✨ Support subresource modification #1922

Closed

Contributor

@g7r g7r commented Jun 2, 2022

I need to add finalizers without granting access to the entire resource. It certainly is possible in Kubernetes:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myrole
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - watch
      - list

  - apiGroups:
      - apps
    resources:
      - deployments/finalizers
    verbs:
      - update

But I can't update finalizers using client.Client. I don't have permission to modify the entire deployment, and client.Client doesn't provide an API to modify a generic subresource; it only has special support for the "status" subresource. In this PR I add support for other subresources.

I'm open to suggestions of course. Consider the initial PR version also as an invitation to discussion even if the implementation is totally wrong.

Fixes #172
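
A simplified model of how RBAC rule matching treats the Role posted above, showing that a whole-object update and a subresource update are authorized separately. This is an added example, not code from the PR or from Kubernetes; `PolicyRule`, `Allowed` and `MyRole` are names invented here, and the matcher covers only apiGroups, resources and verbs.

```go
package main

import "fmt"

// PolicyRule is a cut-down stand-in for an RBAC rule (assumed type, not the real API struct).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// contains reports whether list holds want or the "*" wildcard.
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches treats "deployments" and "deployments/finalizers" as distinct names.
// A rule may also name "*/<subresource>" to cover one subresource of every resource.
func resourceMatches(r PolicyRule, resource, sub string) bool {
	for _, rr := range r.Resources {
		if rr == "*" || (sub == "" && rr == resource) ||
			(sub != "" && (rr == resource+"/"+sub || rr == "*/"+sub)) {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants verb on group/resource[/sub].
func Allowed(rules []PolicyRule, verb, group, resource, sub string) bool {
	for _, r := range rules {
		if contains(r.Verbs, verb) && contains(r.APIGroups, group) && resourceMatches(r, resource, sub) {
			return true
		}
	}
	return false
}

// MyRole mirrors the two rules of the Role in the post above.
var MyRole = []PolicyRule{
	{[]string{"apps"}, []string{"deployments"}, []string{"get", "watch", "list"}},
	{[]string{"apps"}, []string{"deployments/finalizers"}, []string{"update"}},
}

func main() {
	// Whole-object update versus finalizers-subresource update under MyRole.
	fmt.Println(Allowed(MyRole, "update", "apps", "deployments", ""),
		Allowed(MyRole, "update", "apps", "deployments", "finalizers"))
}
```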

@linux-foundation-easycla

linux-foundation-easycla bot commented Jun 2, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: g7r / name: Sergej Zagursky (03edfd3)

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Jun 2, 2022
@k8s-ci-robot
Contributor

Welcome @g7r!

It looks like this is your first PR to kubernetes-sigs/controller-runtime 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-runtime has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 2, 2022
@k8s-ci-robot
Contributor

Hi @g7r. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 2, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: g7r
To complete the pull request process, please assign gerred after the PR has been reviewed.
You can assign the PR to them by writing /assign @gerred in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jun 2, 2022
@alvaroaleman
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 2, 2022
@alvaroaleman
Member

/cc @FillZpp

@k8s-ci-robot k8s-ci-robot requested a review from FillZpp June 2, 2022 16:50
Member

@joelanford joelanford left a comment

I actually ran into this exact problem recently and was scratching my head about why it wasn't working. Thanks for submitting this!

This seems to be the solution for #172

My only small concern with this is that it might imply it handles more than CRUD (e.g. pods/logs or an arbitrary subresource of an APIService). Perhaps GoDoc is enough to document the limitations?

func (c *client) Status() StatusWriter {
return &statusWriter{client: c}
func (c *client) Status() SubResourceWriter {
return &subResourceWriter{client: c, subResource: "status"}
Member

Does this work?

Suggested change
return &subResourceWriter{client: c, subResource: "status"}
return SubResource("status")

Contributor Author

Absolutely! Thanks for the suggestion. I've applied it here and to other similar places as well.

type StatusWriter interface {
// SubResourceClient knows how to create a client which can update subresource
// for kubernetes objects.
type SubResourceClient interface {
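
Review bot: the doc comment on SubResourceClient says it can "update subresource" without saying which subresources that covers. State the supported kinds in the GoDoc so the exported name does not read as a promise for every subresource, and fix the wording to "a subresource of Kubernetes objects".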
Member

One thing I am wondering is if this should maybe be called something like SubResourceCRUDClient or some such to clarify that this can not deal with other subresources like logs and differentiate it from a potential future non-crud subresource client?

I am not sure though if it is possible to come up with a sensible non-crud subresource client, since that could basically be anything? Maybe that one would just be a standard http client? Ref #452

Member

Thinking about it again, maybe we should instead just add more verb(s) once we get there?

@alvaroaleman alvaroaleman added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 3, 2022
Contributor

@FillZpp FillZpp left a comment

Some comments to this CRUD subresource client. It's nice that we can read/write more subresources in controller-runtime.

Also a non-CRUD subresource client will be great, but it is not easy to define a common interface for those subresources. It seems they are all defined for K8s built-in resources and don't support custom resources (I'm not sure). So maybe document that those could only be handled via client-go temporarily? WDYT @alvaroaleman @joelanford

type StatusWriter = SubResourceWriter

// SubResourceWriter knows how to update subresource of a Kubernetes object.
type SubResourceWriter interface {
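
Review bot: the alias on the first line, type StatusWriter = SubResourceWriter, has no doc comment in the visible lines. Add one saying the name is kept for compatibility and pointing readers to SubResourceWriter; the SubResourceWriter comment should also read "a subresource of a Kubernetes object".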
Contributor

@FillZpp FillZpp Jun 6, 2022

We may also have to define a SubResourceReader. Sometimes ppl want to get some subresources, for example getting a Scale subresource allows us to get the expected and current replicas number of any workloads (e.g., Deployment, StatefulSet), like what podautoscaler controller and disruption controller do.

Member

We could probably in the future replace the current SubResourceWriter interface with a SubResourceClient and then add read functionality in there?

Contributor

Or we could have both SubResourceReader and SubResourceWriter, like the Reader and Writer?

And also the SubResourceWriter needs more methods other than Update and Patch, for example the subresource pods/binding has to be POST, which is actually Create.

// UpdateStatus used by StatusWriter to write status.
func (c *typedClient) UpdateStatus(ctx context.Context, obj Object, opts ...UpdateOption) error {
// UpdateSubResource used by SubResourceWriter to write status.
func (c *typedClient) UpdateSubResource(ctx context.Context, obj Object, subResource string, opts ...UpdateOption) error {
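
Review bot: the doc comment on UpdateSubResource still reads "to write status", carried over from UpdateStatus, although the method now takes an arbitrary subResource string. Reword it to describe writing the named subresource, and document which values subResource accepts, since the signature places no constraint on it (an empty string, for example).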
Contributor

IMHO, one obj Object in the parameters is not enough, because not all subresources (even CRUD subresources) take the original object as their request body. For subresources like Status and Finalize, yes. For subresources like Scale, no, which actually accept an autoscaling.Scale as the request body.

Member

Yeah, we definitely need that, apart from Scale there is also authenticationv1.TokenRequest in the case of serviceaccount tokens... Maybe we can have a StatusUpdateOption that has a Body Object field on top of the other UpdateOptions?

Contributor

SGTM, or we can have two objects in the UpdateSubResource parameters like
(ctx context.Context, obj Object, subObj Object, subResource string, opts ...UpdateOption)

If the subObj is not nil, we should take it as the update body, otherwise we will use the obj.

Member

Due to the fact that it is not always mandatory I'd prefer to make it part of the opts and we can then provide a convenient wrapper, so that you can do something like:

c.UpdateSubresource(ctx, myObj, "my-subresource", client.WithSubResourceBody(mySubResource))

@alvaroaleman
Member

@g7r do you have the cycles to address the feedback on this?

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 18, 2022
Successfully merging this pull request may close these issues.

Support for CRUD sub resources in the Client