More and more applications are written using the new async features in Python. It would be very useful of the k8s library could support async using the same API style.

We've been seeing issues where the API-server returns errors when fiaas-deploy-daemon is deploying things:

1. Rate-limiting errors when bulk-deploying new fiaas-deploy-daemon configs for a number of namespaces
2. Errors deploying ingresses during deploys of ingress-controllers by the cluster operators

It seems like having some retry-with-backofff in these situations would be helpful. One doubt is about the level this should live at, but I think the simplest implementation will be in the HTTP client used here: with requests, it can be as simple as supplying a retry-config, that enumerates the status-codes to retry for. Something like this, in k8s.client:

session = requests.Session()
retry_statuses = [requests.codes.too_many_requests, 
                             requests.codes.internal_server_error, 
                             requests.codes.bad_gateway,
                             requests.codes.service_unavailable,
                             requests.codes.gateway_timeout]
retries = Retry(total=10, backoff_factor=1, status_forcelist=retry_statuses, method_whitelist=False)
session.mount('http://', HTTPAdapter(max_retries=retries))
session.mount('https://', HTTPAdapter(max_retries=retries))

This will retry for the listed statuses, on all HTTP methods, 10 times with a growing backoff,
starting at 0, then 2s, 4s, 8s etc. until the default max of 120s.

Does this seem reasonable?

https://semaphoreci.com/fiaas/k8s/servers/make-release/deploys/27

The watch loop in Watcher should send the newest resourceVersion it has seen when restarting the watch connection to reduce pressure on the apiserver. See https://kubernetes.io/docs/reference/using-api/api-concepts/#efficient-detection-of-changes for suggested behavior.

This mechanism should probably be extended to support the watch bookmark feature (https://kubernetes.io/docs/reference/using-api/api-concepts/#watch-bookmarks) if available (since Kubernetes 1.16).

Hello,

I was following your tutorial and tried the config.api_token but it failed to connect.
It works fine when using config.cert.

from k8s import config
from k8s.models.service import Service
config.api_server = 'https://192.168.99.102:8443'
config.verify_ssl = '/Users/x/.minikube/ca.crt'
config.api_token = '********'
Service.get('kubernetes')

Service.get('kubernetes')
Traceback (most recent call last):
File "", line 1, in
File "/Users/x/Library/Python/3.8/lib/python/site-packages/k8s-0.15.1.dev4+ge880384-py3.8.egg/k8s/base.py", line 147, in get
File "/Users/x/Library/Python/3.8/lib/python/site-packages/k8s-0.15.1.dev4+ge880384-py3.8.egg/k8s/client.py", line 112, in get
File "/Users/x/Library/Python/3.8/lib/python/site-packages/k8s-0.15.1.dev4+ge880384-py3.8.egg/k8s/client.py", line 131, in _call
File "/Users/x/Library/Python/3.8/lib/python/site-packages/k8s-0.15.1.dev4+ge880384-py3.8.egg/k8s/client.py", line 145, in _raise_on_status
k8s.client.ClientError: 401: Unauthorized for url: https://192.168.99.102:8443/api/v1/namespaces/default/services/kubernetes
Request:
GET https://192.168.99.102:8443/api/v1/namespaces/default/services/kubernetes
User-Agent: python-requests/2.22.0
Accept-Encoding: gzip, deflate
Accept: /
Connection: keep-alive
Authorization: #REDACTED#
Response:
<<< Content-Type: application/json
<<< Date: Thu, 23 Jul 2020 02:45:07 GMT
<<< Content-Length: 129
<<<
<<< {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

Thank you.

Starting from Kubernetes 1.21, the BoundServiceAccountTokenVolume feature is enabled by default. This means that the service account token at /var/run/secrets/kubernetes.io/serviceaccount/token, will be temporary and will expire after some time period. Because of this, the token must be re-read from file periodically to ensure that the client can continue to have valid authentication for requests to the apiserver. The changelog recommends reading the token every 1 minute.
Currently in-cluster configuration with this client is typically handled at the application level, i.e. applications using in-cluster configuration read the service account token from file on startup and use that to set config.api_token. To avoid having to reimplement the same token refresh mechanism in each application using the client, it probably makes sense to implement some level of support for in-cluster configuration in the client, including periodically refreshing the service account token from file.

When working with CRDs, the current design requires that you define your Model for working with objects of that CRD, but it also requires that you manually build a CustomResourceDefinition that you can save to the api-server to create your type to start with.

