Page MenuHomePhabricator
Create Task
Maniphest T303744

Keep track of teams responsible for namespaces inside kubernetes
Open, MediumPublic
Actions

Description

In multiple occasions (like T274262 and fleet wide envoy updates) we had the to figure out the team responsible for development/deployment of a certain service.

While there are ways of getting a good enough result (like looking at helm chart maintainers or the task from above) it would be nice to have a standardized way which does not involve pinging a particular person.

The initial idea we already bounced at some point is that a phabricator tag must be added then creating new namespaces in Kubernetes (with the expectation that the owning team/person would pick up tasks created with that tag).

Related Objects

Event Timeline

JMeybohm created this task.Mar 14 2022, 4:10 PM
JMeybohm triaged this task as Low priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 14 2022, 4:10 PM
RLazarus subscribed.Mar 14 2022, 6:09 PM
jijiki moved this task from Incoming 🐫 to 🙈🙉🙊Backlog on the serviceops board.Sep 28 2022, 2:19 PM
jijiki moved this task from 🙈🙉🙊Backlog to ⎈Kubernetes on the serviceops board.Nov 9 2022, 2:14 PM
JMeybohm mentioned this in T398073: Ensure DPE SRE can receive alerts for applications hosted in wikikube.Jul 1 2025, 8:40 AM
bking subscribed.Jul 1 2025, 3:25 PM
taavi renamed this task from Keep track of teams responsible for namespaces inside kubernetes to Keep track of teams responsible for namespaces inside kubernetes.Jul 1 2025, 7:06 PM
BTullis subscribed.Jul 8 2025, 8:46 AM
CDanis subscribed.Sep 11 2025, 1:32 PM
bking mentioned this in T408640: OpenSearch on K8s: Create Alerts.Oct 28 2025, 9:11 PM
bking mentioned this in T412447: OpenSearch on K8s: Monitor and rotate TLS certificates.Jan 9 2026, 11:34 PM
bking mentioned this in T414037: Consider enabling Blackbox K8s autodiscovery on dse-k8s Prometheus instance.Jan 9 2026, 11:43 PM
MLechvien-WMF raised the priority of this task from Low to Medium.Fri, Jan 23, 1:50 PM
MLechvien-WMF edited projects, added ServiceOps new, ServiceOps-good-first-task; removed serviceops.
MLechvien-WMF subscribed.

Raising the priority as this got mentioned in various places. We don't have the capacity to take that on this quarter so moving it to backlog.

MLechvien-WMF moved this task from Inbox to Backlog on the ServiceOps new board.Fri, Jan 23, 1:51 PM
MLechvien-WMF edited projects, added Serviceops-easywins; removed ServiceOps-good-first-task.Fri, Jan 23, 6:06 PM
jijiki closed this task as a duplicate of T412693: Ensure all Chart.yaml files include required metadata fields.Wed, Feb 4, 3:49 PM
jijiki subscribed.

This work will be done in T412693

JMeybohm reopened this task as Open.Thu, Feb 5, 4:02 PM

I disagree this being a duplicate of T412693: Ensure all Chart.yaml files include required metadata fields as that one aims at chart ownership while this task aims at ownership for k8s namespaces (or groups of deployments if that makes more sense). Those might contain deployments of charts maintained by the same group/team - but that's not a requirement.

jijiki added a comment.Fri, Feb 6, 11:21 AM
In T303744#11588126, @JMeybohm wrote:

I disagree this being a duplicate of T412693: Ensure all Chart.yaml files include required metadata fields as that one aims at chart ownership while this task aims at ownership for k8s namespaces (or groups of deployments if that makes more sense). Those might contain deployments of charts maintained by the same group/team - but that's not a requirement.

What comes to mind would be to add a "namespaces" key in chart.yaml, sort of

<snip>
home: https://wikitech.wikimedia.org/wiki/Memcached_for_MediaWiki
sources:
  - https://gerrit.wikimedia.org/r/admin/repos/operations/docker-images/production-images
team: https://wikitech.wikimedia.org/wiki/SRE/Service_Operations
maintainers:
  - name: Effie Mouzeli
    email: effie@wikimedia.org
namespaces:
  - mw-mcrouter: "SRE/ServiceOps"

Which could work for the things we can easily identify. I am in two minds regarding adding a CI check for this as well, but it is not something we need to think about now.

How does that sound?

JMeybohm added a comment.Fri, Feb 6, 4:32 PM

I don't think it makes much sense to maintain a list of namespaces where something is deployed inside the artifact that is being deployed.
My aim here was to add an annotation or label to the namespace objects in kubernetes. This could easily be done during namespace creation in https://gerrit.wikimedia.org/r/plugins/gitiles/operations/deployment-charts/+/refs/heads/master/helmfile.d/admin_ng/values/main.yaml#14 and https://gerrit.wikimedia.org/r/plugins/gitiles/operations/deployment-charts/+/refs/heads/master/helmfile.d/admin_ng/helmfile_namespaces.yaml. The hard part is to figure out the identifier to add add (phab tag, team name, .. ideally not something that changes every quarter) and the actually responsible group (as usual).

Blake subscribed.Tue, Feb 10, 3:49 PM
Blake added a comment.Tue, Feb 10, 4:00 PM

I think it might make sense for the identifier to add to match a 'team' in the context of alerting receivers. For instance, it would be useful to associate the mw-api-int namespace alerts with teams in alertmanager, because that is a reference we know points at humans who care to receive alerts.

Clement_Goubert subscribed.Fri, Feb 13, 10:55 AM
In T303744#11602583, @Blake wrote:

I think it might make sense for the identifier to add to match a 'team' in the context of alerting receivers. For instance, it would be useful to associate the mw-api-int namespace alerts with teams in alertmanager, because that is a reference we know points at humans who care to receive alerts.

+1

In T303744#11592146, @JMeybohm wrote:

I don't think it makes much sense to maintain a list of namespaces where something is deployed inside the artifact that is being deployed.
My aim here was to add an annotation or label to the namespace objects in kubernetes. This could easily be done during namespace creation in https://gerrit.wikimedia.org/r/plugins/gitiles/operations/deployment-charts/+/refs/heads/master/helmfile.d/admin_ng/values/main.yaml#14 and https://gerrit.wikimedia.org/r/plugins/gitiles/operations/deployment-charts/+/refs/heads/master/helmfile.d/admin_ng/helmfile_namespaces.yaml. The hard part is to figure out the identifier to add add (phab tag, team name, .. ideally not something that changes every quarter) and the actually responsible group (as usual).

+1 to this being namespace-bound, as well as it being orthogonal to T412693. However we should use the same identifying mechanism for clarity.

JMeybohm added a comment.Fri, Feb 13, 12:38 PM
In T303744#11602583, @Blake wrote:

I think it might make sense for the identifier to add to match a 'team' in the context of alerting receivers. For instance, it would be useful to associate the mw-api-int namespace alerts with teams in alertmanager, because that is a reference we know points at humans who care to receive alerts.

I agree. I was just afraid to use team names since those unfortunately change quire frequently within the WMF. But we probably need to do some maintenance on the identifiers no matter what we choose. So the only really important thing is that we use the same everywhere (routing, namespaces, charts,container images) and that we have a reliable way to contact the people behind the identifier (that's why I initially thought of phab tags).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits