|
| 1 | +# Comparison with kube-bind |
| 2 | + |
| 3 | +[kube-bind](https://github.com/kube-bind/kube-bind) is another Kubernetes-based project that is seemingly |
| 4 | +all about synchronizing objects between clusters. This page is meant to explain where the two projects |
| 5 | +compliment each other. |
| 6 | + |
| 7 | +## api-syncagent |
| 8 | + |
| 9 | +The api-syncagent is a kcp-specific agent **installed by service providers** to publish CRD-based APIs |
| 10 | +from a "service cluster" to a central kcp instance. It consists of a single main component, the |
| 11 | +agent itself. |
| 12 | + |
| 13 | +* The **agent** pushes the configured APIs (CRDs) from the service cluster into a kcp APIExport, making |
| 14 | + them available for use in kcp workspaces. It then takes objects created with those APIs in kcp and |
| 15 | + syncs (copies) them into the service cluster (actually the synchronization is two-way: the intended |
| 16 | + state (usually the `spec` and `metadata`) are copied from kcp to the service cluster, and the `status` |
| 17 | + is copied back into kcp). This forms a 1:1 relationship between 1 kcp APIExport to 1 Kubernetes |
| 18 | + service cluster. |
| 19 | + |
| 20 | + The intention is that objects copied onto the service cluster are then reconciled and processed by |
| 21 | + 3rd party operators to provision the actual workload. |
| 22 | + |
| 23 | +Because api-syncagent is specific to kcp, its goal is to support kcp-specific features as closely as |
| 24 | +possible. Some of those features include API conversion rules in APIConversions (currently not |
| 25 | +functional in kcp) or the upcoming virtual resource feature. Most importantly, these features do not |
| 26 | +exist in vanilla Kubernetes and can't be replicated easily. |
| 27 | + |
| 28 | +## kube-bind |
| 29 | + |
| 30 | +kube-bind is a vendor-agnostic component, **installed by consumers** and talking to a kube-bind |
| 31 | +compatible backend. It consists of 3 components: |
| 32 | + |
| 33 | +* **Konnector Agent** – a user user-installed agent which can talk to many providers and sync object |
| 34 | + statuses back. It is intended to be used in a 1:N relationship: one consumer cluster to many |
| 35 | + provider clusters. |
| 36 | +* **Provider Cluster** – a Kubernetes or kcp cluster, from which the provider can serve objects to |
| 37 | + multiple consumers. |
| 38 | +* **Backend** – a backend is used to establish trust by checking OIDC authorization flow and creating |
| 39 | + an access-scoped kubeconfig for konnector agents to use. This can be made and distributed in |
| 40 | + other ways and so there is no one-size-fits-all backend, but instead they are built for each |
| 41 | + specific usecase/provider. |
| 42 | + |
| 43 | +## Simillarities |
| 44 | + |
| 45 | +As part of their operation, both kube-bind and the api-syncagent do in fact synchronize Kubernetes |
| 46 | +objects. Both components move the spec from the consumer to the producer and move the status back |
| 47 | +in the opposite direction. |
| 48 | + |
| 49 | +However in most other aspects, the two projects differ dramatically in scope and purpose. |
| 50 | + |
| 51 | +## Differences |
| 52 | + |
| 53 | +| Aspect | api-syncagent | kube-bind | |
| 54 | +| ------ | ------------- | --------- | |
| 55 | +| **Installation Location**<br><small>Where is the active part installed to?</small> | provider cluster | consumer cluster | |
| 56 | +| **Compatibility / Scope**<br><small>What is this software meant to be used with?</small> | synchronize objects between kcp and Kubernetes | handshake between two parties;<br>synchronize between any two Kubernetes endpoints | |
| 57 | +| **Cluster Access**<br><small>In which direction is the communication established?</small> | provider connects to kcp<br><small>(provider cluster can be firewalled off)</small> | consumer to provider<br><small>(provider cluster needs to be publicly accessible)</small> | |
| 58 | +| **Scope Support**<br><small>What kind of resources are supported?</small> | cluster scoped,<br>namespaced | cluster scoped,<br>namespaced | |
| 59 | +| **Mutations**<br><small>Changing an object's content in transit</small> | ✅ | ❌ | |
| 60 | +| **Projections**<br><small>Changing an object's group, version or kind in transit</small> | ✅ | ❌ | |
| 61 | +| **Auxiliary Objects**<br><small>Related objects (often credential Secrets) that originate on the provider side and are synced back to the consumer</small> | ✅ | ❌ | |
| 62 | + |
| 63 | +--- |
| 64 | + |
| 65 | +One major difference between the two projects is how in kube-bind, the consumer has to perform an |
| 66 | +explicit handshake with an arbitrary service provider to initiate a contract between them. During this |
| 67 | +handshake not only authentication information is exchanged, but also the list of provider APIs is |
| 68 | +made available and installed onto consumer clusters. |
| 69 | + |
| 70 | +With the api-syncagent, there is no handshake anymore, as kcp already handles this part: providers |
| 71 | +create their own APIExports in kcp and offer them to consumers, who them just have to bind to them |
| 72 | +without opening an explicit contract/connection to the provider. So in a sense, the whole API catalog |
| 73 | +(the sum of APIs available by all providers) is already known in kcp, but in kube-bind it's something |
| 74 | +that is handled out between consumer and provider individually. |
| 75 | + |
| 76 | +This also means that the api-syncagent works indiscriminately of consumers: It will process any |
| 77 | +Kubernetes object it finds in the APIExport virtual workspace in kcp, regardless of the consumer. In |
| 78 | +kube-bind however each new consumer is required to authenticate and handshake with the provider. |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +Another difference is how versioning is handled. Since in kube-bind, one single konnector agent is |
| 83 | +installed on the consumer cluster, it needs to be compatible with all consumed services. However with |
| 84 | +the api-syncagent, each provider installs their own agent on their own infrastructure, completely |
| 85 | +independent from other providers. |
| 86 | + |
| 87 | +Technically, the api-syncagent is only an implementation detail. You could provide services with your |
| 88 | +own tooling to kcp, if you wanted to, without the consumers every really noticing. In kube-bind, the |
| 89 | +concrete implementation of the konnector and kubectl plugins are a fixed part of the kube-bind |
| 90 | +ecosystem, with only the backend being exchangeable. |
| 91 | + |
| 92 | +--- |
| 93 | + |
| 94 | +One could wonder if after the kube-bind handshake is complete and the APIs are installed on the local |
| 95 | +consumer cluster, whether one could not simply use the api-syncagent for the actual object |
| 96 | +synchronization. |
| 97 | + |
| 98 | +This is not possible because... |
| 99 | + |
| 100 | +* the api-syncagent requires a virtual workspace on one of the sync sides, whereas kube-bind works |
| 101 | + with any Kubernetes endpoint, |
| 102 | +* the api-syncagent is meant to run on the provider cluster and therefore considers the objects on |
| 103 | + the remote side to be authoritative (the source of truth), making the sync work in the opposite |
| 104 | + direction if consumers were to install the agent, |
| 105 | +* information like projection/mutation is not available to the agent, so it would not know if and how |
| 106 | + to change object metadata during syncing. |
| 107 | + |
| 108 | +In fact, the actual synchronization of Kubernetes objects between two clusters isn't really the |
| 109 | +major feature each of the projects implement. It's more about all the workflows and circumstances |
| 110 | +surrounding the sync than the sync itself. Copying Kubernetes objects back and forth is not the |
| 111 | +challenge. |
0 commit comments