KEP-4944: Kustomize Wasm Plugin #4946
koba1t commented Nov 4, 2024
- One-line PR description: Kustomize Wasm Plugin
- Issue link: Kustomize Wasm Plugin #4944
- Other comments:
Skipping CI for Draft Pull Request.
936ebc5
to
82b898a
Compare
82b898a
to
fb77246
Compare
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/close
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/reopen
@koba1t: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: koba1t The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/close
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/reopen
@koba1t: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
isolation. | ||
|
||
And promote kustomize KRM plugins to GA with the addition and stability of Wasm | ||
KRM Function. |
There's #2953, which was targeting krm graduation. I think it's best to split the graduation from wasm plugins.
The one question I have is how you're planning to handle the relationship between wasm plugins and krm plugins? Wasm will be alpha and KRM GA?
1. The Wasm OCI Artifact specification is a relatively new standard in the OCI | ||
ecosystem. Maybe not mature enough. | ||
1. Containaized KRM function is alpha feature but that used some user. | ||
- Provide container to exec conversion tools. |
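Review bot: The second risk item is hard to parse and has a typo: "Containaized KRM function is alpha feature but that used some user." Suggest "Containerized KRM functions are an alpha feature, but some users already rely on them", and state what the risk to those users is, since the mitigation bullet "Provide container to exec conversion tools" does not say. The first item's "Maybe not mature enough" would also be stronger if it named what is missing from the Wasm OCI Artifact specification.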
Not sure I understand how this is a risk. I believe you've mentioned earlier (and I also suggested to split this out) to promote KRM functions to GA, so the only risk is that we haven't done it yet and we have users relying on it, right?
image: ghcr.io/koba1t/krm-fn-app:v0.0.3-wasm | ||
spec: | ||
port: 8080 | ||
``` |
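Review bot: The example references the Wasm module by a mutable tag (`image: ghcr.io/koba1t/krm-fn-app:v0.0.3-wasm`). Since this artifact is pulled from a registry and then executed as a plugin, consider showing a digest-pinned reference in the example, or stating in the KEP how the fetched module is verified before it runs. The image also lives under the author's own registry namespace, so a short note that it is illustrative would help readers.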
I'm not sure I follow what the above files are meant for.
implementing this enhancement to ensure the enhancements have also solid foundations. | ||
--> | ||
|
||
##### Unit tests |
For kustomize, I'm certain we can just skip interrogation and e2e tests, but listing units would be reasonable.
Something like:
- sigs.k8s.io/kustomize/kustomize/v5/commands/build - 2025-06-01 - 79.4
- sigs.k8s.io/kustomize/kustomize/v5/commands/create - 2025-06-26 - 84.9
etc...
Just make sure to list only the directories you'll be modifying as part of this functionality. There's no need to list all of them 😉
|
||
Below are some examples to consider, in addition to the aforementioned [maturity levels][maturity-levels]. | ||
|
||
#### Alpha |
Clear graduation criteria will be needed. In the risks section you've mentioned that WASI is still not fully stable, is there a plan when it will be? Should we block GA promotion of this functionality until it does?
stable: TBD | ||
# # The following PRR answers are required at alpha release | ||
# # List the feature gate name and the components for which it must be enabled | ||
# feature-gates: |
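Review bot: The `# feature-gates:` block is still commented out directly under the comment that says these PRR answers are required at alpha release, and the line above it reads `stable: TBD`. Either fill in the gate name and components, or state explicitly how the feature is enabled and disabled if it is not behind a feature gate, so that the opt-in mechanism for running Wasm plugins is on record.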
Are you planning on gating the access to this functionality through an environment variable, like we do with kubectl or in any other way?
1. Implement Wasm plugin support in the Kustomize KRM framework | ||
1. Provide a secure sandboxed environment for executing custom transformations | ||
1. Improve portability of custom transformers across different platforms | ||
1. Enhance performance of resource transformations through WebAssembly |
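Review bot: Goals 2 and 4 are stated as outcomes with no way to check them. For "Provide a secure sandboxed environment for executing custom transformations", say what the sandbox denies by default (for example filesystem and network access) and how a plugin is granted more; for "Enhance performance of resource transformations through WebAssembly", name the baseline being compared against, such as the existing exec or container functions.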
Nowhere in this document is there clear information on how this new mechanism will affect the kustomize version that is available in kubectl. IIRC the KRM functions are NOT available in kubectl, so I believe this one is also not going to be available, is that the right assumption?
Honestly, Exec KRM functions are disabled by kubectl, but Container KRM functions are available for kustomize in kubectl now.
(We can use them with kubectl kustomize --enable-alpha-plugins ...)
kubernetes-sigs/kustomize#4556 (comment)
According to my understanding, the Exec KRM functions mechanism, which directly executes binaries, raises security concerns and was disabled in kubectl. With the Wasm Plugin, since the execution environment is sandboxed, I thought it seemed reasonable to make it available in the same way as current Container functions.
Co-authored-by: Maciej Szulik <[email protected]>
@koba1t: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.