KEP 2775: kubectl delete interactivity and delay

[eddiezane]

ref: #2775

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eddiezane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-cli/OWNERS [eddiezane]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[eddiezane]

/hold

[eddiezane]

/cc @liggitt @deads2k @soltysh @thockin

[briantopping]

Looks good! One request, the KEP is currently oriented toward kubectl when I believe it ought to be a system-wide initiative to stop existentially destructive behaviors. kubeadm reset is in this realm, but not all resets are existential. When such a situation is detected, the same behavior ought to be used. Are there other systems of this nature that should also be covered?

[briantopping]

I'd like to see the same behavior with kubeadm reset when the node being acted upon would remove etcd quorum.

[neolit123]

kubeadm reset shows a confirmation prompt, unless the user passes -f.

$ kubeadm reset 
[reset] Reading configuration from the cluster...
[reset] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[reset] WARNING: Changes made to this host by 'kubeadm init' or 'kubeadm join' will be reverted.
[reset] Are you sure you want to proceed? [y/N]: 

its phases are documented, can be executed on demand or skipped:
https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-reset/

[briantopping]

Maybe the resolution to this is after the user presses 'y' and the cluster is determined to go unstable after such a request, a second warning is displayed alerting to such.

[thockin]

I'd like to entertain the idea of API-side delete-inhibition. Do you think that should be here or a different KEP?

[thockin]

suggest default to N. e.g. Are you sure? (y/N)

[eddiezane]

Good call. Changed and explicitly called out.

[Goclipse27]

Is y/N is the standard across Kubernetes ? In some places, we do use Yes/No.

[eddiezane]

I'll check for precedent.

[Goclipse27]

Just tried locally, how initial development looks like (pardon for the verbose/warning :) )

@thockin @liggitt @eddiezane - If the interactive flag is not given, it suppose to go for delay. we can delay it using ticker but every second is expect to log as a line like ( Ignore the Order ascending or descending )

->resources will be deleted in 9 sec
->resources will be deleted in 8 sec... ??

Not sure if it is possible to do like state changes/clock in node/UI - resources will be delete in (9..8..7.....) ?

[eddiezane]

I'd like to entertain the idea of API-side delete-inhibition. Do you think that should be here or a different KEP?

I think that should be in a different KEP. I liked what @brendandburns shared about the locking Azure does.

We can add an annotation ("k8s.io/confirm-delete: true") to a Pod and if that annotation is present, prompt for confirmation of the delete. We might also consider "k8s.io/lock" which actively blocks the delete.

We could also support those annotations at a namespace level if we wanted to.

This is similar to Management Locks that we introduced in Azure (https://docs.microsoft.com/en-us/rest/api/resources/managementlocks) for similar reasons to prevent accidental deletes and force an explicit action (remove the lock) for a delete to proceed.

[Goclipse27]

I agree with the statement - intent not to delete resource but accidentally being deleted. However, there are things that cannot be deleted are at different levels in Kubernetes like Kube-* namespaces, default namespaces if you try to delete it using the same kubectl command, it is 403 forbidden.

Do you think is it worth re-phrasing not that there are things that should never be deleted ?

[liggitt]

how does this interact with other consumers of stdin in kubectl (e.g. client-go credential plugins that make use of stdin, or manifest reading from stdin like -f -)

[eddiezane]

I think it will matter where in the call stack we read stdin. The client-go credential plugins probably happen early the flow? I see this living near the end right inside the delete command.

Will need to play around with it with. We can have some integration tests for these.

What would you like to see about it in the KEP?

[liggitt]

The client-go credential plugins probably happen early the flow?

I think it depends on where the client config is constructed.

What would you like to see about it in the KEP?

Describing specific places we use stdin in conjunction with kubectl delete calls today (-f -, exec plugins, etc), and that this --interactive option cannot be used in combination with those (and exercising the behavior when both are attempted with a testcase)

[liggitt]

is this being proposed for delete invocations for:

• all --all invocations
• cluster-scoped resources
• namespacesd

[eddiezane]

is this being proposed for delete invocations for:

• all --all invocations

Yes.

• cluster-scoped resources
• namespacesd

Not specifically. Only when deleted with --all or --all-namespaces.

[liggitt]

Scripts will see an x second delay unless they explicitly set -i=false.

I expected us to attempt to detect interactive invocations and only delay in those cases. That would limit the delay for scripts to environments which mimic interactive terminals, which seems better.

[eddiezane]

These were @thockin's thoughts.

I think I'd rather they set -i false explicitly
that is obvious AT THE CALL SITE as opposed to looking for ${CI} being set somewhere else
it's a big declaration of "I meant to do that"
When it comes to scary stuff I'll take "annoyingly explicit" every time
e.g. there's not a ${UNSAFE_RM} variable that implies -f

I did digging on detecting a TTY and it's a pretty mixed bag. A handful of CI/CD providers spoof a TTY to get nicer color output. I don't think we can reliably go that route.

[liggitt]

A handful of CI/CD providers spoof a TTY to get nicer color output. I don't think we can reliably go that route.

If the issue is false positive detection of interactive invocations, introducing delays to those false positives seems ok to me

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[mkimuram]

Could you check this comment and give feedback?
I think that this KEP shares some use cases and motivations with KEP-2839 (In-use protection KEP), so I would appreciate it if the people involved to this KEP also feedback to KEP-2839.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[MadhavJivrajani]

/remove-lifecycle rotten
/lifecycle frozen

[k8s-ci-robot]

@MadhavJivrajani: The lifecycle/frozen label cannot be applied to Pull Requests.

In response to this:

/remove-lifecycle rotten
/lifecycle frozen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[eddiezane]

Going back to the drawing board on this.

[ardaguclu]

For the people interested on this KEP, there was an another attempt in this proposed KEP #3896. That would be great, if you can give your insights on it too. Thanks.