mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-07-18 13:57:38 +00:00
Around the 1.31 release, we discovered that a change introduced in 1.27 allowead clients to open WATCH requests directly to etcd. This had detrimental consequences, enabling abusive clients to bypass caching and overwhelm etcd. Unlike the API server, etcd lacks protection against such behavior. To mitigate this, we redirected all WATCH requests to be served from the cache. The WatchFromStorageWithoutResourceVersion feature gate was retained as an escape hatch. However, since we have no plans to allow direct WATCH requests to etcd again, this flag is now obsolete. Direct WATCH requests to etcd offer no advantage, as they don't provide stronger consistency guarantees. WATCH operations are inherently inconsistent; unlike LIST operations, they do not confirm the resource version with a quorum. While Kubernetes uses the WithRequireLeader option on WATCH requests to prevent maintaining connections to isolated etcd members, the API server provides the same level of guarantee through its health checks, which fail if it cannot connect to etcd member. Therefore, the WatchFromStorageWithoutResourceVersion feature gate can be deprecated and removed.