Currently, the user is expected to figure out the return types by inferring. Have a typed wrapper around Api (and probably change the names so that this is default) so users don't have to:

let req = foos.patch("baz", &pp, serde_json::to_vec(&patch)?)?;
let o = client.request::<Object<FooSpec, FooStatus>>(req)?;

but can just

let o = foos.patch("baz", &pp, serde_json::to_vec(&patch)?)?;

That does involve the user having to create the Api with the desired output structs out front though, and passing the client into the Api:

let api : Api<FooSpec, FooStatus> = Api::customResource("foos")
    .version("v1")
    .group("clux.dev")
    .within("dev")
    .client(client);

And it might cause us to have to think about types even more. In the first case we probably have to always wrap .status in an Option due to how when you create an instance of crd it does not return with a status object (at least if you didn't set one). Maybe this can be fixed with openapi defaults, but that doesn't sound like a nice solution.

Minimal code that causes this error is here, https://gist.github.com/vigneshsarma/426074f7e5bf76518be302bc4d8ff4ca

I am running on macos and kubernetes server is minikube and version:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T18:55:03Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:36:19Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

Sample run:

$ RUST_BACKTRACE=1 POD_NAMESPACE=test cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.62s
     Running `target/debug/foo`
Jobs: "test-0-job"
Jobs: "test-1-job"
thread 'actix-rt:worker:0' panicked at 'called `Result::unwrap()` on an `Err` value: Error { inner: Error(BlockingClientInFutureContext, "https://192.168.198.128:8443/apis/batch/v1/namespaces/test/jobs?")

Error executing request }', src/libcore/result.rs:999:5
note: Run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
Panic in Arbiter thread, shutting down system.

invoke the endpoint by calling curl http://localhost:6666/foo/.

Full stacktrace is in the gist.

As you can see the ls_jobs call works outside the actix web server context, while the exact same call fails inside.

Any idea what might be wrong?

Native objects are supported, but hard to remember prefixes, versions, groups for all of it by heart.

Fill in the ResourceType enum with all the native objects, then create Into<ApiResource> implementations for them so people get this for free.

See: https://github.com/clux/kube-rs/blob/b6f64453ecdcbbc1e0d3a216b10e06e4bcf06806/src/api/resource.rs#L16-L49

We currently use ListParams but this is technically a bit wrong. See Arnavion/k8s-openapi#46

useability. easy to do. But requires a bunch of sibling traits (option 1).

Currently API types defined in config/apis.rs are not exported from the crate. Would like to see them exported.

I am currently writing a utility to manage some kubeconfig files. Instead of redefining the types myself, would be great if I can simply use the types exported by this library.

Some Rust users in the community are not interested in having OpenSSL as a dependency. Especially just for the support of loading certificate/key data from kubeconfig files. reqwest already supports rustls as an optional feature instead of using native-tls. You would simply need to switch the cert/key loading to only use reqwest Certificate/Identity APIs, and potentially rustls::internal::pemfile if necessary, rather than the openssl crate.

• standard controller: coverd by controller-rs (uses in Controller from #148), configmapgen_controller example also exists
• finalizer controller - was blocked by #291 , and easier path in #475 - we now have an example for it
• initializer controller these are deprecated
• admission controllers - doable now with #484, see admission_controller example

Here are some weird ones:

• RoleBinding - subjects + roleRef..
• Role - rules object..
• ConfigMap - data + binary data..
• Endpoints - subsets vector..
• Event - 15 random fields..
• ServiceAccount - secrets vector + automount bool..

Not sure what to do about these, yet. They kind of break the main Object<P, U> assumption.

