This article describes how the Kubernetes provider v2 works and how it differs from other providers in Spinnaker. If you’re unfamiliar with Kubernetes terminology, see the Kubernetes documentation.
The manifest-based approach
The Kubernetes provider v2 combines the strengths of Kubernetes’s declarative infrastructure management with Spinnaker’s workflow engine for imperative steps when you need them. You can fully specify all your infrastructure in the native Kubernetes manifest format but still express, for example, a multi-region canary-driven rollout.
This is a significant departure from how deployments are managed in Spinnaker using other providers (including the Kubernetes provider v1). The rest of this doc explains the differences.
No restrictive naming policies
You can deploy existing manifests without rewriting them to adhere to Frigga. Resource relationships (for example between applications and clusters) are managed using Kubernetes annotations, and Spinnaker manages these using its Moniker library.
The policies and strategies are configurable per account. See Reserved Annotations for more details.
Accommodating level-based deployments
See the Kubernetes API conventions for a description of edge-based vs. level-based APIs.
Other providers in Spinnaker track operations that modify cloud resources. For example, if you run a resize operation, Spinnaker monitors that operation until the specified resize target is met. But because Kubernetes only tries to satisfy the desired state, and offers a level-based API for this purpose, the Kubernetes provider v2 uses the concept of “manifest stability.”
A deployed manifest is considered stable when the Kubernetes controller-manager
no longer needs to modify it, and it’s deemed “ready.” This assessment is
different, obviously, for different
kinds of manifests: a
stable when its managed pods are updated, available, and ready (running your
desired container and serving traffic). A
Service is stable once it is
created, unless it is of type
LoadBalancer, in which case it is considered
stable once the underlying load balancer has been created and bound to the
This manifest stability is how Spinnaker ensures that operations have succeeded. Because there are a number of reasons why a manifest never becomes stable (lack of CPU quota, failing readiness checks, no IP for a service to bind…) every stage that modifies or deploys a manifest waits until your affected manifests are stable, or it times out after a configurable period (30-minute default).
Using externally stored manifests
You can store and version your manifest definitions in Git (or elsewhere outside of the Spinnaker pipeline store).
With Spinnaker’s Artifact mechanism, file modifications/creations are surfaced as artifacts in pipeline executions. For example, you can configure a pipeline that triggers either when…
- a new Docker image is uploaded, or
- your manifest file is changed in Git
Several annotations are used as metadata by Spinnaker to describe a resource. Annotations listed below followed by a 📝 symbol may also be written by Spinnaker.
You can always edit or apply annotations using the
The application this resource belongs to.
This affects where the resource is accessible in the UI, and depending on your Spinnaker Authorization setup, can affect which users can read/write to this resource.
The cluster this resource belongs to.
This is purely a logical grouping for rendering resources in the UI and to help with dynamic target selection in Pipeline stages. For example, some stages allow you to select “the newest workload in cluster X”. How you set up these groupings depends on your delivery needs.
These simply provide ways to group resources using Spinnaker’s cluster filters as well as apply policies such as Traffic Guards.
When set to
'true', tells Spinnaker to ignore this resource. The resource is not cached and does not show up in the Spinnaker UI.
When set to
'false', this overrides the resource’s default “version” behavior described in the resource management policies. This can be used to force a ConfigMap or Secret to be deployed without appending a new version when the contents change, for example.
When set to
'false', this overrides the resource’s replica count with the currently deployed resource’s replica count. This is supported for Deployment, ReplicaSet or StatefulSet. This can be used to allow resizing a resource in the Spinnaker UI or with kubectl without overriding the new size during subsequent manifest deployments.
When set to a non-negative integer, this configures how many versions of a resource to keep around. When more than
max-version-historyversions of a Kubernetes artifact exist, Spinnaker deletes all older versions. Resources are sorted by the
metadata.creationTimestampkubernetes property rather than the version number.
Keep in mind, if you are trying to restrict how many copies of a ReplicaSet a Deployment is managing, that is configured by
spec.revisionHistoryLimit. If instead Spinnaker is deploying ReplicaSets directly without a Deployment, this annotation does the job.
As of Spinnaker 1.13, you can force Spinnaker to delete a resource (if it already exists) before creating it again. This is useful for kinds such as
Job, which cannot be edited once created, or must be re-created to run again.
