Remove helm mode setting #3628
Remove helm mode setting #3628
Conversation
Codecov Report
@@ Coverage Diff @@
## main #3628 +/- ##
=======================================
Coverage 27.13% 27.13%
=======================================
Files 137 137
Lines 19265 19265
=======================================
Hits 5227 5227
Misses 13399 13399
Partials 639 639 Continue to review full report at Codecov.
|
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
There was a problem hiding this comment.
I just wrote documentation on the mode switch and so I strongly suggest keeping it. Reason being that mode should influence all the other resources and configurations based on either ha or standalone. For example, if mode=ha it should create the PDB, Pod anti-affinity, set replicas, etc. And for mode=standalone it would just set replicas. See this PR to get a sense for what I added. Idea was to link to that Security vs Operability section.
|
This is IMHO quite confusing to have settings for both In practice |
The PDB should probably be created when there is more than 1 replica, regardless of |
|
As an example, this is how |
I agree. Let's just remove |
So the only instance in which the PDB should be created is when |
Why not use replicaCount directly instead of hard coding it to 3 ? I don’t understand the advantage of the |
|
Because there are only two "valid" values of replicaCount: either 1 or 3. So rather than letting users potentially shoot themselves in the foot by configuring, for example, 2, which isn't supported, why not give them easy buttons for "standalone" installation or "ha" installation? All the other Kubernetes resources, parameters, configurations etc would then be driven off of those two values. |
|
Why 2 is not a valid value ? How about 4 or 5 or using an HPA ? |
|
Because it breaks the leader election process. We need an odd number and right now only 3 has been tested and marked as supported. |
|
Are we really using leader election ? |
|
@realshuting can you comment here? What's your feeling if we force either 1 or 3 replicas? We've had problems in the past with an even number (mainly 2) to the point where we don't support 2. |
|
I don't often see "meta" parameters that modify behavior of multiple things but aren't directly used in a template but what is more common more direct values like If we do stick with |
@eddycharly - there was an issue when running Kyverno with 2 replicas, please see #2053. We are still investigating the issue, please chime in if you've seen this issue before.
This is true, but note that the webhook server does not run leader election, all instances are active to serve admission requests. For HA, Kyverno must be configured with 3 or more replicas. It is not required to configure Kyverno with an odd number of instances, but this is something recommended even for Kubernetes (cc @mritunjaysharma394): https://discuss.kubernetes.io/t/high-availability-host-numbers/13143 |
|
Thanks for correcting me, Shuting. So can we go with the |
I think that might be confusing and also could lead to issues with Helm chart where some places use mode and some use replicaCount. Since replicaCount can be more than 1 or 3 (ie 5), I'd lean towards just using replicaCount only. We could easily produce a failure in the Helm chart if the value is 2 to avoid people doing something unsupported. |
|
So here's what I'd recommend:
Is this too complex? The whole goal is to provide a simpler path for users to deploy Kyverno based on two most common profiles while also letting them know about the risks associated with webhooks. If there's a better way to control the experience, let's put it on the table. |
|
Again, the Saying in the docs that for production usage replicas count should be at least 3 and that pods should be spread across hosts/azs is clear and easy to understand. IMHO talking about quorum is misleading as it’s not related to kyverno. Talking about leases and how we use them could be useful though. |
|
Ok, see this flow chart. How does this look? Ignore the "Optional" box on the far left for now.
The problem is most users won't read the documentation and we should try and provide some sane defaults according to our best practices based upon things like replicas.
Yes, it was my mistake. There is no leader election in Kyverno like there is for the control plane (because of RAFT used by etcd). |
|
Still not convinced that having a I understand the desire to simplify the configuration but I feel like it makes things more confusing, less customisable and introduces unnecessary complexity. Our discussions here make me think that we have something too complex and hard to understand (for us and for end users), using |
|
Look at the flow chart. There is no |
|
That new flow chart looks fine. |
|
@chipzoller it looks good. |
|
I can update the warning messages in a follow up PR. This one is more about removing |
|
Yes, that's fine, but since you have these files "open" might as well polish what's here. |
|
I think it's fine to merge, I just want to make sure I understand:
|
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
When |
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix missing policy.kyverno.io/policy-name label (#3599) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor cli code from pkg to cmd (#3591) * refactor cli code from pkg to cmd Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes in imports Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes tests Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixed conflicts Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * moved non-commands to utils Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * add-kms-libraries for cosign (#3603) * add-kms-libraries Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * Shifted providers to cosign package Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add support for custom image extractors (#3596) Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Update vulnerable dependencies (#3577) Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * updating version in Chart.yaml (#3618) * updatimg version in Chart.yaml Signed-off-by: Prateeknandle <prateeknandle@gmail.com> * changes from, make gen-helm Signed-off-by: Prateeknandle <prateeknandle@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Allow kyverno-policies to have preconditions defined (#3606) * Allow kyverno-policies to have preconditions defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix docs Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Image verify attestors (#3614) * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * support multiple attestors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rm CLI tests (not currently supported) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * apply attestor repo Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix entryError assignment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add intermediary certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Allow defining imagePullSecrets (#3633) * Allow defining imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use dict for imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Simplify how imagePullSecrets is defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Fix race condition in pCache (#3632) * fix race condition in pCache Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact: remove unused Run function from generate (#3638) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * Remove helm mode setting (#3628) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * refactor: image utils (#3630) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * -resolve lift comments; -fix informer sync issue Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact the update request cleanup controller Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - fix delete request for mutateExisting; - fix context variable substitution; - improve logging Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable events; - add last applied annotation Signed-off-by: ShutingZhao <shuting@nirmata.com> * enable mutate existing on policy creation Signed-off-by: ShutingZhao <shuting@nirmata.com> * update autogen code Signed-off-by: ShutingZhao <shuting@nirmata.com> * merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> * add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * address list comments Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix "Implicit memory aliasing in for loop" Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove unused definitions Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com> Co-authored-by: treydock <tdockendorf@osc.edu> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This PR removes helm mode setting.
The
havsstandalonemode can be replaced with a simpler replicas count (thehamode only influenced replicas count, making it hard to understand).It also adds a couple of warnings in
NOTES.TXTwhen deployed in non-ha and/or without namespace exclusions.