Would like to have something akin to kubectl VERB RESOURCE -v=9 where it prints the corresponding curl command with all headers at trace level:

curl -k -v -XGET  -H "Accept: application/json" -H "User-Agent: kubectl/v1.13.3 (linux/amd64) kubernetes/721bfa7" -H "Authorization: Bearer TOKENHERE" 'https://MYCLUSTER/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/foos.clux.dev'
GET https://MYCLUSTER/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/foos.clux.dev 200 OK in 17 milliseconds
Response Headers:
    Date: Mon, 27 May 2019 00:14:51 GMT
    Audit-Id: 8cf2d917-b232-4ec6-9798-090c9c3b051c
    Content-Type: application/json
    Content-Length: 1445
Response Body: {"kind":"CustomResourceDefinition","apiVersion":"apiextensions.k8s.io/v1beta1","metadata":{"name":"foos.clux.dev","selfLink":"/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/foos.clux.dev","uid":"700afb9e-8014-11e9-9779-02a8860543ec","resourceVersion":"75406382","generation":1,"creationTimestamp":"2019-05-27T00:14:47Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"apiextensions.k8s.io/v1beta1\",\"kind\":\"CustomResourceDefinition\",\"metadata\":{\"annotations\":{},\"name\":\"foos.clux.dev\"},\"spec\":{\"group\":\"clux.dev\",\"names\":{\"kind\":\"Foo\",\"listKind\":\"FooList\",\"plural\":\"foos\",\"singular\":\"foo\"},\"scope\":\"Namespaced\",\"version\":\"v1\",\"versions\":[{\"name\":\"v1\",\"served\":true,\"storage\":true}]}}\n"}},"spec":{"group":"clux.dev","version":"v1","names":{"plural":"foos","singular":"foo","kind":"Foo","listKind":"FooList"},"scope":"Namespaced","versions":[{"name":"v1","served":true,"storage":true}],"conversion":{"strategy":"None"}},"status":{"conditions":[{"type":"NamesAccepted","status":"True","lastTransitionTime":"2019-05-27T00:14:47Z","reason":"NoConflicts","message":"no conflicts found"},{"type":"Established","status":"True","lastTransitionTime":null,"reason":"InitialNamesAccepted","message":"the initial names have been accepted"}],"acceptedNames":{"plural":"foos","singular":"foo","kind":"Foo","listKind":"FooList"},"storedVersions":["v1"]}}

We're using client.execute now rather than send, so there SHOULD be more info, but the default headers set in the client module does not seem to be printed.

Canonical Reason is probably also useful here.

we always clone this for passing between threads/informers anyway so might as well hide the clone call

There's a couple of special resources that need to be handled in less generic ways. E.g. just on pods alone:

pods/attach
pods/portforward
pods/eviction
pods/exec
pods/log

and maybe some node specific stuff. Don't see drain + cordon in the openapi.
We could allow customising these, but maybe the list is short enough to just have it as a feature.

Certainly nice to have so we don't have to impersonate service accounts with their tokens directly outside the cluster.

I can see there's some partial support upstream via:

• ynqa/kubernetes-rust#16
• ynqa/kubernetes-rust#15
• ynqa/kubernetes-rust#17

and will try to port it. That said:

It would be really awesome to have a dedicated crate for the kubeconfig. Preferably one that doesn't export a http client to use with api calls. That way this library can be purely an API abstraction and a completely disjoint approach to ynqa's version.

Conditions are kind of core to .status objects even if there was great uncertainty around them.

Need to investigate what the best way of doing this is. Atm, it's probably just a patch_status call, but it's possible that the conditions struct we tell people to use need a particular serde annotation to fit in correctly (type keyword is used as map key).

I need to read the labels and annotations on a CRD. Is there a way to get that information out of the cache? It looks like maybe only the spec is cached.

https://github.com/clux/kube-rs/blob/master/src/api/reflector.rs#L138

Currently Api::patch and similar only support --type=merge (i.e. .header("Content-Type", "application/merge-patch+json")).

Would be good to support the 3 strategies.

Note that CRDs doesn't seem to support strategic merge atm, so need better tests. See kubernetes/kubernetes#52772.

Rather than exposing ResourceType::Node, we should expose ResourceType::v1Node, to have a sensible interface to apiVersions.

It would require us actually having done #8 first though.

See https://docs.rs/k8s-openapi/0.4.0/src/k8s_openapi/v1_13/api/apps/v1/deployment.rs.html#138-190

Thought, you'd might need its own DeleteCollectionParams or something, but it looks like it's just straight GetParams

~/.kube/config content

apiVersion: v1
clusters:
- cluster:
    server: https://<api-server>:8443
  name: <cluster_name>
contexts:
- context:
    cluster: <cluster_name>
    namespace: default
    user: ops/<cluster_name>
  name: default/<cluster_name>/ops
current-context: default/<cluster_name>/ops
kind: Config
preferences: {}
users:
- name: ops/<cluster_name>
  user:
    token: <token>

backtrace infomation

thread 'main' panicked at 'failed to load kubernetes config: ErrorMessage { msg: "Failed to get data/file with base64 format" }

stack backtrace:
   0: backtrace::backtrace::libunwind::trace::h8de4fdf219a770b7 (0x107ad819d)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.32/src/backtrace/libunwind.rs:88
      backtrace::backtrace::trace_unsynchronized::ha6afc095d9332ab9
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.32/src/backtrace/mod.rs:66
   1: backtrace::backtrace::trace::h4fac325b7e05066a (0x107ad8123)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.32/src/backtrace/mod.rs:53
   2: backtrace::capture::Backtrace::create::h7b587b6a1d993b62 (0x107acbc47)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.32/src/capture.rs:165
   3: backtrace::capture::Backtrace::new_unresolved::h34e2772506327d29 (0x107acbbc8)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.32/src/capture.rs:159
   4: failure::backtrace::internal::InternalBacktrace::new::hb9d17a2bf6aee8db (0x107ac9940)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/failure-0.1.5/src/backtrace/internal.rs:44
   5: failure::backtrace::Backtrace::new::h1031a9f1486e8c9a (0x107aca7ef)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/failure-0.1.5/src/backtrace/mod.rs:111
   6: <failure::error::error_impl::ErrorImpl as core::convert::From<F>>::from::h7e1a433a37ac03a7 (0x107503b6d)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/failure-0.1.5/src/error/error_impl.rs:19
   7: <failure::error::Error as core::convert::From<F>>::from::hcb6d1cf3345130d1 (0x1074d7f88)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/failure-0.1.5/src/error/mod.rs:36
   8: failure::error_message::err_msg::h19bb9fd7e57228fe (0x107502de0)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/failure-0.1.5/src/error_message.rs:12
   9: kube::config::utils::data_or_file_with_base64::hb84a4552025028d7 (0x107500f2f)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/kube-0.10.0/src/config/utils.rs:34
  10: kube::config::apis::Cluster::load_certificate_authority::h73c27af072a2c87f (0x1074bed0b)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/kube-0.10.0/src/config/apis.rs:118
  11: kube::config::kube_config::KubeConfigLoader::ca::h7e4f13e496e7b9e9 (0x1074fd83d)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/kube-0.10.0/src/config/kube_config.rs:59
  12: kube::config::load_kube_config::h076b913f2d127e18 (0x1074e2689)
             at /Users/liber/.cargo/registry/src/github.com-1ecc6299db9ec823/kube-0.10.0/src/config/mod.rs:47
  13: controller::main::hd20ffe3bd6b3e6cb (0x10749d396)
             at src/main.rs:22
  14: std::rt::lang_start::{{closure}}::ha8e06417b2f85ecb (0x10749d202)
             at /rustc/5d20ff4d2718c820632b38c1e49d4de648a9810b/src/libstd/rt.rs:64
  15: {{closure}} (0x107cec488)
             at src/libstd/rt.rs:49
      do_call<closure,i32>
             at src/libstd/panicking.rs:293
  16: __rust_maybe_catch_panic (0x107cf059f)
             at src/libpanic_unwind/lib.rs:85
  17: try<i32,closure> (0x107cecf6e)
             at src/libstd/panicking.rs:272
      catch_unwind<closure,i32>
             at src/libstd/panic.rs:388
      lang_start_internal
             at src/libstd/rt.rs:48
  18: std::rt::lang_start::hfac9a9dfbdf902c2 (0x10749d1e2)
             at /rustc/5d20ff4d2718c820632b38c1e49d4de648a9810b/src/libstd/rt.rs:64
  19: controller::main::hd20ffe3bd6b3e6cb (0x10749d482)', src/libcore/result.rs:999:5
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:71
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:59
             at src/libstd/panicking.rs:197
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:211
   4: <std::panicking::begin_panic::PanicPayload<A> as core::panic::BoxMeUp>::get
             at src/libstd/panicking.rs:474
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:381
   6: std::panicking::try::do_call
             at src/libstd/panicking.rs:308
   7: <T as core::any::Any>::type_id
             at src/libcore/panicking.rs:85
   8: core::result::unwrap_failed
             at /rustc/5d20ff4d2718c820632b38c1e49d4de648a9810b/src/libcore/macros.rs:18
   9: core::result::Result<T,E>::expect
             at /rustc/5d20ff4d2718c820632b38c1e49d4de648a9810b/src/libcore/result.rs:827
  10: controller::main
             at src/main.rs:22
  11: std::rt::lang_start::{{closure}}
             at /rustc/5d20ff4d2718c820632b38c1e49d4de648a9810b/src/libstd/rt.rs:64
  12: std::panicking::try::do_call
             at src/libstd/rt.rs:49
             at src/libstd/panicking.rs:293
  13: panic_unwind::dwarf::eh::read_encoded_pointer
             at src/libpanic_unwind/lib.rs:85
  14: std::panicking::update_count_then_panic
             at src/libstd/panicking.rs:272
             at src/libstd/panic.rs:388
             at src/libstd/rt.rs:48
  15: std::rt::lang_start
             at /rustc/5d20ff4d2718c820632b38c1e49d4de648a9810b/src/libstd/rt.rs:64
  16: controller::main

my certifcate authority is not private, so there is no ca info in ~/.kube/config

Follow up from #36
Currently Status and ErrorResponse are the same underlying object in kube AFAIKT, but are returned in different contexts:

• ErrorResponse when !request.is_success() (and you need to grab it out of the Error)
• Status when request.is_success() and is_right()

We should standardise this to reduce duplication.

Copied the most important parts of ObjectMeta but with better serde default attrs to https://github.com/clux/kube-rs/blob/b6f64453ecdcbbc1e0d3a216b10e06e4bcf06806/src/api/resource.rs#L201-L211

Should add more.

Should have those structs fully in the library, and should probably flatten typemeta into Object.
ObjectList should get a ListMeta rather than ObjectMeta (rename), ApiStatus (rename to Status), should have ListMeta (ref) - probably also join ApiStatus and ApiError (same underlying object)

Ultimately small cleanups, but helps keep things consistent.

Where is this?
https://kubernetes.io/docs/reference/using-api/client-libraries/#community-maintained-client-libraries

Hi!

I was using this library and I found that Reflector indexes the objects by name. If a reflector is used without within method, as keys are indexed by name, if a name is shared among distinct namespaces, some objects gets overwritten on the Cache.

For example, with the given code:

    let config = kube_config::load_kube_config().expect("failed to load kubeconfig");
    let client = APIClient::new(config);
    let resource = Api::v1Pod(client);
    let rf = Reflector::new(resource).init().unwrap();

    let cache = rf.read().unwrap();
    for c in cache.iter() {
        println!("KEY: {} {:?}", c.0, c.1.metadata.namespace);
    } 

I get the following results:

KEY: hello-node Some("default")
KEY: hello-node-55b49fb9f8-dcfdp Some("default")
KEY: hello-node-never-restart Some("test")

With kubectl get pod --all-namespaces I get:

default       hello-node                         0/1     CrashLoopBackOff   236        10d
default       hello-node-55b49fb9f8-dcfdp        1/1     Running            0          11d
default       hello-node-never-restart           1/1     Running            0          10d
test          hello-node-never-restart           1/1     Running            0          33m

I was expecting this cache to be indexed by both name and namespace, which I think is a unique identifier for objects (but I'm not sure about this).

We had assumed that delete could be modelled as:

pub fn delete(&self, name: &str, dp: &DeleteParams) -> Result<Object<P, U>>;

but turns out kube sends:

{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Success","details":{"name":"baz","group":"clux.dev","kind":"foos","uid":"XXX"}}

on a successful delete.

See #28 for more details. Fix client.request to fix this.

Edit: same is true for delete_collection (when it's not backgrounded).

Currently it's hard to act on errors without knowing the code.

It's currently easier to just json! in an object than using Object<P, U> atm:

let f = json!({
    "apiVersion": "clux.dev/v1",
    "kind": "Foo",
    "metadata": { "name": "baz" },
    "spec": { "name": "baz", "info": "old baz" },
});

vs

let f : Object<FooSpec, FooStatus> = Object {
    apiVersion: Some("clux.dev/v1".into()),
    kind: Some("Foo".into()),
    metadata: Metadata: { "name": Some("baz".into()), ..Default::default() }
    spec: FooSpec { "name": "baz".into(), "info".into() },
}

would be nice if Api structs had a way to at least provide the base at least. If you really needed to change labels or something in metadata you could do that later.

a 1.15ism. See https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/20190206-watch-bookmark.md

Cannot be fetched out of .status on other objects, so need to be listened for separately.

Unfortunately, it's a special native object that does not implement a .spec: https://docs.rs/k8s-openapi/0.4.0/k8s_openapi/api/core/v1/struct.Event.html
A bit annoying.

In go, the Informer is meant to be the thing to handle events, and if you're handling events yourself, you might not need the internal state - and maybe you want to aggregate it yourself.

An Informer could just follow the current Reflector logic, but defer entirely to the user to handle .events(). I.e. we'd split watch_for_resource_updates into two functions:

• a default reconcile (to propagate the ResourceMap)
• the two lines that actually fetch the WatchEvents

https://github.com/nokia/memory-profiler

Being a bit liberal with allocations everywhere because it's not that critical. Just wanna make sure the reflectors/informers aren't leaking memory when running for a long time.

I get this error when running cargo build --example pod_openapi after cloning this repo.

This is odd, because I can clearly see the implementation in my IDE.

Server side?

FEATURE STATE: Kubernetes v1.14 alpha

Server Side Apply allows clients other than kubectl to perform the Apply operation, and will eventually fully replace the complicated Client Side Apply logic that only exists in kubectl. If the Server Side Apply feature is enabled, the PATCH endpoint accepts the additional application/apply-patch+yaml content type. Users of Server Side Apply can send partially specified objects to this endpoint. An applied config should always include every field that the applier has an opinion about.

Looks useful. Clearly related to #24 with an extra application/apply-patch+yaml content-type.

Perhaps an Api::apply(name: &str, data: Vec<u8>) would be a better alias for a patch with this.
Check what client-go does.

However the field management notes is a scary read.

Client side?

We could also do the client-side approach which the ruby client did. See Building and Maintaining a Client Library - Stories From the Trenches - Jussi Nummelin, Kontena Inc.

Sounds even worse. I'd rather just wait with this support for now until I get to test server side.

k8s-openapi only allows one feature to be enabled. If a crate's dep graph contains multiple crates like kube that decide to enable features in their direct deps, Cargo will union the features and enable multiple of them simultaneously, which will not compile.

(It's mentioned in a little detail at the top of https://docs.rs/k8s-openapi/0.4.0/k8s_openapi/ , but I'm planning to expand that and the build script panic messages in Arnavion/k8s-openapi#44 )

Basically I would like binary crates to enable a specific feature depending on what minimum version of API server they want to run against. So for something like your controller-rs crate it's okay to enable the v1_13 feature there.

But for library crates like kube, my ask is:

• Don't enable any features in your k8s-openapi direct dep.

• Do enable it in your k8s-openapi dev-dep for your crate's tests and examples.

• Use the k8s_* version detection macros to limit what versions you want your crate to compile with. For example you can use compile_error like in the docs example.

It does mean that controller-rs would need to add a dependency on k8s-openapi just to enable the feature, even though all its interaction with Kubernetes is through kube.

Please tell me if you have any objections. (I have not received any feedback positive or negative to this design decision.)

I know this goes against Cargo's general idea that features should be additive. The original implementation of this in 0.3.0 and earlier did have additive features, by having the crate's API exposed under a module of the same name. Eg the v1_13 feature enabled the k8s_openapi::v1_13 module.

But it meant you had to write imports like this:

https://github.com/Arnavion/k8s-openapi/blob/v0.3.0/k8s-openapi-tests/src/pod.rs#L3-L20

which was a PITA, and still wouldn't have worked if more than one feature was enabled. See Arnavion/k8s-openapi#18 for more details.

A couple of options, not sure what's the nicest interface yet:

• On demand events since last "reconcile"
• Events as they occur through callbacks

First is easy to do, just queue up, then pop and return on demand.
Latter would probably block the polling thread/owner (since that's the thing that runs the watcher).

Currently all Reflector::read calls do a full copy:

https://github.com/clux/kube-rs/blob/3b14161baefe64ba308344e886b186aa4fbb0c7f/src/api/reflector.rs#L133-L149

this is probably not what all users want (see #57).

Alternatives so far:

• wrap self.cache in an Arc and hand out clones of that
• make read be the equivalent of into_iter and expose an alternative iter equivalent

The first sounds tricky to get right depending on how people drive the reflector (borrow-checking might get harder to satisfy) when one thread polls and other threads want to read. Attempts at making this better is welcome.

We got core::v1 covered AFAIKT. But a quick peek at the openapi spec shows there's still tons of uncovered resources.

As a starting point, let's aim to cover the normal kubectl api-resources output:

NAME                              SHORTNAMES   APIGROUP                             NAMESPACED   KIND
bindings                                                                            true         Binding
componentstatuses                 cs                                                false        ComponentStatus
configmaps                        cm                                                true         ConfigMap
endpoints                         ep                                                true         Endpoints
events                            ev                                                true         Event
limitranges                       limits                                            true         LimitRange
namespaces                        ns                                                false        Namespace
nodes                             no                                                false        Node
persistentvolumeclaims            pvc                                               true         PersistentVolumeClaim
persistentvolumes                 pv                                                false        PersistentVolume
pods                              po                                                true         Pod
podtemplates                                                                        true         PodTemplate
replicationcontrollers            rc                                                true         ReplicationController
resourcequotas                    quota                                             true         ResourceQuota
secrets                                                                             true         Secret
serviceaccounts                   sa                                                true         ServiceAccount
services                          svc                                               true         Service
mutatingwebhookconfigurations                  admissionregistration.k8s.io         false        MutatingWebhookConfiguration
validatingwebhookconfigurations                admissionregistration.k8s.io         false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds     apiextensions.k8s.io                 false        CustomResourceDefinition
apiservices                                    apiregistration.k8s.io               false        APIService
controllerrevisions                            apps                                 true         ControllerRevision
daemonsets                        ds           apps                                 true         DaemonSet
deployments                       deploy       apps                                 true         Deployment
replicasets                       rs           apps                                 true         ReplicaSet
statefulsets                      sts          apps                                 true         StatefulSet
tokenreviews                                   authentication.k8s.io                false        TokenReview
localsubjectaccessreviews                      authorization.k8s.io                 true         LocalSubjectAccessReview
selfsubjectaccessreviews                       authorization.k8s.io                 false        SelfSubjectAccessReview
selfsubjectrulesreviews                        authorization.k8s.io                 false        SelfSubjectRulesReview
subjectaccessreviews                           authorization.k8s.io                 false        SubjectAccessReview
horizontalpodautoscalers          hpa          autoscaling                          true         HorizontalPodAutoscaler
cronjobs                          cj           batch                                true         CronJob
jobs                                           batch                                true         Job
certificatesigningrequests        csr          certificates.k8s.io                  false        CertificateSigningRequest
leases                                         coordination.k8s.io                  true         Lease
events                            ev           events.k8s.io                        true         Event
ingresses                         ing          extensions                           true         Ingress
nodes                                          metrics.k8s.io                       false        NodeMetrics
pods                                           metrics.k8s.io                       true         PodMetrics
networkpolicies                   netpol       networking.k8s.io                    true         NetworkPolicy
poddisruptionbudgets              pdb          policy                               true         PodDisruptionBudget
podsecuritypolicies               psp          policy                               false        PodSecurityPolicy
clusterrolebindings                            rbac.authorization.k8s.io            false        ClusterRoleBinding
clusterroles                                   rbac.authorization.k8s.io            false        ClusterRole
rolebindings                                   rbac.authorization.k8s.io            true         RoleBinding
roles                                          rbac.authorization.k8s.io            true         Role
priorityclasses                   pc           scheduling.k8s.io                    false        PriorityClass
storageclasses                    sc           storage.k8s.io                       false        StorageClass
volumeattachments                              storage.k8s.io                       false        VolumeAttachment

That's what a 1.13 cluster supports (but took out some extensions == v1beta versions of workloads api).

There's many ways of finding the Api values for a resource. One way is to browse to the openapi spec for a resource - here Service as an example. Then view src on the first create request which should easily show a __url of the form:

let __url = format!("/api/v1/namespaces/{namespace}/services?", namespace = namespace);

In this case we can infer the resource is:

RawApi {
    resource: "services".into(),
    group: "".into(),
    ..Default::default()
}

(note the v1 version + apis prefix and unset namespace defaults).

It would need a v1Service constructor in RawApi.

It would also need the following entry for the "openapi" users:

use k8s_openapi::api::core::v1::{ServiceSpec, ServiceStatus};
impl Api<Object<ServiceSpec, ServiceStatus>> {
    pub fn v1Service(client: APIClient) -> Self {
        Api {
            api: RawApi::v1Service(),
            client,
            phantom: PhantomData,
        }
    }
}

Did a full cargo test --all-features after having bumped the k8s-openapi dependency and memory use is almost 8GB with parallelism. Looks like it takes >4GB just compiling the dependency itself. This blocks CircleCI from building it (on the free account), and travis just seems to time out. Need a better CI solution..

https://github.com/clux/kube-rs/blob/c14ef965af7d68d37e6acb343d02ef5841c5bf37/src/api/metadata.rs#L27
struct ObjectMeta 's namespace should be pub, when the k8s operator is cluster scope, operator can get CR's namespace info.

We often need a way to distinguish from CREATED, ACCEPTED, and OK as these often map to kube notions such as "configured", "created", "unchanged".

Document the common results in .create(), .replace() etc.

It's getting annoying in crates where you need to propagate the non_snake_case allow flag.

We should probably just be consistent with rust style even if it is inconsistent with the underlying API. Even go renames their fields anyway..

EDIT: updated with comment below:
Remove all allow(non_snake_case) and get library + examples to compile without warnings.

Remove allow(non_snake_case) from some files:

• api/resources.rs
• api/metadata.rs
• client/mod.rs

Leave the constructor types alone for now.

At the moment you can only list and watch non-core objects in the Kubernetes API - e.g. CRDs. Core object should be watchable too, e.g. Pods, Deployments, Ingresses etc.

Maybe we can expand ApiResource in https://github.com/clux/kube-rs/blob/master/src/api/resource.rs#L11 to have a base field which specifies the url base to use so core objects are supported?

Excerpt from Best practices for building Kubernetes Operators and stateful app point 5:

5. Use asynchronous sync loops
   If an operator detects an error (e.g., failed pod creation) when reconciling the current cluster state to the desired state, it should immediately terminate the current sync call and return the error. The work queue should then schedule a resync at a later time; the sync call should not block the application by continuing to poll the cluster state until the error is resolved. Similarly, controllers that initiate and monitor long-running operations should not synchronously wait for the
   operations. Instead, the controllers should go back to sleep and check again later.

That's something worth exposing better. Whether it's something we can hook into actix' actor system in a more native rust way, or whether we should have better queuing built in. Not sure. Leaving an issue here for now.

In my initial sketch of update_ actions that takes a Patch object, I'm just handing in the towel and asking for a u8 array. The openapi version of handling this is weird

It would be better to have just something that implements Serialize.

Unfortunately, it's not merely json:

• https://kubernetes.io/docs/tasks/run-application/update-api-object-kubectl-patch/
• https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md

even if json is the most common form of a patch.

(and even if we were to only support that, you can't put Serialize as a trait object without some difficulty)

currently they are not exported, and it leads to funny issues where you need them in the signatures, but don't have them => you have to grab openapi yourself.

Not sure how much we actually need to expose, but dropping down some notes:

An initializer controller should list and watch for uninitialized objects, by using the query parameter ?includeUninitialized=true. (Kubernetes Initializers Deep Dive)

maybe timeoutSeconds if wanting to poll more frequently than every 10s?

rationale: we don't necessarily want to receive events when the .status object changes

client-go encourages RetryOnConflict which is a reasonable pattern - code's also not that advanced.

Rust has:

• backoff
• retry - with tokio version

We could probably make wrappers around that..

AFAIKT it's just a wrapper around a deliberate error match case, where the backoff continues. That should be easy to emulate now that we've exposed api error helpers on our Error type. Backoff seems like a good fit atm.