Proposal: ns-scoped resources for brokers, services, and plans#1826
Proposal: ns-scoped resources for brokers, services, and plans#1826pmorie wants to merge 1 commit intokubernetes-retired:masterfrom
Conversation
k8s-ci-robot
added
cncf-cla: yes
As part of the Prosopal for Namespaced Resources (kubernetes-retired#1826), this extracts the common elements from the ClusterServicePlanSpec into a SharedServicePlanSpec that can be embedded in both the ClusterServicePlanSpec and a new namesapced plan
|
There were some comments on the current PRs about the use of "Shared" as the prefix on these extracted objects. Do we want to revise the proposal before we get too deep into the refactor? cc: @n3wscott |
|
|
||
| To extract the shared fields, we will: | ||
|
|
||
| - Extract the identified shared fields onto embedable types: `SharedServiceBrokerSpec`, `SharedServiceClassSpec`, and `SharedServicePlanSpec`. |
There was a problem hiding this comment.
I am questioning Shared, how about Common or Core
There was a problem hiding this comment.
Paul suggested SharedServerFooFields and I like that.
There was a problem hiding this comment.
These don't show up to the user, do they?
As long as the notation is consistent and there is documentation describing what they are, I'm probably fine with most suggested names.
There was a problem hiding this comment.
Nope, the names of these types never surface to users.
* Extracting common plan spec elements into embeddable struct As part of the Prosopal for Namespaced Resources (#1826), this extracts the common elements from the ClusterServicePlanSpec into a SharedServicePlanSpec that can be embedded in both the ClusterServicePlanSpec and a new namesapced plan * Cleaned up comments on shared fields to remove "Cluster" from description. * Cleaned up comments on shared fields to remove "Cluster" from description. * Refactored ClusterPlanStatus to match proposal * Revert "Refactored ClusterPlanStatus to match proposal" This reverts commit 6b36cf7.
docs/proposals/ns-scoped-catalog.md
Outdated
|
|
||
| Next, we will make the required changes to the binding controller loop to make it possible to create bindings against service instances that are associated with the ns-scoped variants of serviceclasses and plans. | ||
|
|
||
| ### Remove feature flag |
There was a problem hiding this comment.
This is the first time feature flag is mentioned in this proposal, i.e. there is no "add feature flag" anywhere.
Also, I'm not even sure we need feature flag at all, given that the proposed changes are backward compatible. Is that to be able to iteratively implement this proposal, i.e. having it merged without enabling for a first couple iterations until we get MVP? I would probably prefer to have an MVP in the first PR.
There was a problem hiding this comment.
I think he means feature gate
docs/proposals/ns-scoped-catalog.md
Outdated
|
|
||
| ### Use Case: Developing new services | ||
|
|
||
| Similar to to highly privileged services, there are a class of users who are service developers, and would be interested in publishing their services via a broker to the rest of the cluster. As part of their development cycle, they would like to work within their own private namespace while iterating on their service. |
docs/proposals/ns-scoped-catalog.md
Outdated
| - Create a policy that adds certain services and plans to multiple namespaces | ||
| - Creating a virtual resource that allows users to see all services or plans available to them across the cluster and namespace scopes | ||
|
|
||
| We should take care to acheive the goals of this proposal without preventing further progress on other issues that are out of scope. |
docs/proposals/ns-scoped-catalog.md
Outdated
|
|
||
| ## Goals and non-goals | ||
|
|
||
| There are many related problems in service-catalog that users are interested in solutions for, but we need to keep the scope of this proposal controlled. In that light, let's establish the goals of this proposal: |
There was a problem hiding this comment.
service-catalog -> Service Catalog
docs/proposals/ns-scoped-catalog.md
Outdated
|
|
||
| Adding namespaced resources for brokers, services and plans is necessary but not sufficient to control access to services and plans. A single broker may offer a mix of services that all users should be able to access and services that should only be usable by some users. | ||
|
|
||
| In order to prevent a broker that offers a mix of unprivileged and privileged services to the cluster-scoped catalog, there must be a way to filter the services and plans exposed by a broker. This can be accomplished through the use of white/black lists that control which services and plans in a broker's catalog have service-catalog resources created for them. For example: |
There was a problem hiding this comment.
As I said before in person, I think that the entire Filtering services and plans from a broker paragraph is unrelated to the proposal, and should be just briefly mentioned in the The following are valid goals but outside the scope of this proposal: list instead.
The initial proposal should be about namespace-local services/plans only without support for mix of services with different access level.
There was a problem hiding this comment.
I would like to leave it in because it's an important part of the story we're trying to make possible here. Is it really necessary to rewrite it out of this PR?
There was a problem hiding this comment.
@pmorie it seems that you have removed it already, but I will still reply :)
I didn't want to be part of this proposal, as it addresses a different concern, and it's harder to sell/buy 2 proposals bundled into one. Unless your plan was to silently slip the black/whitelist proposal as part of the bigger one haha :)
docs/proposals/ns-scoped-catalog.md
Outdated
| There are many related problems in service-catalog that users are interested in solutions for, but we need to keep the scope of this proposal controlled. In that light, let's establish the goals of this proposal: | ||
|
|
||
| - Make it possible to keep the cluster-scoped catalog limited to services and plans that everyone should be able to use | ||
| - Make it possible to add privileged services and plans into specific namespaces |
There was a problem hiding this comment.
strike the word privileged.
not sure if add is the correct word, but that is a nit.
| 1. Not all authorizers are able to provide a list of subjects with access to a resource | ||
| 2. An external authorizer may have its state changed at any time out of band to kubernetes, making it impossible to do implement a correct `LIST` or `WATCH` operation from a certain resource version | ||
|
|
||
| Since ACL-filtering the cluster-scoped list of services and plans is not a realistic option, we must find another method of controlling read/write access to resources. In Kubernetes, namespaces are the defacto way of performing this type of access control. |
There was a problem hiding this comment.
I don't run or operate an application in a cluster. Any documentation on this use of namespaces? Blogs or official guidance. I've never understood the original use case for namespaces.
There was a problem hiding this comment.
| There are two ingredients to successfully controlling access to services and plans: | ||
|
|
||
| - Namespaced versions of these resources are required to control access to services along the boundaries of namespaces | ||
| - API surfaces to allow black/whitelisting which services and plans from a broker's catalog have k8s resources created for them |
There was a problem hiding this comment.
From the rest of the proposal, this seems outside the boundaries. Limit this to resources, management later.
There was a problem hiding this comment.
That's addressed later in the doc
There was a problem hiding this comment.
black/whitelisting was removed from the doc, so probably remove this paragraph as well.
|
|
||
| The API for the `ServiceBroker` resource should differ from `ClusterServiceBroker` in exactly one area: | ||
|
|
||
| - A user should only be able to specify a secret within the same namespace to hold the auth information |
There was a problem hiding this comment.
Does this mean a localref of some sort? It would mean a special version of AuthInfo structs. Otherwise this is more of a policy thing done by either an admission controller or the controller proper.
There was a problem hiding this comment.
This is handled directly by kubernetes I believe. Nothing special we need to do here as long as bindings are namespaced.
There was a problem hiding this comment.
@MHBauer you're right; the plan was to introduce a LocalObjectRefthat only contains the name, since the namespace is implied. There is ClusterServiceBrokerAuthInfo with ClusterBasicAuthConfig and ClusterBearerTokenAuthConfig. This is in service of making room for namespaced variants without the Cluster prefix that use the LocalObjectRef.
|
|
||
| Differences between `ClusterServiceClass` and `ServiceClass`: | ||
|
|
||
| - `ServiceClass.Spec` should have `ServiceBrokerName` instead of `ClusterServiceBrokerName` |
There was a problem hiding this comment.
Should we genericize this field to share it in struct data representation? To me it would seem 'obvious' that the cluster scoped class one should look for a cluster scoped broker, and that a namespace scoped one should look in the same namespace.
There was a problem hiding this comment.
That's dealt with later, in the implementation plan.
|
|
||
| To extract the shared fields, we will: | ||
|
|
||
| - Extract the identified shared fields onto embedable types: `SharedServiceBrokerSpec`, `SharedServiceClassSpec`, and `SharedServicePlanSpec`. |
There was a problem hiding this comment.
These don't show up to the user, do they?
As long as the notation is consistent and there is documentation describing what they are, I'm probably fine with most suggested names.
| - Minor controller changes to reflect the fact that these fields now belong to an embedded type. | ||
| - Required updates to the fuzzer, validations, and defaults where necessary. | ||
|
|
||
| This PR will result in no behavioral changes, and should remain entirely transparent to users. It is effectively a no-op. |
docs/proposals/ns-scoped-catalog.md
Outdated
|
|
||
| Next, we will make the required changes to the binding controller loop to make it possible to create bindings against service instances that are associated with the ns-scoped variants of serviceclasses and plans. | ||
|
|
||
| ### Remove feature flag |
There was a problem hiding this comment.
I think he means feature gate
| type ServiceBrokerSpec struct { | ||
| SharedServiceBrokerSpec `json:",inline"` | ||
|
|
||
| AuthInfo *ServiceBrokerAuthInfo `json:"authInfo,omitempty"` |
There was a problem hiding this comment.
I think this is what I mean by localref version of struct above.
There was a problem hiding this comment.
This is the old name, but the content needs to switch to some kind of localref.
There was a problem hiding this comment.
