Add Design Proposal To Extend Resource Policy With Field Selector Filter #5842
Conversation
ihcsim
force-pushed
the
design_resource_filter_field_selectors
branch
from
3b94981 to
1f59bed
Compare
|
@qiuming-best Apologies for the delay. I have updated the proposal to use the |
ihcsim
force-pushed
the
design_resource_filter_field_selectors
branch
2 times, most recently
from
c62ec87 to
7d81a4a
Compare
| ``` | ||
|
|
||
| ### Code Design | ||
|
|
There was a problem hiding this comment.
@ihcsim
The API above looks good, and could you please give more details in code design, how and where to filter resources when doing backup in Velero
There was a problem hiding this comment.
Sure thing - I will take a stab at it. I am still unfamiliar with Velero code base, might take slightly longer.
|
|
||
| ## Compatibility | ||
|
|
||
| The field selector mechanism only works with the new `ResourcePolicies` API. |
There was a problem hiding this comment.
Please add the conflict resolution about the FieldSelectorPolicy with current existing rules.
such as if the FieldSelectorPolicy selected one resource and Action is Skip but the user used --include-resources when backup
There was a problem hiding this comment.
Is it necessary for field selector policy to support action? At the moment, action seems to be specific to volume policy. Also, like labels, the K8s field selector API only works with = and !=. It doesn't support the equivalence of Skip.
| ## Background | ||
|
|
||
| The current mechanism to include cluster-scoped resources in backups via the `IncludeResources`, `IncludeClusterResources` and `IncludeClusterScopedResources` API filters the resources by their [`ResourceGroup`][3]. | ||
| This is insufficent for operator backup use cases, where specific Custom Resource Definition (CRD) must be included in order for the restored operator to work. |
There was a problem hiding this comment.
This is awesome. Restore of operators have been requested rather frequently.
| velero backup create --include-cluster-scoped-resources="customresourcedefinitions" --resource-policies-configmap=backup-policy-nginx-crd | ||
| ``` | ||
|
|
||
| Although the supported field selectors vary across Kubernetes resource types, all resource types support the `metadata.name` and `metadata.namespace` fields. |
There was a problem hiding this comment.
Are we suggesting that we only allow these two in our API?
If we allow others that a given resource type supports if there is an error, do we error the backup at that point? Is there someway to validate the request during backup resource creation vs during runtime?
There was a problem hiding this comment.
The goal is to let K8s tells us which field selectors are supported for a particular resource group, by e.g., specifying the field selectors in the metav1.ListOptions. Velero shouldn't need to maintain any knowledge of which field selectors are supported server-side.
As for error handling, not sure if it's worth doing more upfront client-side validation, since K8s already has a well-defined API for field selections. I think we can just let Kubernetes handle it, like how kubectl get works. If we got an error from K8s, Velero should fail the backup.
There was a problem hiding this comment.
I am not super worried about the syntax, either. I am worried about someone attempting to use a FiieldSelector that is not valid, a backup or schedule is created, and until the code makes that specific call, it is not known that it is broken. For instance, kubectl get will tell you right away if the field selector you are using is invalid.
I was hoping that a list with/ the ListOption, when the resource is requested, or some other type of admission thing would give the user much quicker feedback on the invalid FieldSelector.
Maybe this is too much work for this one enhancement, but I do start to wonder if we are getting to the point when the admission plugin/webhook is going to help with the overall user experience.
There was a problem hiding this comment.
Or some form of dry run option for the overall resource policy may help too? Personally, I am not a fan of admission webhooks because they can be disabled ignored from the webhook configuration, they can go down, they don't load-balance correctly in HA etc.
There was a problem hiding this comment.
dry run to validate valid spec sounds good to me.
There was a problem hiding this comment.
I think that a dry-run command could take the CR and validate the FieldSelectors against a given cluster, would make sense as an option, and would give you a similar feel to the kubectl get.
At some point, I do wonder if the project is going to have to consider a webhook, but for this, I think the proposed idea of a dry run makes sense and would alleviate my concerns
ihcsim
changed the title
qiuming-best
added
the
kind/changelog-not-required
Codecov Report
@@ Coverage Diff @@
## main #5842 +/- ##
==========================================
+ Coverage 61.00% 61.03% +0.03%
==========================================
Files 252 251 -1
Lines 26898 26837 -61
==========================================
- Hits 16409 16381 -28
+ Misses 9326 9303 -23
+ Partials 1163 1153 -10 |
…Policies configuration Signed-off-by: Ivan Sim <[email protected]>
Signed-off-by: Ivan Sim <[email protected]>
Fix typo Re-add changelog Signed-off-by: Ivan Sim <[email protected]>
ihcsim
force-pushed
the
design_resource_filter_field_selectors
branch
from
6627712 to
2c40c25
Compare
Signed-off-by: Ivan Sim <[email protected]>
|
Is there expectation to merge it in v1.13 timeframe, please be reminded this was not on our radar during v1.13 planning and we've passed v1.13 Feature Freeze milestone. Unless we decide this is very important, this will be left in backlog. Also there are other work planned for v1.13 around the resource policy.. |
|
@reasonerjt No, this is not needed for v1.13, unless others feel otherwise. |
|
Closing this for now, as I am no longer sure if this is the right approach to backup an operator. Ideally, we want a way to identify and backup all resources required by an operator. The proposed approach is a bit too granular. |
Please add a summary of your change
This design proposal extends the new ResourcePolicies resource with field selector properties so that users can define filter criteria based on resource properties like resource name.
Does your change fix a particular issue?
Fixes #5152
Fixes #5118
Please indicate you've done the following:
/kind changelog-not-requiredas a comment on this pull request.site/content/docs/main.