From 6d741cc2865ba226ba5d3b901d34ca2772a2586a Mon Sep 17 00:00:00 2001 
From: Matei David
Date: Thu, 28 Mar 2024 18:57:44 +0000
Subject: [PATCH] Add subresource marker to workload CRD (#12360)

* Add subresource marker to workload CRD

Our ExternalWorkload resource has a status field, but the status is not marked as a subresource in the object's schema. Status patches are done in libraries through a separate interface; without marking the status as a subresource, the API Server will respond to patch requests with a 404. This makes ExternalWorkload resource statuses unpatchable from controllers.

We fix the issue by marking the status as a subresource in the `v1beta1` schema. No codegen changes are necessary. The version is not bumped since this does not change the existing contract offered by an ExternalWorkload; it only allows the API Server to treat its status as a subresource when patching it (i.e. we can use the `patch_status` interface).

Additional context:

* In Kubernetes, each resource has its own declarative API that can be used to change its state.
* Resources may optionally include other declarative APIs that are decoupled from the main resource's state; this includes `Scale` and `Status` subresources. They can be thought of as a set of shared interfaces that add additional information to a resource.
* Statuses are meant to be patched through a separate interface as a result. This allows both:
  * A separation of concerns: either patch the spec or the status, but not both, to avoid overwriting or deleting fields
  * Principle of least privilege: fine-grained RBAC can be used to isolate spec writes from status writes.
* Subresources get their own API paths; writing to a subresource means we are effectively sending a request to a nested path (e.g. `/status` on a pod). The API server needs to know this path is available.
* CRDs require that fields are marked as a subresource; without doing so, the API Server will reply with a 404 Not Found when attempting to modify a status, since the path doesn't exist (I assume).

See: * [Kubernetes docs](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#scale-kubectl-patch) * [API conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status) Signed-off-by: Matei David * Golden files Signed-off-by: Matei David --------- Signed-off-by: Matei David --- charts/linkerd-crds/templates/workload/external-workload.yaml | 2 ++ cli/cmd/testdata/install_crds.golden | 2 ++ cli/cmd/testdata/install_helm_crds_output.golden | 2 ++ cli/cmd/testdata/install_helm_crds_output_ha.golden | 2 ++ 4 files changed, 8 insertions(+) diff --git a/charts/linkerd-crds/templates/workload/external-workload.yaml b/charts/linkerd-crds/templates/workload/external-workload.yaml index 56cb3bddb21e3..a60aff48b3e8d 100644 --- a/charts/linkerd-crds/templates/workload/external-workload.yaml +++ b/charts/linkerd-crds/templates/workload/external-workload.yaml @@ -163,6 +163,8 @@ spec: - name: v1beta1 served: true storage: true + subresources: + status: {} schema: openAPIV3Schema: description: >- diff --git a/cli/cmd/testdata/install_crds.golden b/cli/cmd/testdata/install_crds.golden index 486365d7cfd48..62f34e3d6e8da 100644 --- a/cli/cmd/testdata/install_crds.golden +++ b/cli/cmd/testdata/install_crds.golden @@ -10391,6 +10391,8 @@ spec: - name: v1beta1 served: true storage: true + subresources: + status: {} schema: openAPIV3Schema: description: >- diff --git a/cli/cmd/testdata/install_helm_crds_output.golden b/cli/cmd/testdata/install_helm_crds_output.golden index 2c07dc3d1321b..762c60970152c 100644 --- a/cli/cmd/testdata/install_helm_crds_output.golden +++ b/cli/cmd/testdata/install_helm_crds_output.golden @@ -10409,6 +10409,8 @@ spec: - name: v1beta1 served: true storage: true + subresources: + status: {} schema: openAPIV3Schema: description: >- 
diff --git a/cli/cmd/testdata/install_helm_crds_output_ha.golden b/cli/cmd/testdata/install_helm_crds_output_ha.golden index 2c07dc3d1321b..762c60970152c 100644 --- a/cli/cmd/testdata/install_helm_crds_output_ha.golden +++ b/cli/cmd/testdata/install_helm_crds_output_ha.golden @@ -10409,6 +10409,8 @@ spec: - name: v1beta1 served: true storage: true + subresources: + status: {} schema: openAPIV3Schema: description: >-
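
Review bot: In charts/linkerd-crds/templates/workload/external-workload.yaml the `subresources:` / `status: {}` entry is added only under the `- name: v1beta1` version, and in apiextensions v1 subresources are configured per version, so any other served version of this CRD would still answer 404 on `/status`; please confirm v1beta1 is the only served version or add the marker to the others. Separately, once the status subresource is enabled the API server ignores changes to `status` in writes sent to the main resource endpoint, so "does not change the existing contract" holds only if no client currently sets status that way. The diffstat shows no RBAC manifest in this patch, so it is also worth confirming that the controller's role already grants `patch` on the `/status` subresource of ExternalWorkload and that roles meant to write only the spec do not.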
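
Review bot: The three files under cli/cmd/testdata only pin the rendered YAML, so nothing in this patch exercises the behaviour the commit message describes; a test that patches the status of an ExternalWorkload and expects success instead of a 404 would keep the marker from being dropped unnoticed in a later CRD edit. Also note that install_helm_crds_output.golden and install_helm_crds_output_ha.golden carry the same index line (`2c07dc3d1321b..762c60970152c`), meaning the two files are byte-identical before and after, so the HA golden adds no separate coverage for the CRD chart.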
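
A check for the gap this patch closes, as an added example that is not part of the Linkerd patch or code base: it walks a parsed CRD and reports served versions whose schema declares a `status` property but which lack a `subresources.status` entry. The function names are hypothetical and the sample CRD is constructed, not the real chart.

```python
def status_subresource_gaps(crd):
    """Return names of served versions that declare a `status` property in
    their schema but do not enable the /status subresource."""
    gaps = []
    for version in crd.get("spec", {}).get("versions", []):
        if not version.get("served", False):
            continue  # unserved versions expose no API paths at all
        schema = version.get("schema", {}).get("openAPIV3Schema", {})
        has_status_field = "status" in schema.get("properties", {})
        # A bare `subresources:` key parses as None, so normalise it.
        subresources = version.get("subresources") or {}
        # `status: {}` is an empty mapping: test key presence, not truthiness.
        if has_status_field and "status" not in subresources:
            gaps.append(version["name"])
    return gaps


def sample_crd(with_marker, served=True):
    """Constructed stand-in for the version entry the patch touches."""
    version = {
        "name": "v1beta1",
        "served": served,
        "storage": True,
        "schema": {"openAPIV3Schema": {
            "type": "object",
            "properties": {
                "spec": {"type": "object"},
                "status": {"type": "object"},
            },
        }},
    }
    if with_marker:
        version["subresources"] = {"status": {}}  # the two lines the patch adds
    return {"kind": "CustomResourceDefinition",
            "spec": {"versions": [version]}}


if __name__ == "__main__":
    print("before patch:", status_subresource_gaps(sample_crd(False)))
    print("after patch: ", status_subresource_gaps(sample_crd(True)))
```

Run over every rendered CRD in CI, a non-empty result flags a status field that controllers cannot patch and that RBAC cannot scope separately from the spec.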