design-proposal: Feature configurables

jcanocan · jcanocan · commit a825f813c9f8 · 2024-09-03T13:56:03.000+02:00
This design document states how features that require to have a
mechanism to change it's state, e.g., enabled/disabled should be
implemented in KubeVirt.

Signed-off-by: Javier Cano Cano &lt;jcanocan@redhat.com&gt;
diff --git a/design-proposals/configurable-features.md b/design-proposals/configurable-features.md
@@ -0,0 +1,233 @@
+# Overview
+
+With the introduction
+of [KubeVirt Feature Lifecycle](https://github.com/kubevirt/community/blob/main/design-proposals/feature-lifecycle.md)
+policy, features reaching General Availability (GA) need to drop their use of feature gates. This applies also to
+configurable features that we may want to disable.
+
+## Motivation
+
+Users may want certain features to be in a given state, for example to make the best use out of given
+resources or for compliance reasons features may expose sensitive information from the host to the virtual machines
+instances (VMI) or add additional containers to the launcher pod, which are not required by the user. 
+
+The downward metrics feature is a good example of why some clusters may want to have it enabled or disabled.
+The downward metrics feature exposes some metrics about the host node where the VMI is running to the guest. This
+information may be considered sensitive information.
+If there is no mechanism to disable the feature, any VMI could request the metrics and inspect information that, in some
+cases, the admin would like to hide, creating a potential security issue.
+
+The behavior of other features might be changed by editing configurables, e.g. the maximum of CPU sockets allowed for
+each VMI can be configured.
+
+Before the introduction
+of [KubeVirt Feature Lifecycle](https://github.com/kubevirt/community/blob/main/design-proposals/feature-lifecycle.md)
+policy, many feature gates remained after feature's graduation to GA with the sole purpose of acting as a switch for the
+feature. Generally speaking, this is a bad practice, because feature gates should be reserved for controlling a feature
+until it reaches maturity. i.e., GA. Therefore, in the case that a developer wants to provide the ability to tune/change
+the state of the feature, configurables exposed in the KubeVirt CR should be provided. This should be
+accomplished while achieving [eventually consistency](https://en.wikipedia.org/wiki/Eventual_consistency). This forces
+us to avoid the feature state control checking on webhooks and moving the feature state control closer to the
+responsible code. Moreover, it has to be decided how the system should behave if a VMI is
+requiring a feature in a state different from what was configured in the KubeVirt CR, or what should happen if the
+configuration of a feature in use is changed. (see matrix below).
+
+## Goals
+
+- Get a clear understanding about the features configuration status.
+- Establish how the feature configurables should work.
+- Describe how the system should react in these scenarios in the case that the VMI exposes an API field to configure the
+  feature status:
+    - A feature in KubeVirt is set to state A and a VMI requests the feature to be in state B.
+    - A feature in KubeVirt is set to state A, there are running VMIs using the feature in state A, and the feature is 
+      changed in KubeVirt to state B.
+    - A feature in KubeVirt is set to state A, and pending VMIs want to use it.
+    - A feature in KubeVirt is set to state A, and running VMIs using the feature in state B wants to live migrate.
+- Graduate features status swapping from features gates to configurables.
+
+## Non Goals
+
+- Describe how features protected with features gates should work.
+- Change how feature gates are managed. Feature gating and configuration are two completely distinct issues.
+
+## Definition of Users
+
+Development contributors.
+
+Cluster administrators.
+
+## User Stories
+
+* As a cluster administrator, I want to be able to change the cluster-wide state of a feature by editing configurables.
+
+* As VMI owner, I want to use a given feature.
+
+* As a VMI owner / cluster admin, I want to understand what's the current configuration of the various features.
+
+## Repos
+
+Kubevirt/Kubevirt
+
+# Design
+
+The feature status swapping must be done by adding new fields to the KubeVirt CR under
+`spec`:
+
+```yaml
+apiVersion: kubevirt.io/v1
+kind: KubeVirt
+[...]
+spec:
+  certificateRotateStrategy: {}
+  feature-A:  {}
+  feature-C:
+    configA: integer
+    configB: string
+[...]
+```
+Please note that if the feature spec field is not present, the feature status is assumed to be completely disabled.
+For instance, in the KubeVirt CR manifest provided above, `feature-B` is not enabled.
+
+The VMI object may or may not include a configuration field inside the relevant spec.
+
+> **NOTE:** The inclusion of these new KubeVirt API fields should be carefully considered and justified. The feature
+> configurables should be avoided as much as possible.
+
+Moreover, the KubeVir CR `status` field should clearly indicate the current state of each feature, providing a
+comprehensive overview of the operational status of these features:
+
+```yaml
+apiVersion: kubevirt.io/v1
+kind: KubeVirt
+[...]
+status:
+  featureStatus:
+    featureA:
+      status: Enabled
+    featureB:
+      status: Disabled
+    featureC:
+      status: 0.5GiB
+[...]
+```
+
+Current feature gates will require an evaluation to determine if they need to be dropped or graduated to a configurable.
