Feature and extension flags
This document introduces two concepts:
- Feature: A way to stage the introduction of features to the Knative API.
- Extension: A way to extend Knative beyond the portable concepts of the Knative API.

Features and extensions are controlled by flags. You can define flags in the `config-features` ConfigMap in the knative-serving namespace.

Flags can have the following values:
- Enabled: The feature or extension is enabled and currently in use.
- Allowed: The feature or extension is enabled and can be used, for example, by using an additional annotation or spec configuration for a resource.
- Disabled: The feature or extension cannot be used.
Lifecycle
When features and extensions are introduced to Knative, they follow a lifecycle of three stages:

Alpha stage
- Might contain bugs.
- Support for the feature might be dropped at any time without notice.
- The API might change in a later software release in ways that make it incompatible with older releases, without notice.
- Recommended for use only in short-lived testing clusters, due to the increased risk of bugs and the lack of long-term support.

Beta stage
- Support for the overall feature will not be dropped, though details might change.
- The schema and semantics of objects might change in incompatible ways in a subsequent beta or stable release. If this happens, instructions are provided for migrating to the next version. These changes might require you to delete, modify, or re-create API objects, and might require downtime for applications that rely on the feature.
- Recommended only for non-business-critical uses because of the potential for incompatible changes in subsequent releases. If you have multiple clusters that can be upgraded independently, you might be able to relax this restriction.

General Availability (GA) stage
- Stable versions of the feature or extension are included in official, stable Knative releases.
Feature lifecycle stages
Features use flags to safely introduce new changes to the Knative API. The following definitions explain the default flag setting for a feature at each stage:
- Alpha stage: The feature is disabled by default, but you can manually enable it.
- Beta stage: The feature is enabled by default, but you can manually disable it.
- GA stage: The feature is always enabled; you cannot disable it. The corresponding feature flag is no longer needed and is removed from Knative.
Extension lifecycle stages
An extension surfaces details of a specific Knative implementation, or features of the underlying environment.

Note: Extensions are never included in the core Knative API due to their lack of portability. Each extension is always controlled by a flag and is never enabled by default.

- Alpha stage: The extension is disabled by default, but you can manually enable it.
- Beta stage: The extension is allowed by default.
- GA stage: The extension is allowed by default.
Available Flags
Multiple containers
- Type: Feature
- ConfigMap key: `multi-container`

This flag allows specifying multiple user containers in a Knative Service spec. Only one container can handle requests, so exactly one container must have a port specified.
EmptyDir
- Type: Extension
- ConfigMap key: `kubernetes.podspec-volumes-emptydir`

This extension controls whether `emptyDir` volumes can be specified.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
...
spec:
  template:
    spec:
      containers:
        ...
        volumeMounts:
          - name: cache
            mountPath: /cache
      volumes:
        - name: cache
          emptyDir: {}
```
Kubernetes node affinity
- Type: Extension
- ConfigMap key: `kubernetes.podspec-affinity`

This extension controls whether node affinity can be specified.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
...
spec:
  template:
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/e2e-az-name
                    operator: In
                    values:
                      - e2e-az2
```
Kubernetes host aliases
- Type: Extension
- ConfigMap key: `kubernetes.podspec-hostaliases`

This flag controls whether host aliases can be specified.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
...
spec:
  template:
    spec:
      hostAliases:
        - ip: "127.0.0.1"
          hostnames:
            - "bar.local"
```
Kubernetes node selector
- Type: Extension
- ConfigMap key: `kubernetes.podspec-nodeselector`

This flag controls whether a node selector can be specified.
Kubernetes toleration
- Type: Extension
- ConfigMap key: `kubernetes.podspec-tolerations`

This flag controls whether tolerations can be specified.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
...
spec:
  template:
    spec:
      tolerations:
        - key: "example-key"
          operator: "Exists"
          effect: "NoSchedule"
```
Kubernetes Downward API
- Type: Extension
- ConfigMap key: `kubernetes.podspec-fieldref`

This flag controls whether the Downward API (environment variable based) can be specified.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
...
spec:
  template:
    spec:
      containers:
        - name: user-container
          image: gcr.io/knative-samples/helloworld-go
          env:
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
```
Kubernetes priority class name
- Type: Extension
- ConfigMap key: `kubernetes.podspec-priorityclassname`

This flag controls whether the `priorityClassName` can be specified.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
...
spec:
  template:
    spec:
      ...
```
Kubernetes dry run
- Type: Extension
- ConfigMap key: `kubernetes.podspec-dryrun`

This flag controls whether Knative attempts to validate the Pod spec derived from a Knative Service spec, by using the Kubernetes API server, before accepting the object.
- When this extension is enabled, the server always runs this validation.
- When this extension is allowed, the server does not run this validation by default.
- When this extension is allowed, you can run this validation for individual Services by adding the `features.knative.dev/podspec-dryrun: "enabled"` annotation.
Kubernetes runtime class
- Type: Extension
- ConfigMap key: `kubernetes.podspec-runtimeclass`

This flag controls whether the runtime class can be used.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
spec:
  template:
    spec:
      runtimeClassName: myclass
      ...
```
Kubernetes security context
- Type: Extension
- ConfigMap key: `kubernetes.podspec-securitycontext`

This flag controls whether a subset of the security context can be used.

When set to enabled or allowed, the following PodSecurityContext properties are permitted:
- FSGroup
- RunAsGroup
- RunAsNonRoot
- SupplementalGroups
- RunAsUser

When set to enabled or allowed, the following container SecurityContext properties are permitted:
- RunAsNonRoot (also allowed without this flag, but only when set to true)
- RunAsGroup
- RunAsUser (already allowed without this flag)

Warning: Use this flag with caution. PodSecurityContext properties can affect non-user sidecar containers that come from Knative or your service mesh.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
...
spec:
  template:
    spec:
      securityContext:
        runAsUser: 1000
      ...
```
Kubernetes security context capabilities
- Type: Extension
- ConfigMap key: `kubernetes.containerspec-addcapabilities`

This flag controls whether users can add capabilities on the `securityContext` of the container.

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
        - image: gcr.io/knative-samples/helloworld-go
          env:
            - name: TARGET
              value: "Go Sample v1"
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
```
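The security context and capabilities flags above, together with the three flag values defined at the top of this page, are what a cluster reviewer most wants to see at a glance. As an added example that is not part of the Knative documentation, the script below parses a constructed `config-features` ConfigMap manifest (the ConfigMap name Knative Serving ships in the knative-serving namespace) and reports extension flags that are enabled or allowed, as well as values outside the documented enabled/allowed/disabled set; the `SENSITIVE_EXTENSIONS` list and the severity labels are the example's own choices, not Knative's.

```python
# Added example, not from the Knative docs: audit a Knative Serving
# config-features ConfigMap (the name shipped in knative-serving) for extension
# flags whose enabled/allowed state reaches Pod-level settings. Sample is constructed.
SENSITIVE_EXTENSIONS = {  # extensions from this page that merit review when on
    "kubernetes.podspec-securitycontext": "PodSecurityContext also affects Knative and mesh sidecars",
    "kubernetes.containerspec-addcapabilities": "containers may add Linux capabilities",
}

SAMPLE_CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-features
  namespace: knative-serving
data:
  _example: |
    kubernetes.podspec-hostaliases: "enabled"
  kubernetes.podspec-securitycontext: "allowed"
  kubernetes.containerspec-addcapabilities: "enabled"
  kubernetes.podspec-dryrun: "Allowed"
  kubernetes.podspec-runtimeclass: "true"
"""

def parse_configmap_data(manifest: str) -> dict:
    """Flat `data:` entries; block scalars such as the `_example: |` doc blob are skipped."""
    data, in_data = {}, False
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # top-level key: are we entering data:?
            in_data = line.rstrip() == "data:"
            continue
        if not in_data or len(line) - len(line.lstrip(" ")) > 2:
            continue  # another section, or the body of a block scalar
        key, _, value = line.strip().partition(":")
        if value.strip() not in ("|", "|-", ">", ">-"):
            data[key] = value.strip().strip("'\"")
    return data

def audit(data: dict) -> list:
    """Return (flag, severity, reason) findings sorted by flag name."""
    findings = []
    for flag, value in sorted(data.items()):
        state = value.lower()  # documented values: enabled, allowed, disabled
        if state not in ("enabled", "allowed", "disabled"):
            findings.append((flag, "error", f"unrecognized value {value!r}"))
        elif flag in SENSITIVE_EXTENSIONS and state != "disabled":
            severity = "high" if state == "enabled" else "medium"
            findings.append((flag, severity, f"{state}: {SENSITIVE_EXTENSIONS[flag]}"))
    return findings
```

Against a live cluster, feed it the output of `kubectl -n knative-serving get configmap config-features -o yaml` instead of the constructed sample.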
Tag header based routing
- Type: Extension
- ConfigMap key: `tag-header-based-routing`

This flag controls whether tag header based routing is enabled.