[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
| Re: [che-dev] Add metadata.namespace to Devfile | 
- From: Lukas Krejci <lkrejci@xxxxxxxxxx>
- Date: Thu, 7 Nov 2019 10:53:57 +0100
- Autocrypt: addr=lkrejci@xxxxxxxxxx; keydata=	mQENBF2dCOgBCAD5/JOv9+R+U/WliRugBDM39G42porWn4cxg3n0XnTsAPOGw4uEycm9qyYj	PZ6Dx2/wWVFvjX1FOMFoSbiQF/7VsiafZy0g4a5J97SFTWZXwBqYqVInOfxHUFAegSqDEJ32	E7b8I/NivMl1/nIYgFogC1UJJ0TrfyjGeBKuXVPruTQeelqlQCi6Yoy43VoyZoWsYcrZQ9kc	vDGvCAC2xkk42o8ARYuWNZkan8Q+KRLnroacAV07DslgTyBo1tobNw+uVzMhsbvK1HyVfjLt	ceaBVFGy9CtTnZHY4zQ/aqjPdehZ6j53X7Mbzieckc81Rwm4PxojbWJ4pdVsjP2xHyTtABEB	AAG0IUx1a2FzIEtyZWpjaSA8bGtyZWpjaUByZWRoYXQuY29tPokBVAQTAQgAPhYhBNUZeXTR	D+fLJbwoiCLB0ImKMx/LBQJdnQjpAhsDBQkB4TOABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA	AAoJECLB0ImKMx/LNh8IAJczCeBkCcGPTj+YVGvDR4Bs5YNv9FtNlrTI7J9MPx92QJRBYWfO	REtHMBj0BaU663rJEA46Zr8rThAXWAAOKkUPWUZSqhzLSsbEeI2imtkADqDf9cpm5WtRnLoa	t5L/EYRYhZjChnrCPaP9P+F5w5VtqepohvnRQiYeBPvzkQpkz0zyP/ynLT75mv4TJiUKrgQq	zo+NRfCR/cpQna7cnT88FgDeMrI+qCBkIoLxiHjAKE9dTPHlyBPwb+f15WAOkoIYvvNWTZ5B	MRAKMmYGm1PBh7zVzKGA/DTH3/rHlgzFeyksoDhPMdwSJuxlHztHwJQR+iixhWhPuQLi24xz	F4y5AQ0EXZ0I6AEIAOKT6aZwXMRGUsU/aeuGP/i49BE9PoBXfcc94ReOHdpI7nPxH26YRras	+SoYsFUl7WZiBoxtceLnP1mxLPXqlbKRCmCx7Td7LSB6btLiT6tc8rMmZ9CZMUd86DmAaEM8	yma+che9uSPdRFSOhI1V3mvHlslQ9O3UlGUWXY/G2v0T88lXsW874RXgtpnoMVArZmnkUzma	5ykTrz8+f1f/nPaJ3sPp6bMg56zW2NI2G+3wknu6c/QmRDXQ0XQUH4ZQ6Wd/Fjz2hdIpPyw4	e1b1OCVhkLsAOM5A9bMx7FBz1BYK+mc1mF+q58oKO3+gN0IVz8SPuhwKNc5cYIuvnMuSUGEA	EQEAAYkBPAQYAQgAJhYhBNUZeXTRD+fLJbwoiCLB0ImKMx/LBQJdnQjoAhsMBQkB4TOAAAoJ	ECLB0ImKMx/LIyoH/jXT2J4T4eNcNPUeCfHMCvitWW+Zf8l4gCWnxYJL2nieguc68sPDBXuT	36gSzWSncz0g+UqRysV69zY9ZdcuZrcNWQuo5RKVXUDKGZ+2iRGvKc0k4Cce4w4cO6iMeL7N	Rm6VtmJ60bUUpQboPEzaxns5cqgRmJTsr9YVfeptrr1e9U5xIROILu4tJpK6DMgwTNC3EsVI	N9GiFy+Kb44ccz7wKhBXKZe0ghiZzlsjpEeY/aijW6I48kO7xiYFM7DWySXHP5nnK5Nf0k7p	WH2pd0YlG9IRni4Lts2ILmvZHrHN1PT75GRmVMosMrSh4Zv+r15z3Zvar0aiyoojZd3u/tc=
- Delivered-to: che-dev@xxxxxxxxxxx
- List-archive: <https://www.eclipse.org/mailman/private/che-dev>
- List-help: <mailto:che-dev-request@eclipse.org?subject=help>
- List-subscribe: <https://www.eclipse.org/mailman/listinfo/che-dev>,	<mailto:che-dev-request@eclipse.org?subject=subscribe>
- List-unsubscribe: <https://www.eclipse.org/mailman/options/che-dev>,	<mailto:che-dev-request@eclipse.org?subject=unsubscribe>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101	Thunderbird/68.1.1
Hi Mykola,
thanks for this, it gave me a lot of things to think about.
