KEP 2551 - kubectl exit code normalization

[rikatz]

xref Issue: #2551

[apelisse]

Note that some exit code are not actual errors. You should definitely account for that.

[rikatz]

Note that some exit code are not actual errors. You should definitely account for that.

True!! So we've discussed in todays sig-cli and I'll try to reduce the scope/amount of error codes, like having:

• An error code that represents some problem on the client side
• A small amount of error codes that might represent apiserver errors (although @soltysh pointed that some forbidden or not found errors may not be well differentiated in some parts like kubectl get, so maybe having the 'forbidden' code for write operations).
• Errors over 128 can be used to represent the sum of something forked. As an example: https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html we can use 129 (128 + 1) if some plugin, called from kubectl exists with 1 (and this may apply to diff as well!)

[sftim]

Will we also cover expectations for plugins and their exit codes? Maybe that's a non-goal at this stage.

[rikatz]

Hey Tim,

IMO we should not normalize the plugins exit codes, but plugins enter in the 'external programs' category, which we can say that the error code is 128 + the plugin exit code (same for kubectl diff, as an example).

[rikatz]

Now I'm questioning myself what happens if a plugin ends with an error code bigger then 128, which will be 128 (from the kubectl) + 128 (from the plugin).

During the design, this should be dealt like (if > 255 then return 255 or something inside the supported error range)

[soltysh]

We can recommend but that's not a hard requirement.

[soltysh]

We can recommend but that's not a hard requirement.

[soltysh]

This might actually change during the separattion of cobra from Options struct, so it would be nice to put it in a more generic way.

[soltysh]

Example: validation and execution.

[rikatz]

@deejross will take a look on this

[soltysh]

Yeah, that's a big one and how we can properly handle that.

[rosspeoples]

Should this follow the 128+exit code rule proposed for plugins?

[rosspeoples]

One other option is to start kubectl error codes at 201. This would allow exec to continue returning the pod exit code, assuming it's less than 201. If the pod exit code is 201 or greater, then set it to 255. Maybe we should apply the same logic to external commands as well, such as diff to keep it consistent. This would allow those commands to return their codes unaltered (if less than 201), and make kubectl generated error codes distinct to reduce confusion around the origin of an error. Thoughts on this approach?

[rikatz]

@soltysh wdyt about this pattern of using RC > 200? I was discussing with Ross here that this may be a good approach but not the desired by sig-cli.

[sftim]

How about having kubectl exec take a parameter --use-exit-code that defaults to true, and that you can force to false if you want success to mean “we were able to exec something”?

[soltysh]

As mentioned before I'd describe this in slightly more generic way, since this implementation might change.

[rikatz]

@deejross to take a look into this

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[rikatz]

/remove-lifecycle stale
I will still work on this :D
/lifecycle active

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[eddiezane]

/remove-lifecycle stale

[soltysh]

A couple of nits, but mostly this looks good
/hold
for you to get PRR file added and nits addressed
/lgtm
/approve

[soltysh]

Suggested change

	The developers are making a lot of changes, and they keeps asking for Bruce to look for every pipeline execution, even those that
	The developers are making a lot of changes, and they keep asking for Bruce to look for every pipeline execution, even those that

[soltysh]

Suggested change

	Bruce Wayne, the security administrator of the Gotham Inc Company is following the development of a new product. Bruce asked
	Bruce Wayne, the security administrator of the Gotham Inc company is following the development of a new product. Bruce asked

[soltysh]

I was wondering if we need to reserve all 200, if just the initial 100 isn't sufficient? But that's something we'll need to empirically figure out as we go.

[rikatz]

agreed. This was a discussion I was on with Ross, that maybe the code reservation can be something more sparse or in a "range" other than reserving all the 200

[soltysh]

Let's "close" this list before going to beta, for alpha let's leave it open.

[soltysh]

This and not found are hard to distinguish due to server returning 404 Not Found in both cases, due to security reasons.

[rikatz]

We can leave this as an UNRESOLVED tag so we are stating this is not solved yet

[soltysh]

Exactly what I said above :)

[soltysh]

I was thinking about it earlier this week and I think that implementing a set of new error codes inside kubectl where each command could use them and then having CheckErr return new error codes with that env of yours and just -1 in the backwards compatible way as it does today. Which is close with what you're describing here.

[rikatz]

sorry @soltysh is there any action on this? I'm a bit slow this latest days :)

[soltysh]

No action required, this is more like a thought for you and @deejross to consider when implementing 😉

[soltysh]

You're missing file in https://github.com/kubernetes/enhancements/blob/master/keps/prod-readiness/ and make sure to update the template with current one.

[rikatz]

PRR added
/assign @johnbelamaric

[johnbelamaric]

Minor tweaks needed to PRR but looks good in general.

[johnbelamaric]

you're missing some fields from the latest template, please update

[johnbelamaric]

I think you have an older version of the questions, please review the latest template and include any new questions as well. Thanks.

[apelisse]

I took a look thanks!

[rikatz]

@johnbelamaric fixed based on your comments, thanks :)

[soltysh]

Some minor nits, but this is good, thx!
/lgtm
/approve

[soltysh]

Nit: some of these checkboxes need to be checked.

[soltysh]

Let's "close" this list before going to beta, for alpha let's leave it open.

[soltysh]

Exactly what I said above :)

[soltysh]

No action required, this is more like a thought for you and @deejross to consider when implementing 😉

[johnbelamaric]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johnbelamaric, rikatz, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [johnbelamaric]
• keps/sig-cli/OWNERS [johnbelamaric,soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[soltysh]

/hold cancel