change DefaultGarbageCollectionPolicy to DeleteDependents for workloads controllers

[dixudx]

What this PR does / why we need it:
As part of the apps/v1 GA effort (kubernetes/enhancements#353) for v1.9. For core controllers, like Deployment, DaemonSet, ReplicaSet, and StatefulSet, changing the DefaultGarbageCollectionPolicy from OrphanDependents to DeleteDependents will make these objects consistent with the default behavior for all new objects.

For legacy API versions, the DefaultGarbageCollectionPolicy remains OrphanDependents.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
ref #55027

Special notes for your reviewer:
/cc @enisoc @caesarxuchao @kow3ns
/assign @kubernetes/sig-apps-api-reviews

Release note:

The default garbage collection policy for Deployment, DaemonSet, StatefulSet, and ReplicaSet has changed from OrphanDependents to DeleteDependents when the deletion is requested through an `apps/v1` endpoint. Clients using older endpoints will be unaffected. This change is only at the REST API level and is independent of the default behavior of particular clients (e.g. this does not affect the default for the kubectl `--cascade` flag).

If you upgrade your client-go libs and use the `AppsV1()` interface, please note that the default garbage collection behavior is changed.

[dixudx]

/unassign @derekwaynecarr @eparis
/assign @smarterclayton @janetkuo

[enisoc]

Thanks for picking this up so quickly! It looks like what I had in mind. Can you just add strategy tests and integration tests like in #50719?

[enisoc]

You can leave out extensions/v1beta1 for StatefulSet, since it never existed there.

[enisoc]

You can leave out apps/v1beta1 for DaemonSet, since it never existed there.

[enisoc]

You can leave out apps/v1beta1 for ReplicaSet, since it never existed there.

[kow3ns]

Generally LGTM but could use some unit tests.

[mbohlool]

/cc @mml

[dixudx]

@enisoc @kow3ns Updated. PTAL. Thanks.

[caesarxuchao]

@dixudx @enisoc @kow3ns this came up in our team meeting today. @lavalamp raised concerns for upgrading/downgrading the cluster. I think what he meant was that if the apiserver was downgraded to an old version, but the controller manager was not downgraded yet, was it possible that the controller manager got confused because the old apiserver didn't do cascading deletion for apps/v1/replicaset? I don't have any specific objection, but I agree that we need to think the implication through.

[enisoc]

if the apiserver was downgraded to an old version, but the controller manager was not downgraded yet, was it possible that the controller manager got confused because the old apiserver didn't do cascading deletion for apps/v1/replicaset?

If I'm understanding the scenario correctly, I think it should be ok. We aren't changing anything in the GC itself (the part that lives in controller manager). We're only changing the finalizers added by apiserver at the moment when a DELETE request comes in.

If a DELETE comes through apps/v1 after apiserver is upgraded, it sets the right finalizers for cascading. After that, the behavior of GC should depend only on the finalizers on the object (I don't see anywhere that GC fails to send an explicit DeletionPropagation policy), so downgrading apiserver during this process shouldn't have any effect.

If a DELETE comes through apps/v1 after apiserver is downgraded, it will fail because apps/v1 doesn't exist there. This is the same as any time we add a new version; it's not related to whether we change the default GC policy.

[enisoc]

The unit tests look good, but I'd like to have at least one integration test before we merge to prove this works.

Can you test that the expected finalizers get added when you delete via apps/v1beta2 vs apps/v1? To avoid racing with actual deletion, you can add your own made up finalizer that you don't remove until after you've verified the other expected values.

[enisoc]

nit: It doesn't affect the current code, but for the sake of realism I think the Resource names should be plural.

[dixudx]

Can you test that the expected finalizers get added when you delete via apps/v1beta2 vs apps/v1?

@enisoc Did find a bug. shouldDeleteDependents will not return true if we set default GC policy to DeleteDependents. Already fixed together with this PR.

[janetkuo]

Another comment on release note:

The default garbage collection policy for Deployment, DaemonSet, StatefulSet, and ReplicaSet has changed from OrphanDependents to DeleteDependents when the deletion is requested through an `apps/v1` endpoint.

apps/v1 is new in this release (1.9), so there's no need to mention previous behavior. Mentioning current behavior is enough.

Is OrphanDependents or DeleteDependents visible to users? Do we need to mention it at all, or should we instead say something like "dependent objects are deleted by default unless DeleteOptions is specified otherwise"?

We need to update documents (e.g. https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/#setting-the-cascading-deletion-policy) once this is merged.

[dixudx]

ping @janetkuo @enisoc @caesarxuchao Updated. PTAL. Thanks.

[dixudx]

apps/v1 is new in this release (1.9), so there's no need to mention previous behavior. Mentioning current behavior is enough.

@janetkuo SGTM.
@enisoc Any comments?

[enisoc]

Use updateRS just like above, so this gets retried on conflict. It's fine to do the update via extensions/v1beta1.

[enisoc]

It's better to fail if any new finalizers were added, rather than continue polling:

if newRS.DeletionTimestamp == nil {
  return false, nil
}
if got, want := newRS.Finalizers, []string{fakeFinalizer}; !reflect.DeepEqual(got, want) {
  return false, fmt.Errorf("Finalizers = %+v; want %+v", got, want)
}
return true, nil

[enisoc]

/assign @liggitt
for approval

[dixudx]

@enisoc @liggitt @janetkuo Updated. PTAL. Thanks

[enisoc]

/lgtm

[liggitt]

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dixudx, enisoc, liggitt

Associated issue: 353

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/registry/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/OWNERS [liggitt]
• test/OWNERS [enisoc,liggitt]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[jberkus]

/priority critical-urgent

/remove-priority important-soon

adjusting priorities for code freeze

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Current

@dixudx @enisoc @janetkuo @liggitt @smarterclayton

Note: This pull request is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required

Pull Request Labels

• sig/apps: Pull Request will be escalated to these SIGs if needed.
• priority/critical-urgent: Never automatically move pull request out of a release milestone; continually escalate to contributor and SIG through all available channels.
• kind/cleanup: Adding tests, refactoring, fixing old bugs.

Help

• Additional instructions
• Commands for setting labels

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 52767, 55065, 55148, 56228, 56221). If you want to cherry-pick this change to another branch, please follow the instructions here.