Relax TriggerTemplate limitation of only creating Tekton resources #482
Comments
|
/kind feature |
tekton-robot
added
the
kind/feature
|
@disposab1e do you currently have any workaround/hack way you create these PVCs dynamically before a PipelineRun invokes? care to share? |
|
Due to security considerations, we want to make sure we do this right and that the use case is warranted. Auto workspaces might be able to support your use case. We will continue to look at this. |
|
@vtereso What are your security concerns? Where is a auto workspace feature? |
|
@disposab1e auto workspace is there : tektoncd/pipeline#1986 |
|
@vdemeester Perhaps it will be there? Still open, nothing to use right now. |
On auto-workspace, yeah, there is no auto-workspace yet, which makes using |
|
I do not agree! I can use workspace feature with dynamically provisioned PVCs. Ok it's harder without error handling and without lifecycle management. Still two features I'm really mssing in a professionell environment. |
My comment above says that it's hard as of today (not being able to create |
|
I think there must be "something" when you remove PipelineResources in the future. I totally understand the discussions about not to pin tekton-pipelines to a specific way to store data between tasks. But it's a common use case "the need for storage". I had this discussion in mind when I was asking for PVCs in TriggerTemplates. I don't think this will break your design decissions. But when you create something, you also have to remove something. That's why error handling and/or lifecycle management will be very important in the furture. And to be honest for me it's not understandable that these use cases are NOT part of any design so far. |
An existing PersistentVolumeClaim can currently be used as a Workspace volume source. There is two ways of using an existing PVC as volume: - Reuse an existing PVC - Create a new PVC before each PipelineRun. There is disadvantages by reusing the same PVC for every PipelineRun: - You need to clean the PVC at the end of the Pipeline - All Tasks using the workspace will be scheduled to the node where the PV is bound - Concurrent PipelineRuns may interfere, an artifact or file from one PipelineRun may slip in to or be used in another PipelineRun, with very few audit tracks. There is also disadvantages by creating a new PVC before each PipelineRun: - This can not (easily) be done declaratively - This is hard to do programmatically, because it is hard to know when to delete the PVC. The PipelineRun can not be set as OwnerReference since the PVC must be created first This commit adds 'volumeClaimTemplate' as a volume source for workspaces. This has several advantages: - The syntax is used in k8s StatefulSet and other k8s projects so it is familiar in the kubernetes ecosystem - It is possible to declaratively declare that a PVC should be created for each PipelineRun, e.g. from a TriggerTemplate. - The user can choose storageClass (or omit to get the cluster default) to e.g. get a faster SSD volume, or to get a volume compatible with e.g. Windows. - The user can adapt the size to the job, e.g. use 5Gi for apps that contains machine learning models, or 1Gi for microservice apps. It can be changed on demand in a configuration that lives in the users namespace e.g. in a TriggerTemplate. - The size affects the storage quota that is set on the namespace and it may affect billing and cost depending on the cluster environment. - The PipelineRun or TaskRun with the template is created first, and is used as OwnerReference on the PVC. That means that the PVC will have the same lifecycle as the PipelineRun. Related to tektoncd#1986 See also: - tektoncd#2174 - tektoncd#2218 - tektoncd/triggers#476 - tektoncd/triggers#482 - kubeflow/kfp-tekton#51
|
@disposab1e @vdemeester @vtereso I agree with you all! This is a blocker before using Tekton in a professional environment. I spent some time and submitted tektoncd/pipeline#2326 for the solution I proposed in the auto workspace issue. |
|
@jlpettersson Looks wonderful! I like the idea that the PVC is deleted when TaskRun, PipelineRun is deleted! |
