generic ephemeral volumes: beta #26801
Deploy preview for kubernetes-io-vnext-staging processing. Building with commit 4021005 https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/605a248dc3c93a000732bc88
/hold The actual change in Kubernetes is currently pending for review in kubernetes/kubernetes#99643 and some other PRs.
cc: @reylejano
Unknown CLA label state. Rechecking for CLA labels. Send feedback to sig-contributor-experience at kubernetes/community.
/milestone 1.21
40ffe96 to 6319a96
/hold cancel All k/k PRs were merged.
- Explicitly disable the feature through the feature gate, to avoid | ||
being surprised when some future Kubernetes version enables it | ||
by default. | ||
- Explicitly disable the feature through the feature gate. | ||
- Use a [Pod Security |
@pohly Pod Security Policy is tracked to be deprecated in 1.21. I recommend removing the option to use a Pod Security Policy on this page. What are @kubernetes/sig-docs-en-reviews' and @kubernetes/sig-storage-pr-reviews' opinions on removing the recommendation of a PSP on this page?
I know about the deprecation. But it's the only available option for per-pod control of this feature, so IMHO it is worth mentioning.
SIG Auth might have an opinion here too.
There are definitely relevant third party solutions in this area; we don't need to list them, but we can mention that various kinds of admission-time restriction on Pods can help restrict PVC creation.
Is there already a page with PSP alternatives? If so, then we can point to that as additional options.
I think this is OK to merge, and it's also good to highlight this to SIG Security / SIG Auth as an area to consider revising for the v1.21 docs.
#26629 is adding PSP to the deprecation guide for 1.21.
Granular control over specific volume types is not planned for the in-tree replacement for PSP, so pointing people who want that towards the admission webhook documentation seems like a more durable recommendation.
I added a "(deprecated in Kubernetes 1.21)" remark for the PSP bullet item and added another one for admission webhook:
* Use an [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/)
which rejects objects like Pods that have a generic ephemeral
volume.
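The admission-time restriction discussed in this thread, as an added example that is not part of the PR or of the Kubernetes docs: a minimal validating-webhook decision function in Go that decodes an admission.k8s.io/v1 AdmissionReview with only the standard library and denies any Pod whose `spec.volumes` contains an `ephemeral` source. The type names, the `Review` function and the rejection message are my own choices; a real webhook would serve `Review` over TLS and be registered through a ValidatingWebhookConfiguration.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview request and of the
// Pod schema: only the fields this check needs are decoded, the rest is ignored.
type Volume struct {
	Name      string           `json:"name"`
	Ephemeral *json.RawMessage `json:"ephemeral"` // non-nil only for a generic ephemeral volume
}
type review struct {
	Request *struct {
		UID    string `json:"uid"`
		Object struct {
			Spec struct{ Volumes []Volume `json:"volumes"` } `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}
// GenericEphemeralVolumes lists the names of the volumes whose source is "ephemeral".
func GenericEphemeralVolumes(volumes []Volume) []string {
	var names []string
	for _, v := range volumes {
		if v.Ephemeral != nil {
			names = append(names, v.Name)
		}
	}
	return names
}
// Review answers one AdmissionReview: the Pod is denied if it has any generic
// ephemeral volume and allowed otherwise. The returned JSON is the webhook's reply body.
func Review(reviewJSON []byte) ([]byte, error) {
	var ar review
	if err := json.Unmarshal(reviewJSON, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, errors.New("AdmissionReview has no request")
	}
	names := GenericEphemeralVolumes(ar.Request.Object.Spec.Volumes)
	resp := map[string]interface{}{"uid": ar.Request.UID, "allowed": len(names) == 0}
	if len(names) > 0 { // tell the user which volumes caused the rejection
		resp["status"] = map[string]string{"message": "generic ephemeral volumes are not allowed: " + strings.Join(names, ", ")}
	}
	return json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}
```

Note that `"ephemeral": null` is treated as absent, so only a real generic ephemeral volume source triggers the denial.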
This feature requires the `GenericEphemeralVolume` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to be | ||
enabled. Because this is an alpha feature, it is disabled by default. | ||
enabled. Because this is a beta feature, it is enabled by default. | ||
Generic ephemeral volumes are similar to `emptyDir` volumes, just more |
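Review bot: the added line "Because this is a beta feature, it is enabled by default" follows "requires the `GenericEphemeralVolume` feature gate to be enabled", which now reads as if the administrator still has to act; consider saying that the feature is controlled by the gate, which is enabled by default in beta, and cross-link the "Explicitly disable the feature through the feature gate" bullet for clusters that want to opt out. The context line "similar to `emptyDir` volumes, just more" should name the similarity (a per-pod scratch directory that is usually empty after provisioning) since other `emptyDir` properties do not carry over.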
Similar to emptyDir in what way? I can only think of lifetime as the only similarity.
They are also empty by default because they get provisioned anew for each pod startup. That they don't have to be empty falls under "more flexible".
I would explicitly state what aspects are similar if we're going to be comparing the two types. There are many assumptions and features around `emptyDir` that do not apply to generic ephemeral volumes.
Changed into:

Generic ephemeral volumes are similar to `emptyDir` volumes in the sense that they provide a per-pod directory for scratch data that is usually empty after provisioning. But they may also have additional features:
- Explicitly disable the feature through the feature gate, to avoid | ||
being surprised when some future Kubernetes version enables it | ||
by default. | ||
- Explicitly disable the feature through the feature gate. | ||
- Use a [Pod Security | ||
Policy](/docs/concepts/policy/pod-security-policy/) where the | ||
`volumes` list does not contain the `ephemeral` volume type. |
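Review bot: the "Use a Pod Security Policy" bullet in this hunk points readers at a mechanism that is being deprecated in 1.21 (#26629 adds it to the deprecation guide); mark the bullet as deprecated and list the non-deprecated option beside it, an admission webhook that rejects Pods carrying an `ephemeral` volume, since granular control over volume types is not planned for the in-tree PSP replacement. For the quota discussion, link the StorageClass quota page rather than describing quotas inline.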
For the quota discussion below, I would link to our pages for storageclass quota.
Hi @pohly, thank you for having your Doc PR ready for review. Please squash your commits. Just wanted to share the upcoming doc-related dates for the 1.21 release:
Just need a few lgtms after the updates:
476a6b1 to 4247374
They were logically separate, but okay, I squashed them.
Mostly lgtm. There's still one open question on PSP alternatives.
What if there is none that we can link to? Is the text then okay?
The feature is scheduled for becoming beta in 1.21. In addition, the commit addresses some of the review feedback.
4247374 to 4021005
After reviewing comments from liggit and a thumbs-up from sftim, the text looks good. /lgtm
LGTM label has been added. Git tree hash: 5a6735bf303657f055853b93af6531100e383e7c
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: reylejano. The full list of commands accepted by this bot can be found here. The pull request process is described here.