The editability of devfile is definitely a concern that we should have
in mind and I agree with you that having a read-only field is weird.
This brought me to an idea, that is actually already realized in the
prototype of the workspace CRD - devfile is not an actual kubernetes
object there, but only a "spec" section of the Workspace CR. And that CR
has the metadata, spec and status fields as usual.
That approach fits into your picture much more nicely (barring the fact
that we already have metadata.name and metadata.generateName in the
devfile, which kinda contradicts that approach). Devfile is describing
what the workspace should be comprised of but doesn't define the
workspace itself.
I think David's reply raises further valid concerns that are essentially
in line with your understanding of devfile as a recipe/spec as opposed
to the actual representation of a workspace.
On 07. 11. 19 9:28, Mykola Morhun wrote:
> Hello.
> You are working on a nice and useful feature, thanks.
> I am not an expert in Kubernetes stuff, but I have some concerns about
> suggested place of the namespace parameter storing.
> 
> First I want to mention that our devfile specification is really good
> designed (in my opinion). We combine here usage simplicity and power of
> Kubernetes/Openshift native declarations. So, if a new user comes to Che
> and wants to create a workspace it is really easy even without Kuberbetes
> knowledge (especially with hints in editor and auto-completion feature).
> Most of devfile fields are self-explaining. From the other side,
> experienced and familiar with Kubernetes concepts users might use full
> power of Kubernetes native definitions and embed them into components
> description of devfile, which is also a big plus. But these Kubernetes
> native definitions are added by experienced users on their demand. So, if a
> user wants to use this power he/she uses it. If a user prefers simplicity
> it is ok too. But if we add a Kubernetes namespace attribute into devfile
> metadata we'll force a user to use Kubernetes native stuff all the time.
> Even if the namespace attribute could be omitted on workspace creation step
> it will be present in the devfile after workspace creation as read only
> parameter, which in some way breaks the beauty of the current devfile
> definition (and its simplicity).
> On the other hand we have all the parts of devfile editable, so a user may
> change anything (including workspace name in metadata section). So,
> generally speaking, it is possible to just replace the whole content of a
> devfile at a time (corner case). But if we add a readonly field it will
> violate current statement of anything is editable.
> 
> To avoid described above possible issues we may have another section, say
> `initialization`, in devfile specification which is stored (or handled)
> separately from the main content of devfile.
> The section is considered on workspace creation step and will be ignored
> (or even invalid) for already existed workspaces. However, it would be good
> to display that readonly info in workspace details on dashboard (I mean it
> should be readable via API).
> What do you think about such approach?
> 
> On Wed, Nov 6, 2019 at 4:17 PM Lukas Krejci <lkrejci@xxxxxxxxxx> wrote:
> 
>> Hi all,
>>
>> We're adding the ability to specify the namespace in which a workspace
>> should be created and we are thinking where is the best place to put it.
>>
>> Kubernetes objects have a optional "metadata.namespace" field, that
>> defaults to "default" or whatever is supplied as -n to kubectl.
>>
>> This led us to the idea that devfile, too, should have such a field with
>> very similar semantics:
>>
>> * optional with the default determined by the Che server (using our
>> config vars for specifying the namespace)
>> * non-editable
>>
>> This has some nice consequences:
>> * it would bring devfile yet another tiny bit closer to other k8s objects
>> * because namespace would become part of the devfile model, it would be
>> consistent with all other devfile value overrides I asked about in my
>> previous email
>> (https://www.eclipse.org/lists/che-dev/msg03420.html).
>>
>> Not having the namespace in the devfile model would require special
>> handling of the namespace in our REST API - both in factory and the
>> workspace APIs, which seems a little bit ugly compared to "just override
>> it as any other devfile attribute".
>>
>> WDYT? Do you have some concerns about this idea? Do you have some
>> alternative proposals that would make workspace namespace nicely
>> integrated into our APIs?
>>
>> For those concerned about the possible security issues (like for example
>> trying to submit a malicious devfile into kube-system namespace), the
>> ability to specify a user-defined namespace can be switched off
>> completely in the che server and our service account can be configured
>> with limited ability to deploy stuff in certain namespaces.
>>
>> Thanks,
>>
>> Lukas
>>
>> _______________________________________________
>> che-dev mailing list
>> che-dev@xxxxxxxxxxx
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://www.eclipse.org/mailman/listinfo/che-dev
>>
> 
> 
> 
> _______________________________________________
> che-dev mailing list
> che-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/che-dev
> 
Attachment:
signature.asc
Description: OpenPGP digital signature