KEP-3926: handling undecryptable resources

[stlaz]

• One-line PR description: Improve the identification of resources that won't decrypt. Make it possible to remove undecryptable resources by using the API.

• Issue link: Handling undecryptable resources #3926

• Other comments: Enable deleting API objects even when storage-level decryption is not working properly kubernetes#86489

[stlaz]

/cc @ibihim @deads2k @enj

[stlaz]

kubernetes/kubernetes#116943 shows a proof of concept for the list options proposed in this KEP.

[liggitt]

it's unclear what this API lets you skip... I would not expect to be allowed to skip admission or finalizers if the existing persisted object can be decoded successfully

[wojtek-t]

+1 - I thikn it should only allow deleting objects (with all the consequences) that we cannot decode. Nothing else should be allowed.

[stlaz]

Just to get our lingo synchronized - I would consider decoding and transforming two separate cases (you'll see why in code ref below).

What about objects we cannot retrieve from storage for other reasons?

The generic storage Get implementation fails in one additional case, that is if key cannot be constructed - https://github.com/kubernetes/kubernetes/blob/3cf9f66e90d560ac080687610933c712bcf37b39/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store.go#L756-L769

The etcd3 store implementation fails in 6 other cases:
https://github.com/kubernetes/kubernetes/blob/3cf9f66e90d560ac080687610933c712bcf37b39/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go#L132-L166

Most of the cases indeed seem like errors we may not want to ignore. Should we focus solely on the transformation error, then?

[liggitt]

Should we focus solely on the transformation error, then?

I don't think so... transformation and decoding failures have almost identical implications, symptoms, and considerations for deleting anyway. Solving both problems together and consistently makes sense to me

[stlaz]

@liggitt @wojtek-t @dgrisonnet The addressable comments were addressed, please take a look when you get a chance

[liggitt]

the mechanics of this seem to belong more to api-machinery (who owns the list and delete functionality that would be modified as part of this) ... there are multiple reasons a resource could fail to decode from storage, decryption is only one of them (e.g. kubernetes/kubernetes#69579)

[liggitt]

Should we focus solely on the transformation error, then?

I don't think so... transformation and decoding failures have almost identical implications, symptoms, and considerations for deleting anyway. Solving both problems together and consistently makes sense to me

[stlaz]

I squashed the previous changes and addressed all the most recent comments in the "address comments" commit.

[soltysh]

#prr-shadow
lgtm - thx :)

[deads2k]

/label tide-merge-method-squash
/approve

[k8s-ci-robot]

@deads2k: The label(s) /label tide-merge-method-squash cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, lead-opted-in, tracked/no, tracked/out-of-tree, tracked/yes. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label tide-merge-method-squash
/approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [deads2k]
• keps/sig-auth/OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stlaz]

(I squashed the changes to a single commit in the latest force push)

[deads2k]

/label tide/merge-method-squash

[sttts]

can we align these two words, the option and the verb?

[sttts]

@tkashem this is still open in the implementation.

[sttts]

could this be withoutReadingFromStorage, i.e. a mode of deletion that has nothing to do with errors but is just highly unconditional deletion? (disclaimer: have only read the kep briefly, maybe I missed it)

[sttts]

Looking at today's DeleteOptions, this could even be called unconditional or force.

[sttts]

xref old thread around this topic #3927 (comment)

[sttts]

worth to summarize as a non-goal:

• give clients control over skipping other steps of a delete request flow than decoding errors

[deads2k]

worth to summarize as a non-goal:

• give clients control over skipping other steps of a delete request flow than decoding errors

Agree.

[deads2k]

/lgtm