Yeah, that's what's implied. I can add the type description here if people think it's necessary
| type ClusterServiceBrokerSpec struct { | ||
| SharedServiceBrokerSpec `json:",inline"` | ||
|
|
||
| AuthInfo *ClusterServiceBrokerAuthInfo `json:"authInfo,omitempty"` |
There was a problem hiding this comment.
This is new and needs to be defined as the existing spec.
pmorie
force-pushed
the
ns-scoped-resources-proposal
branch
from
648d0c0 to
157f9f5
Compare
|
Addressed comments |
|
LGTM |
|
EDIT: Updated s/SCOPE/NAMESPACE to match agreement below. At the F2F, @eriknelson @jeremyrickard and I talked about what svcat would look like with namespaced scoped brokers.
$ svcat get classes
NAME NAMESPACE DESCRIPTION
+------------------+-------------+---------------------+
azure-mysql test-ns mysql on azure
$ svcat describe class azure-mysql
Name: azure-mysql
Namespace: test-ns
... TRUNCATED
$ svcat get classes --namespace qa-ns
NAME NAMESPACE DESCRIPTION
+------------------+-------------+---------------------+
google-mysql qa-ns mysql on google
$ svcat get classes --cluster
NAME NAMESPACE DESCRIPTION
+------------------+-------------+---------------------+
rando-mysql mysql on rando cloud
$ svcat describe class rando-mysql --cluster
Name: rando-mysql
... TRUNCATED
$ svcat get classes --cluster --all-namespaces
NAME NAMESPACE DESCRIPTION
+------------------+-------------+---------------------+
rando-mysql mysql on rando cloud
google-mysql qa-ns mysql on google
azure-mysql test-ns mysql on azure
|
What is the convention in k8s? It might just make sense to call it NAMESPACE |
|
If we label that field namespace, would we leave the cluster scoped resources blank in that column? |
yeah, it has no namespace. |
|
yeah, it has no namespace. @n3wscott Ok, that's what I assumed when I read your reply. I think I would vote in favor of the following:
and I think it's clear from absence of a value in the |
|
|
|
||
| ## Design | ||
|
|
||
| In this proposal we'll focus on adding the namespaced `ServiceBroker`, `ServiceClass`, and `ServicePlan` resources. For details on filtering which services and plans in a broker's catalog have k8s resources created for them, see https://github.com/kubernetes-incubator/Service Catalog/pull/1773. |
There was a problem hiding this comment.
@pmorie I have a general question about namespaced brokers.
Does it mean I can register same service-broker many times? For example Azure Broker as ClusterServiceBroker, and then as ServiceBroker twice for particular namespaces.
There was a problem hiding this comment.
Also have the same question. Seems it should be possible to have the same broker as a CSB and a SB but would be good to know for sure
There was a problem hiding this comment.
Yes, you can absolutely do that. I'd be happy to make that explicit if people care about the design proposal beyond this PR.
There was a problem hiding this comment.
@pmorie If user can register the same service-broker for many times, such as for clusterservicebroker and then as ServiceBroker for a namespace, how about the serviceclass fetched from the broker ?
As I can see, the for a particular apb, the class ID the unique, but it can be fetched by the clusterservicebroker and servicebroker, how to distinguish the two ?
There was a problem hiding this comment.
I was also thinking about this. Would this perhaps be handled by the catalog restrictions filter on the broker? IE if using the same broker for a service broker and cluster broker then set a filter https://github.com/kubernetes-incubator/service-catalog/pull/1773/files#diff-316f664334f2a9051f4897bee901c5f5R135 to filter out what you want to expose as a ServiceClass and what you want to expose as a ClusterServicePlan. An example of doing this would be very useful I think (If this is the way it would be done)
There was a problem hiding this comment.
@zihantang-rh, IMO when getting list of service classes you will use different API to distinguish same class with same uuid by SB or CSB API. During provisioning you always provide clusterServiceClassExternalName or serviceClassExternalName.
carolynvs
added
do-not-merge/hold
|
|
||
| ## Design | ||
|
|
||
| In this proposal we'll focus on adding the namespaced `ServiceBroker`, `ServiceClass`, and `ServicePlan` resources. For details on filtering which services and plans in a broker's catalog have k8s resources created for them, see https://github.com/kubernetes-incubator/Service Catalog/pull/1773. |
There was a problem hiding this comment.
The link here looks incorrect should it be https://github.com/kubernetes-incubator/service-catalog/pull/1773
There was a problem hiding this comment.
That does look like a more correct link :)
|
@pmorie Since namespaced brokers is implemented, and documented, what's the end state for this PR? Can I merge/close it? |
|
We discussed this at the SIG meeting today. Since this doc is going to go stale fast (if it isn't already), we decided to close the proposal, and then create follow-up issues to mine the proposal for any missing docs that should be added to our website. There a few features yet to be implemented, but they are all on the svcat cli side, and we have people working on them already. |
11 participants
Proposal to resolve #1200