a kubectl feature, I still feel it will be better to use KUBECTL_ prefix and follow the customs of kubectl feature-gate.

PTAL is there anything need to do, I really want to make this happen in the next release cycle.

/cc @mpuckett159 @eddiezane @soltysh @p0lyn0mial

[p0lyn0mial]

@xuzhenglun Hey, I think we should hold off on this KEP until the streaming feature graduates to Beta. There are still things that need to be fixed, which might slightly change the code, especially on the client side. For the streaming API, we are targeting 1.32.

[xuzhenglun]

sure, as the conclusion in the last sig-cli meeting, this KEP will not merge any code only until watchlist is promoted into beta.  https://docs.google.com/document/u/0/d/1I1UFGHMDO7mMbDbioQp52DEJXEhk1qymch3qL5-EN10/mobilebasic Please take your time to deal with that, and I will continue this enhancement once it’s resolved. Thank you.

[xuzhenglun]

hi @soltysh,
since WatchList has been promoted into Beta in kubernetes/kubernetes#128053, would you kindly review this enhanment please? 🙏

[soltysh]

hi @soltysh,
since WatchList has been promoted into Beta in kubernetes/kubernetes#128053, would you kindly review this enhanment please? 🙏

I'll try to find some time in the next weeks, but most likely after KubeCon NA.