Much of the information used in CustomResourceDefinition is also used in the URLs needed in the models Meta.

It would make things smoother to work with if we extend Meta so that it also describes the fields in CRD. When present, MetaModel will add a method to create a CustomResourceDefinition object, ready for saving to the api-server.

This could also auto generate the URLs in Meta for this type, and the apiVersion and kind fields which are required on custom models today.

hi, i am a newbie of k8s. and i were using kubectl recently until i saw this library

were there any method to read those config from kubectl from its configure file located at ~/.kube/config

because i am not familiar with kubectl's config format, so i dont know which of it refer to the cert file in your tutorials

It seems the k8s library thinks maxSurge is an int and explodes if you set it to a string:

self = Field(name=maxSurge, type=<type 'int'>, default_value=None, alt_type=<type 'unicode'>)
value = '25%'

    def _from_dict(self, value):
        if value is None:
            return self.default_value
        try:
            return self.type.from_dict(value)
        except AttributeError:
            if isinstance(value, self.type) or (self.alt_type and isinstance(value, self.alt_type)):
                return value
            if self.type is datetime:
                return pyrfc3339.parse(value)
>           return self.type(value)
E           ValueError: invalid literal for int() with base 10: '25%'

../../.local/share/virtualenvs/fiaas-deploy-daemon/lib/python2.7/site-packages/k8s-0.9.0-py2.7.egg/k8s/fields.py:88: ValueError

The description of the RollingUpdateDeployment object says:

The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).

The same applies to maxUnavailable.

The watch list API endpoints prefixed with /watch are deprecated since Kubernetes 1.12. Watch operations should use the list API endpoints with a ?watch=true parameter. The k8s models that support watch list all use these deprecated endpoints. These should be changed to use the list endpoint with the watch parameter set. Maybe it makes sense to solve this via #55 ?

We should migrate the build to the new Semaphore setup, to get away from the deprecated Classic mode. It seems Classic is not getting much updates, so Python 3.7 isn't available as far as I can tell. Hopefully that will be available in 2.0.

Pydantic has a model concept that I think maps really well to our models, with the exception of the api methods.

If we switch to Pydantic, it would be a lot less code to maintain, and a lot less magic to deal with (it would all be in Pydantic instead).

On the other hand, our model internals have been quite stable for some time now, there really isn't that much maintenance going on and most bugs seem to have been squashed in that part of the code, so maybe it's just not worth the time.

Thoughts?

Our Models has a find method, which does a label query. It only supports label equality selectors, so no label inequality, and no sets, and it doesn't support field selecting at all.
We should consider extending it to at least support other kinds of label selectors.

ingresses have been available in the networking.k8s.io/v1 api version for some time now, and the older extensions/v1beta1 ingress version has been deprecated for some time and is being removed in v1.22. The k8s library should have this newer API version at least available to be used by FDD

The following code will not do what you expect:

class MyModel(Model):
    list_field = ListField()

my_model1 = MyModel()
my_model1.list_field.append("first")

my_model2 = MyModel()
my_model2.list_field.append("second")

assert my_model1.list_field == ["first"]
assert my_model2.list_field == ["second"]

On read the docs, we get "latest" and "stable", but they seem to be the same. We should probably look into why we don't get versioned docs.

The beta api version for customresourcedefinition is being removed in kubernetes v1.22. The stable version should be added to the k8s library as an option to be used by Skipper and FDD

I met an issue, when run Deployment.get('deployment-name','namespace-name') and deployment.save() , deployment-name's hostPath volume lost.

I support to add following codes to support volume of hostPath type on definition of deployment.

code file: k8s/models/pod.py

class HostPathVolumeSource(Model):
path = Field(six.text_type)

class Volume(Model):
name = Field(six.text_type)
secret = Field(SecretVolumeSource)
configMap = Field(ConfigMapVolumeSource)
emptyDir = Field(EmptyDirVolumeSource)
hostPath = Field(HostPathVolumeSource)

I have tested these code work fine for hostPath volume.

Right now I dont see the code coverage is 100 %.

CRDs in the cluster can have an attached JSON-Schema.
If the CRD is from some other project, working with it using k8s requires that you define a Model in your own code.

It would be very useful if k8s had a generator that could create the Model from a JSON-Schema, which you could use in such projects.

The same generator could with some small adjustments be used to generate models from the standard Kubernetes API, replacing our hand crafted models.