+This is current list of GA'd features present in KubeVirt/KubeVirt which are still using feature gates and are shown as
+[configurables in HCO](https://github.com/kubevirt/hyperconverged-cluster-operator/blob/main/controllers/operands/kubevirt.go#L166-L174):
+
+- DownwardMetrics
+- Root (not sure about this one)
+- DisableMDEVConfiguration
+- PersistentReservation
+- AutoResourceLimitsGate
+- AlignCPUs
+
+This is the current list of GA'd features present in KubeVirt/KubeVirt which are still using feature gates and are [always
+enabled by HCO](https://github.com/kubevirt/hyperconverged-cluster-operator/blob/main/controllers/operands/kubevirt.go#L125-L142):
+
+- CPUManager
+- Snapshot
+- HotplugVolumes
+- GPU
+- HostDevices
+- NUMA
+- VMExport
+- DisableCustomSELinuxPolicy
+- KubevirtSeccompProfile
+- HotplugNICs
+- VMPersistentState
+- NetworkBindingPlugins
+- VMLiveUpdateFeatures
+
+Please note that only feature gates included in KubeVirt/KubeVirt are listed here.
+
+Section [Interactions with the VMIs requests](#interactions-with-the-vmis-requests) details how the system should
+react to the different scenarios different to scenarios where the VMI feature status is different from what it is
+configured in the KubeVirt CR. Also, Section [Update/Rollback Compatibility](#updaterollback-compatibility) explains how
+feature gates should be graduated to configurables.
+
+## Interactions with the VMIs requests
+
+In case that, the VMI exposes a configuration field to request the feature as well as the KubeVirt CRD, the system may
+encounter some inconsistent states that should be handled in the following way:
+
+- If the feature is set to state A in the KubeVirt CR and the VMI is requesting the feature in state B, the VMIs must
+  stay in Pending state. The VMI status should be updated, showing a status message, highlighting the reason(s) for the
+  Pending state. For instance, in the following KubeVirt CR, `feature-B` is not enabled:
+```yaml
+apiVersion: kubevirt.io/v1
+kind: KubeVirt
+[...]
+spec:
+  certificateRotateStrategy: {}
+  feature-A:  {}
+```
+but a given VMI is requesting it:
+
+```yaml
+apiVersion: kubevirt.io/v1
+kind: VirtualMachineInstance
+metadata:
+  name: vmi-feature-b
+spec:
+  domain:
+    feature-B: {}
+[...]
+```
+Therefore, the VMI PHASE should stay in `Pending` until `feature-B` is enabled in KubeVirt CR:
+
+```bash
+$ kubectl get vmis
+NAME           AGE    PHASE     IP    NODENAME   READY
+vmi-feature-b   2s    Pending                    False
+```
+Moreover, the VMI status should reflect the specific feature configuration that is preventing VMI to start:
+```bash
+$ kubectl get vmis vmi-feature-b
+[...]
+status:
+  conditions:
+  - lastProbeTime: "2024-08-28T10:16:57Z"
+    lastTransitionTime: "2024-08-28T10:16:57Z"
+    message: virtual machine is requesting the disabled feature: feature-B 
+    reason: FeatureNotEnabled
+    status: "False"
+    type: Synchronized
+```
+
+- Feature status checks should only be performed during the VMI reconciliation process, and not at runtime if the changes
+  cannot be applied without restarting the VMI. Therefore, the
+  feature status changes in the KubeVirt CR should not affect running VMIs. Moreover, the VMI should still be able to
+  live migrate, preserving its original feature state. However, as stated before, if the changes can be applied without 
+  restarting VMI, it can be done at runtime.
+- Optionally, it could enable the possibility to reject the KubeVirt CR change request if running VMIs are using the
+  feature in a given state. However, by the default the request should be accepted.
+
+## Scalability
+
+The feature state swapping should not affect in a meaningful way the cluster resource usage.
+
+## Update/Rollback Compatibility
+
+The feature state swapping should not affect forward or backward compatibility once the feature GA. A given feature,
+after 3 releases in Beta, all feature gates must be dropped. Those features that need a configurable should define it ahead
+of time.
+
+## Functional Testing Approach
+
+The unit and functional testing frameworks should cover the relevant scenarios for each feature.
+
+# Implementation Phases
+
+The feature status check should be placed in the VMI reconciliation loop. In this way, the feature status evaluation is
+close to the VMI scheduling process, as well as allowing KubeVirt to reconcile itself if it is out of sync temporally.
+
+Regarding already existing features transitioning from feature gates as a way to set the feature status to configurable
+fields, this change is acceptable, but it should be marked as a breaking change and documented. Moreover, all feature
+gates should be evaluated to determine if they need to be dropped and transitioned to configurables.
+
+## About implementing the checking logic in the VM controller
+
+The checking in the VM controller could be added to let the user know if a VM has requested a feature in a state which 
+is different from what it is specified in the KubeVirt CR. The VM will update the VM status, showing a status message 
+highlighting the misconfiguration.