An existing PersistentVolumeClaim can currently be used as a Workspace volume source. There is two ways of using an existing PVC as volume: - Reuse an existing PVC - Create a new PVC before each PipelineRun. There is disadvantages by reusing the same PVC for every PipelineRun: - You need to clean the PVC at the end of the Pipeline - All Tasks using the workspace will be scheduled to the node where the PV is bound - Concurrent PipelineRuns may interfere, an artifact or file from one PipelineRun may slip in to or be used in another PipelineRun, with very few audit tracks. There is also disadvantages by creating a new PVC before each PipelineRun: - This can not (easily) be done declaratively - This is hard to do programmatically, because it is hard to know when to delete the PVC. The PipelineRun can not be set as OwnerReference since the PVC must be created first This commit adds 'volumeClaimTemplate' as a volume source for workspaces. This has several advantages: - The syntax is used in k8s StatefulSet and other k8s projects so it is familiar in the kubernetes ecosystem - It is possible to declaratively declare that a PVC should be created for each PipelineRun, e.g. from a TriggerTemplate. - The user can choose storageClass (or omit to get the cluster default) to e.g. get a faster SSD volume, or to get a volume compatible with e.g. Windows. - The user can adapt the size to the job, e.g. use 5Gi for apps that contains machine learning models, or 1Gi for microservice apps. It can be changed on demand in a configuration that lives in the users namespace e.g. in a TriggerTemplate. - The size affects the storage quota that is set on the namespace and it may affect billing and cost depending on the cluster environment. - The PipelineRun or TaskRun with the template is created first, and is used as OwnerReference on the PVC. That means that the PVC will have the same lifecycle as the PipelineRun. Related to tektoncd#1986 See also: - tektoncd#2174 - tektoncd#2218 - tektoncd/triggers#476 - tektoncd/triggers#482 - kubeflow/kfp-tekton#51
An existing PersistentVolumeClaim can currently be used as a Workspace volume source. There is two ways of using an existing PVC as volume: - Reuse an existing PVC - Create a new PVC before each PipelineRun. There is disadvantages by reusing the same PVC for every PipelineRun: - You need to clean the PVC at the end of the Pipeline - All Tasks using the workspace will be scheduled to the node where the PV is bound - Concurrent PipelineRuns may interfere, an artifact or file from one PipelineRun may slip in to or be used in another PipelineRun, with very few audit tracks. There is also disadvantages by creating a new PVC before each PipelineRun: - This can not (easily) be done declaratively - This is hard to do programmatically, because it is hard to know when to delete the PVC. The PipelineRun can not be set as OwnerReference since the PVC must be created first This commit adds 'volumeClaimTemplate' as a volume source for workspaces. This has several advantages: - The syntax is used in k8s StatefulSet and other k8s projects so it is familiar in the kubernetes ecosystem - It is possible to declaratively declare that a PVC should be created for each PipelineRun, e.g. from a TriggerTemplate. - The user can choose storageClass (or omit to get the cluster default) to e.g. get a faster SSD volume, or to get a volume compatible with e.g. Windows. - The user can adapt the size to the job, e.g. use 5Gi for apps that contains machine learning models, or 1Gi for microservice apps. It can be changed on demand in a configuration that lives in the users namespace e.g. in a TriggerTemplate. - The size affects the storage quota that is set on the namespace and it may affect billing and cost depending on the cluster environment. - The PipelineRun or TaskRun with the template is created first, and is used as OwnerReference on the PVC. That means that the PVC will have the same lifecycle as the PipelineRun. Related to #1986 See also: - #2174 - #2218 - tektoncd/triggers#476 - tektoncd/triggers#482 - kubeflow/kfp-tekton#51
|
The use case mentioned in this issue is now possible using |
|
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
|
Rotten issues close after 30d of inactivity. /close Send feedback to tektoncd/plumbing. |
tekton-robot
added
the
lifecycle/rotten
|
@tekton-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Expected Behavior
It should be possible to create a PersistentVolumeClaim resource in TriggerTemplate
spec.resourcetemplates:.Actual Behavior
Only Tekton resources are allowed.
Steps to Reproduce the Problem
We would like to have a possibilty to dynamically create a PVC within TriggerTemplate.
We don't think this will break any design decisions but can be very helpful in some dynamic scenarios.
In this context we really miss "support" for workspace lifecycle management. For example cleaning up a workspace (and optional PVC) after:
We also follow the Auto Workspaces discussion.
Additional Info
This issue has its roots here.
The text was updated successfully, but these errors were encountered: