Add applyset-namespace flag to kubectl apply #132527

scaliby · 2025-06-25T11:05:26Z

What type of PR is this?

/kind feature

What this PR does / why we need it:

With current implementation of ApplySet it is impossible to apply a multi-namespace configuration. This is because we are forcing user to pass --namespace parameter to the command that is used for determining in which namespace ApplySet parent configuration is supposed to be stored.

Unfortunatelly, supplying this parameter, enforces that all resources in the config to be in the same namespace.

Before the change:

$ cat config.yaml 
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    foo: bar
  name: a
  namespace: default
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    foo: bar
  name: b
  namespace: test

$ kubectl apply -f config.yaml --applyset=testset --all --prune
error: namespace is required to use namespace-scoped ApplySet

With the newly introduced parameter, we are able to explicitly specify where, the parent configuration is supposed to live, removing the need for --namespace=testset and allowing user to create configuration that spans across multiple namespaces.

After the change:

$ kubectl apply -f config.yaml --applyset=testset --applyset-namespace=testnamespace --all --prune
configmap/a created
configmap/b created

Which issue(s) this PR is related to:

The issue indirectly solves problem described in #106284 and #555. The deviation is that we are adding support for the mentioned use case to the ApplySet instead of fixing the old prune command.

Does this PR introduce a user-facing change?

Yes, we are adding optional kubectl apply parameter. When the parameter is not supplied, the old behavior is preserved.

Added `--applyset-namespace` command line argument to `kubectl apply`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[Usage]: kubectl apply -f file.yaml --prune --all --applyset=testapplyset --applyset-namespace=parent-config-ns

`--applyset-namespace` kubectl apply command line argument allows users to specify in which namespace should the parent ApplySet configuration object live.

linux-foundation-easycla · 2025-06-25T11:05:31Z

The committers listed above are authorized under a signed CLA.

✅ login: scaliby / name: Konrad Kaim (90d0cfd, a3ab666, fb791e5)

k8s-ci-robot · 2025-06-25T11:05:35Z

Welcome @scaliby!

It looks like this is your first PR to kubernetes/kubernetes 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kubernetes has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

k8s-ci-robot · 2025-06-25T11:05:36Z

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot · 2025-06-25T11:05:36Z

Hi @scaliby. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot · 2025-06-25T11:05:46Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: scaliby
Once this PR has been reviewed and has the lgtm label, please assign seans3 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

staging/src/k8s.io/kubectl/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

justinsb · 2025-06-25T12:58:47Z

staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_test.go

@@ -2315,7 +2315,7 @@ func TestApplySetParentValidation(t *testing.T) {
 		"other namespaced builtin parents types are correctly parsed but invalid": {
 			applysetFlag:     "deployments.apps/thename",
 			expectParentKind: "Deployment",
-			expectErr:        "[namespace is required to use namespace-scoped ApplySet, resource \"apps/v1, Resource=deployments\" is not permitted as an ApplySet parent]",
+			expectErr:        "[namespace is required to use namespace-scoped ApplySet. You can provide it either using --applyset-namespace or --namespace parameter, resource \"apps/v1, Resource=deployments\" is not permitted as an ApplySet parent]",


I propose adding a test case here to this list for passing applysetNamespace

justinsb · 2025-06-25T13:00:25Z

staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_test.go

+	tf.FakeDynamicClient = fakeDynamicClient
+	tf.UnstructuredClient = &fake.RESTClient{
+		NegotiatedSerializer: resource.UnstructuredPlusDefaultContentConfig().NegotiatedSerializer,
+		Client: fake.CreateHTTPClient(func(req *http.Request) (*http.Response, error) {


Maybe it's time to refactor our test clients - though I suggest not in this PR.

This assumes that we can't merge with TestApplyWithPruneV2; though I would say the fact that I can't easily tell whether they are the same is itself a good argument for refactoring a common test client!

cc @soltysh as I think you were not convinced in the past.

I agree, refactoring is needed here. Probably a mock HTTP client that acts like a real server would be the best choice.

Merging with TestApplyWithPruneV2 wouldn't test what I want to test. I want to check if parent configuration was created successfully and in the correct namespace. This is not being done in that test.

Also, this test has no support for creation of resources other than the Namespace resource, and I need to create other, scoped resource (ConfigMap in my case).

justinsb · 2025-06-25T13:06:15Z

staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_test.go

@@ -2874,6 +2874,229 @@ metadata:
 `, string(updatedCRYaml))
 }

+func TestApplyWithPruneV2ApplySetNamespace(t *testing.T) {


Could we add this to TestApplyWithPruneV2 ? It's hard to tell how similar it is / is not :-)

The behavior I want to test here is slightly different compared to TestApplyWithPruneV2. As described in the comment above, it would be hard to merge that and preserve the behavior I want to get tested.

justinsb · 2025-06-25T13:11:27Z

Quibbles about the test code, this lgtm.

For context, @scaliby found that applyset does not always work with namespace-scoped parent objects when applying a multi-namespace manifest. We can't pass --namespace with a multi-namespace manifest. But we need a namespace for the parent object, and we can't always infer it from kubeconfig. Arguably inferring it from kubeconfig is "magic" anyway, so I suggested a flag. It's clearer UX, and though it's a little less convenient for the user, we do want to nudge users away from multi-namespace manifests based on real-world experience.

…e applyset-namespace flag

janetkuo · 2025-06-25T16:14:23Z

/ok-to-test

scaliby · 2025-06-26T10:06:29Z

/retest

k8s-ci-robot · 2025-06-26T10:26:38Z

@scaliby: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubernetes-linter-hints	`fb791e5`	link	false	`/test pull-kubernetes-linter-hints`

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

scaliby · 2025-06-26T11:22:58Z

/test pull-kubernetes-unit

lmktfy · 2025-06-26T11:33:03Z

Changelog suggestion

-Added applyset-namespace flag to kubectl apply.
+Added `--applyset-namespace` command line argument to `kubectl apply`.

(Outside of the Go ecosystem, flag means a boolean typed command line parameter)

feat: add applyset-namespace apply flag

90d0cfd

k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 25, 2025

k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 25, 2025

k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Jun 25, 2025

k8s-ci-robot requested review from brianpursley and soltysh June 25, 2025 11:05

k8s-ci-robot added area/kubectl sig/cli Categorizes an issue or PR as relevant to SIG CLI. labels Jun 25, 2025

github-project-automation bot added this to SIG CLI Jun 25, 2025

k8s-ci-robot removed the do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jun 25, 2025

github-project-automation bot moved this to Needs Triage in SIG CLI Jun 25, 2025

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jun 25, 2025

justinsb reviewed Jun 25, 2025

View reviewed changes

k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 25, 2025

test: add test checking for parent namespace when supplied through th…

a3ab666

…e applyset-namespace flag

scaliby changed the title ~~[WIP] Add applyset-namespace flag to kubectl apply~~ Add applyset-namespace flag to kubectl apply Jun 25, 2025

scaliby marked this pull request as ready for review June 25, 2025 13:57

k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 25, 2025

k8s-ci-robot requested a review from mpuckett159 June 25, 2025 13:57

k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 25, 2025

test: remove redundant test

fb791e5

k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 26, 2025

Add applyset-namespace flag to kubectl apply #132527

Are you sure you want to change the base?

Add applyset-namespace flag to kubectl apply #132527

Conversation

scaliby commented Jun 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR is related to:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

Uh oh!

linux-foundation-easycla bot commented Jun 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-ci-robot commented Jun 25, 2025

Uh oh!

k8s-ci-robot commented Jun 25, 2025

Uh oh!

k8s-ci-robot commented Jun 25, 2025

Uh oh!

k8s-ci-robot commented Jun 25, 2025

Uh oh!

justinsb Jun 25, 2025

Choose a reason for hiding this comment

Uh oh!

scaliby Jun 25, 2025

Choose a reason for hiding this comment

Uh oh!

justinsb Jun 25, 2025

Choose a reason for hiding this comment

Uh oh!

scaliby Jun 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

justinsb Jun 25, 2025

Choose a reason for hiding this comment

Uh oh!

scaliby Jun 25, 2025

Choose a reason for hiding this comment

Uh oh!

justinsb commented Jun 25, 2025

Uh oh!

janetkuo commented Jun 25, 2025

Uh oh!

scaliby commented Jun 26, 2025

Uh oh!

k8s-ci-robot commented Jun 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

scaliby commented Jun 26, 2025

Uh oh!

lmktfy commented Jun 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

scaliby commented Jun 25, 2025 •

edited

Loading

linux-foundation-easycla bot commented Jun 25, 2025 •

edited

Loading

scaliby Jun 25, 2025 •

edited

Loading

k8s-ci-robot commented Jun 26, 2025 •

edited

Loading

lmktfy commented Jun 26, 2025 •

edited

Loading