When set to
'true'for a versioned resource, this will only re-create your resource if no edits have been made since the last deployment (i.e. the same version of the resource is redeployed).
The default behavior is
As of Spinnaker 1.14, you can force Spinnaker to use
replaceinstead of of
applywhile deploying a Kubernetes resource. This may be useful for resources such as
ConfigMapwhich may exceed the annotation size limit of 262144 characters.
When set to
'true'for a versioned resource, this will update your resources using
replace. Refer to Kubernetes Object Management for more details on object configuration and trade-offs.
The default behavior is
As of Spinnaker 1.10, you can specify which load balancers (Services) a workload is attached to at deployment time. This will automatically set the required labels on the workload’s Pods to match that of the Services’ label selectors.
This annotation must be supplied as a list of
<kind> <name>pairs where
namerefer to the load balancer in the same namespace as the resource. For example:
traffic.spinnaker.io/load-balancers: '["service my-service"]'attaches to the Service named
traffic.spinnaker.io/load-balancers: '["service my-service", "service my-canary-service"]'attaches to the Services named
As of Spinnaker 1.14, instead of manually adding the
traffic.spinnaker.io/load-balancersannotation, you can select which load balancers to associate with a workload from the Deploy (Manifest) stage. Spinnaker will then add the appropriate annotation for you.
In accordance with Kubernetes’ recommendations on common labels, Spinnaker applies the following labels as of release 1.9:
This is the name of the Spinnaker application this resource is deployed to, and matches the value of the
moniker.spinnaker.io/applicationannotation desribed here.
Always set to
This labeling behavior can be disabled by setting the property
How Kubernetes resources are managed by Spinnaker
Resource mapping between Spinnaker and Kubernetes constructs, as well as the introduction of new types of resources, is a lot more flexible in the Kubernetes provider V2 than for other providers, because of how many types of resources Kubernetes supports. Also the Kubernetes extension mechanisms—called Custom Resource Definitions (CRDs)—make it easy to build new types of resources, and Spinnaker accommodates that by making it simple to extend Spinnaker to support a user’s CRDs.
It is worth noting that the resource mapping exists primarily to render resources in the UI according to Spinnaker conventions. It does not affect how resources are deployed or managed.
There are three major groupings of resources in Spinnaker:
- server groups
- load balancers
These correspond to Kubernetes resource kinds as follows:
- Server Groups ≈ Workloads
- Load Balancers ≈ Services, Ingresses
- Firewalls ≈ NetworkPolicies
Resource management policies
How you manage the deployment and updates of a Kubernetes resource is dictated by its kind, via the policies that apply to a particular kind. Below are descriptions of these policies, followed by a mapping of kinds to policies.
There are several operations that can be implemented by each kind:
Can this resource be deployed and redeployed? It’s worth
mentioning that all deployments are carried out using
kubectl applyto capitalize on
kubectl’s three-way merge on deploy. This is done to accommodate running against your cluster, alongside Spinnaker, other tools that rely on the three-way merge semantics.
- Delete: Can this resource be deleted?
- Scale: For workloads only, can this resource be scaled to a desired replica count?
- Undo Rollout: For workloads only, can this resource be rolled back/forward to an existing revision?
- Pause Rollout: For workloads only, when rolling out, can the rollout be stopped?
- Resume Rollout: For workloads only, when the rollout is paused, can it be started again?
- Deploy: Can this resource be deployed and redeployed? It’s worth mentioning that all deployments are carried out using
If a resource is “versioned”, it is always deployed with a new sequence number
vNNN, unless no change has been made to it. This is important for resources like
ReplicaSets, which don’t have their own built-in update policy like
StatefulSetsdo. Making an edit to the resource in place, rather than redeploying, can have unexpected results and can delete history. Regardless, whatever the policy is, it can be overriden during a deploy manifest stage.
This policy can be overriden per-manifest using the
strategy.spinnaker.io/versionedannotation described here.
This describes under what conditions this kind is considered stable after a new
spechas been submitted.
Anything classified as a Spinnaker server group is rendered on the Clusters tab in Spinnaker. If possible, any pods owned by the workload are rendered as well.
|Resource||Deploy||Delete||Scale||Undo Rollout||Pause Rollout||Resume Rollout||Versioned||Stability|
||Yes||Yes||No||No||No||No||Yes||The pod must be scheduled, and pass all probes.|