Updating Topology Aware Subsetting KEP for 1.21

[robscott]

This includes adding a PRR, adding a new syncs metric, and a variety of additional cleanup.

See also: #2354
Enhancement Issue: #2004

/sig network
/cc @andrewsykim @bowei @freehan
/assign @thockin @wojtek-t

[thockin]

What happens if someone enables subsetting but we have a very old kube-proxy? It may see duplicate endpoints - are we confident that old kube-proxy de-dups endpoints (from slices)? Do we have tests backing that up?

[thockin]

You say later the controller config, but can we say something here like "...the default behavior will be decided by the system." ?

Long term, this annotation becomes the escape hatch for people who need to disable it, and not something that most users specify. In fact, let's call that out as the long-term goal? "Most users should not need to specify this at all, and will get topology-aware balancing by default".

[robscott]

Should we not have a controller flag at all here? I was thinking that having a controller flag would provide a way to experiment with the default value here in advance of a k8s transition to "Auto" by default.

[thockin]

Good question. How nervous should we be about the default becoming "auto"? Thinking about the best-case timelines:

Suppose we do not add any controller flag:

• Q1 1.21 = alpha + opt-in by annotation
• Q2 1.22 = beta + opt-in by annotation
• Q3 1.23 = GA + opt-out by annotation

The riskiest change is 22->23, I think. In fact it seems so risky that we may want to drag out beta + opt-in for several releases, pushing out GA. Q4 is blech, so really GA would be Q1'22 earliest.

Suppose we decouple the controller default (via flag or just another gate):

• Q1 1.21 = alpha + opt-in by annotation
• Q2 1.22 = beta + opt-in by annotation
• Q3 1.23 = GA + opt-in by annotation
• Q1 1.25 = change default flag value to "auto"

Now we get to GA the feature without flipping the default.

As I wrote this I realized that maybe your question is whether we need a flag or just a different feature gate? I think we can start without such a flag - we can always add flags, but dropping them is hard

[robscott]

Good call, updated KEP to say any change to default behavior will be covered by a future KEP.

[thockin]

/lgtm

[thockin]

For PRR reviewers - does this include "needs a restart to flip the gate" ?

[wojtek-t]

I think what we're saying here is:

• you can enable/disable feature by feature-gate switch (above - which requires restart)
• you can enable/disable the feature for your individual single Service (on service by service basis) - and that doesn't require restart

[Assuming that was the intention, can you please make it explicit that it's on Service by Service basis?]

[thockin]

/approve

I am not PRR reviewer, but KEP body LGTM

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: robscott, thockin
To complete the pull request process, please assign wojtek-t after the PR has been reviewed.
You can assign the PR to them by writing /assign @wojtek-t in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-network/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wojtek-t]

Will do the PRR review on Monday.

[wojtek-t]

I think I don't understand this.

Doesn't this mean that we have no way to graduate both features to Beta (as we enable Beta by default)?

[wojtek-t]

[Comment to this whole subsection - not to this line].

How we're planning to reduce the churn on EndpointSlices?
Please correct me if I'm wrong, by my understanding is that this algorithm will be run each time when we will be computing slicing for a given service.

So let's say I have all my endpoints in zone A (say 30 endpoints). How you're going to achieve the situation that e.g. when adding 1 endpoint only one EndpointSlice will get updated, not potentially all 3 of them?

[This algorithm doesn't seem to take inco acount a current assignment...]

[wojtek-t]

I think what we're saying here is:

• you can enable/disable feature by feature-gate switch (above - which requires restart)
• you can enable/disable the feature for your individual single Service (on service by service basis) - and that doesn't require restart

[Assuming that was the intention, can you please make it explicit that it's on Service by Service basis?]

[wojtek-t]

Given this sentence from the above:
"When this annotation is either unspecified or not set to Auto, the Disabled behavior will be default."

The answer for this question is just "no" :)

This is a nice explanation, but I think there is a huge benefit of keeping the answers as short as possible - we don't necessary want to explain all the details here.
So let's simply change to something like:

"No - it requires to explicitly opting in for the feature by setting the annotation".

[wojtek-t]

Can we be more specific?
E.g. can we provide an upper bound on increase? (e.g. say that there will be no more than #zones times more than current operations (if that is even true)). Or something like that...

[robscott]

Thanks for all the great feedback on this PR! These discussions have encouraged me to try a slightly different approach with #2434. I will revisit this PR after the KEP freeze to get them into a deferred state and capture most of the #2434. Closing this PR temporarily to avoid any confusion.

/close

[k8s-ci-robot]

@robscott: Closed this PR.

In response to this:

Thanks for all the great feedback on this PR! These discussions have encouraged me to try a slightly different approach with #2434. I will revisit this PR after the KEP freeze to get them into a deferred state and capture most of the #2434. Closing this PR temporarily to avoid any confusion.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.