KEP 2775: kubectl delete interactivity and delay #2777
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: eddiezane The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
sig/cli
eddiezane
force-pushed
the
ez/2775-init
branch
5 times, most recently
from
e5d7318
to
0f32113
Compare
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
Looks good! One request, the KEP is currently oriented toward kubectl when I believe it ought to be a system-wide initiative to stop existentially destructive behaviors. kubeadm reset is in this realm, but not all resets are existential. When such a situation is detected, the same behavior ought to be used. Are there other systems of this nature that should also be covered?
|
|
||
| ## Proposal | ||
|
|
||
| 1. `kubectl delete [--all | --all-namespaces]` will warn about the destructive action that will be performed and artificially delay for x seconds allowing users a chance to abort. |
There was a problem hiding this comment.
I'd like to see the same behavior with kubeadm reset when the node being acted upon would remove etcd quorum.
There was a problem hiding this comment.
kubeadm reset shows a confirmation prompt, unless the user passes -f.
$ kubeadm reset
[reset] Reading configuration from the cluster...
[reset] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[reset] WARNING: Changes made to this host by 'kubeadm init' or 'kubeadm join' will be reverted.
[reset] Are you sure you want to proceed? [y/N]:
its phases are documented, can be executed on demand or skipped:
https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-reset/
There was a problem hiding this comment.
Maybe the resolution to this is after the user presses 'y' and the cluster is determined to go unstable after such a request, a second warning is displayed alerting to such.
|
|
||
| ``` | ||
| kubectl delete namespace prod -i | ||
| Are you sure? (y/n) |
There was a problem hiding this comment.
suggest default to N. e.g. Are you sure? (y/N)
There was a problem hiding this comment.
Good call. Changed and explicitly called out.
There was a problem hiding this comment.
Is y/N is the standard across Kubernetes ? In some places, we do use Yes/No.
There was a problem hiding this comment.
I'll check for precedent.
There was a problem hiding this comment.
Just tried locally, how initial development looks like (pardon for the verbose/warning :) )
@thockin @liggitt @eddiezane - If the interactive flag is not given, it suppose to go for delay. we can delay it using ticker but every second is expect to log as a line like ( Ignore the Order ascending or descending )
->resources will be deleted in 9 sec
->resources will be deleted in 8 sec... ??
Not sure if it is possible to do like state changes/clock in node/UI - resources will be delete in (9..8..7.....) ?
Signed-off-by: Eddie Zaneski <eddiezane@gmail.com>
I think that should be in a different KEP. I liked what @brendandburns shared about the locking Azure does.
|
| https://groups.google.com/g/kubernetes-dev/c/y4Q20V3dyOk/m/LOe7Id1DBgAJ | ||
| https://groups.google.com/g/kubernetes-dev/c/y4Q20V3dyOk/m/W0y2fD-NAAAJ | ||
|
|
||
| During RFC discussion several ideas were shared. One of them was a locking mechanism for resources that would prevent deletion. This is considered orthogonal to this KEP because users don't intend to delete the resources they are accidentally deleting - not that there are things that should never be deleted. |
There was a problem hiding this comment.
I agree with the statement - intent not to delete resource but accidentally being deleted. However, there are things that cannot be deleted are at different levels in Kubernetes like Kube-* namespaces, default namespaces if you try to delete it using the same kubectl command, it is 403 forbidden.
Do you think is it worth re-phrasing not that there are things that should never be deleted ?
|
|
||
| 1. `kubectl delete [--all | --all-namespaces]` will warn about the destructive action that will be performed and artificially delay for x seconds allowing users a chance to abort. | ||
|
|
||
| 2. Add a new `--interactive | -i` flag to `kubectl delete` that will require confirmation before deleting resources imperatively (i.e. not `-f`). This flag will be false by default. If this flag is explicitly set to false it will not prompt or artificially delay. |
There was a problem hiding this comment.
how does this interact with other consumers of stdin in kubectl (e.g. client-go credential plugins that make use of stdin, or manifest reading from stdin like -f -)
There was a problem hiding this comment.
I think it will matter where in the call stack we read stdin. The client-go credential plugins probably happen early the flow? I see this living near the end right inside the delete command.
Will need to play around with it with. We can have some integration tests for these.
What would you like to see about it in the KEP?
There was a problem hiding this comment.
The client-go credential plugins probably happen early the flow?
I think it depends on where the client config is constructed.
What would you like to see about it in the KEP?
Describing specific places we use stdin in conjunction with kubectl delete calls today (-f -, exec plugins, etc), and that this --interactive option cannot be used in combination with those (and exercising the behavior when both are attempted with a testcase)
|
|
||
| ## Proposal | ||
|
|
||
| 1. `kubectl delete [--all | --all-namespaces]` will warn about the destructive action that will be performed and artificially delay for x seconds allowing users a chance to abort. |
There was a problem hiding this comment.
is this being proposed for delete invocations for:
- all
--allinvocations - cluster-scoped resources
- namespacesd
There was a problem hiding this comment.
is this being proposed for delete invocations for:
- all
--allinvocations
Yes.
- cluster-scoped resources
- namespacesd
Not specifically. Only when deleted with --all or --all-namespaces.
|
|
||
| 2. Add a new `--interactive | -i` flag to `kubectl delete` that will require confirmation before deleting resources imperatively (i.e. not `-f`). This flag will be false by default. If this flag is explicitly set to false it will not prompt or artificially delay. | ||
|
|
||
| These two changes introduce significant protections for users and do not break backwards compatibility. Scripts will see an x second delay unless they explicitly set `-i=false`. |
There was a problem hiding this comment.
Scripts will see an x second delay unless they explicitly set
-i=false.
I expected us to attempt to detect interactive invocations and only delay in those cases. That would limit the delay for scripts to environments which mimic interactive terminals, which seems better.
There was a problem hiding this comment.
These were @thockin's thoughts.
I think I'd rather they set
-i falseexplicitly
that is obvious AT THE CALL SITE as opposed to looking for${CI}being set somewhere else
it's a big declaration of "I meant to do that"
When it comes to scary stuff I'll take "annoyingly explicit" every time
e.g. there's not a${UNSAFE_RM}variable that implies-f
I did digging on detecting a TTY and it's a pretty mixed bag. A handful of CI/CD providers spoof a TTY to get nicer color output. I don't think we can reliably go that route.
There was a problem hiding this comment.
A handful of CI/CD providers spoof a TTY to get nicer color output. I don't think we can reliably go that route.
If the issue is false positive detection of interactive invocations, introducing delays to those false positives seems ok to me
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
Could you check this comment and give feedback? |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
@MadhavJivrajani: The In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Going back to the drawing board on this. |
|
For the people interested on this KEP, there was an another attempt in this proposed KEP #3896. That would be great, if you can give your insights on it too. Thanks. |
ref: #2775