Skip to content

A new controller adds/removes finalizer to VAC for protection #123549

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 5, 2024
Merged

A new controller adds/removes finalizer to VAC for protection #123549

merged 1 commit into from
Nov 5, 2024

Conversation

carlory
Copy link
Member

@carlory carlory commented Feb 28, 2024
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #119298

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added a new controller, volumeattributesclass-protection-controller, into the kube-controller-manager.
The new controller manages a protective finalizer on VolumeAttributesClass objects.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/issues/3751

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Feb 28, 2024
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/storage Categorizes an issue or PR as relevant to SIG Storage. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 28, 2024
@sftim
Copy link
Contributor

sftim commented Feb 28, 2024

Changelog suggestion (early feedback)

-kube-controller-manager adds a new controller named volumeattributesclass-protection-controller which adds/removes finalizer to VAC for protection.
+Added a new controller, volumeattributesclass-protection-controller, into the kube-controller-manager.
+The new controller manages a protective finalizer on VolumeAttributesClass objects.

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 28, 2024
@carlory carlory force-pushed the kep-3751-finalizer branch from 6f04107 to 8eecd8b Compare March 4, 2024 08:03
@carlory carlory marked this pull request as ready for review March 4, 2024 08:13
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 4, 2024
@k8s-ci-robot k8s-ci-robot requested a review from feiskyer March 4, 2024 08:13
@carlory
Copy link
Member Author

carlory commented Mar 4, 2024

/cc @sunnylovestiramisu @msau42

@carlory carlory force-pushed the kep-3751-finalizer branch 2 times, most recently from 9da1a23 to 66de684 Compare March 4, 2024 09:07
@k8s-ci-robot k8s-ci-robot removed the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 4, 2024
@carlory
Copy link
Member Author

carlory commented Jul 24, 2024

/cc @mikedanese

@k8s-ci-robot k8s-ci-robot requested a review from mikedanese July 24, 2024 02:25
@carlory carlory force-pushed the kep-3751-finalizer branch from 2969147 to fbd3650 Compare August 29, 2024 02:41
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 29, 2024
liggitt
liggitt reviewed Aug 29, 2024
View reviewed changes
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("list", "watch", "get").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
rbacv1helpers.NewRule("list", "watch", "get").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(storageGroup).Resources("volumeattributesclasses").RuleOrDie(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this going to use update or patch to remove the finalizer?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, it follows the same pattern as pvcprotection and pvprotection.

/cc @msau42

Should I use a patch instead of an update in this PR?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/hold cancel

we discussed this at sig storage triage today. “Patch” is usually recommended, but “update” is fine here

https://docs.google.com/document/d/1n-dXXvCbHsPfO1yrKwT1qoC80KhsxHYKbRdChdzqeXY/edit?tab=t.0#heading=h.lc8t1s7x74pi

/cc @liggitt

@carlory
controller-manager adds a new controller named volumeattributesclass-…
a9de9a3 
…protection-controller which adds/removes finalizer to VAC for protection
@carlory carlory force-pushed the kep-3751-finalizer branch from fbd3650 to a9de9a3 Compare August 30, 2024 07:00
@carlory
Copy link
Member Author

carlory commented Aug 30, 2024

/test pull-kubernetes-e2e-storage-kind-alpha-beta-features

@carlory
Copy link
Member Author

carlory commented Aug 30, 2024

/test pull-kubernetes-node-e2e-containerd

@carlory
Copy link
Member Author

carlory commented Aug 30, 2024

need to bump e2e hostpath manifests to fix csi bug
/hold

/test pull-kubernetes-e2e-storage-kind-alpha-beta-features

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 30, 2024
@carlory
Copy link
Member Author

carlory commented Sep 11, 2024

/test pull-kubernetes-e2e-storage-kind-alpha-beta-features

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 16, 2024
@k8s-ci-robot k8s-ci-robot requested a review from liggitt October 16, 2024 17:47
@carlory
Copy link
Member Author

carlory commented Oct 16, 2024

/test pull-kubernetes-e2e-storage-kind-alpha-beta-features

@carlory
Copy link
Member Author

carlory commented Oct 29, 2024

/cc @liggitt @deads2k

msau42
msau42 reviewed Nov 4, 2024
View reviewed changes
cmd/kube-controller-manager/app/core.go
controllerContext.ClientBuilder.ClientOrDie("volumeattributesclass-protection-controller"),
controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
controllerContext.InformerFactory.Storage().V1beta1().VolumeAttributesClasses(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the controller only start when the feature gate is enabled? Because the beta API is optional, I believe if you start the informer and the API is not installed, then there will be lots of error messages.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the controller only start when the feature gate is enabled?

@msau42 Yes, it is.

// StartController starts a controller with a specified ControllerContext
// and performs required pre- and post- checks/actions
func StartController(ctx context.Context, controllerCtx ControllerContext, controllerDescriptor *ControllerDescriptor,
	unsecuredMux *mux.PathRecorderMux) (healthz.HealthChecker, error) {
	logger := klog.FromContext(ctx)
	controllerName := controllerDescriptor.Name()

	for _, featureGate := range controllerDescriptor.GetRequiredFeatureGates() {
		if !utilfeature.DefaultFeatureGate.Enabled(featureGate) {
			logger.Info("Controller is disabled by a feature gate", "controller", controllerName, "requiredFeatureGates", controllerDescriptor.GetRequiredFeatureGates())
			return nil, nil
		}
	}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the controller is gated with features.VolumeAttributesClass in its controller descriptor.

requiredFeatureGates: []featuregate.Feature{
    features.VolumeAttributesClass,
},

@msau42
Copy link
Member

msau42 commented Nov 5, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 5, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 862a796a3c13e5479a4b5f5b8b9a55ff7daaf025

@carlory
Copy link
Member Author

carlory commented Nov 5, 2024

/assign @liggitt @deads2k

@deads2k
Copy link
Contributor

deads2k commented Nov 5, 2024

It looks good. Remember that this will be suffer from cache lag, so it's a "usually correct and helpful" versus "security/correctness requirement we can rely upon".

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: carlory, deads2k, msau42

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 5, 2024
@k8s-ci-robot k8s-ci-robot merged commit 08391b3 into kubernetes:master Nov 5, 2024
19 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.32 milestone Nov 5, 2024
@carlory carlory deleted the kep-3751-finalizer branch November 6, 2024 02:07
@carlory carlory mentioned this pull request Mar 6, 2025
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@msau42 msau42 msau42 left review comments

@chrishenzie chrishenzie Awaiting requested review from chrishenzie

@ingvagabund ingvagabund Awaiting requested review from ingvagabund

@feiskyer feiskyer Awaiting requested review from feiskyer

@jsafrane jsafrane Awaiting requested review from jsafrane

@aramase aramase Awaiting requested review from aramase

@sunnylovestiramisu sunnylovestiramisu Awaiting requested review from sunnylovestiramisu

@humblec humblec Awaiting requested review from humblec

@mattcary mattcary Awaiting requested review from mattcary

@deads2k deads2k Awaiting requested review from deads2k

@mikedanese mikedanese Awaiting requested review from mikedanese

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@liggitt liggitt

@deads2k deads2k

@msau42 msau42

@sunnylovestiramisu sunnylovestiramisu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Apps
Archived in project
SIG Auth
Archived in project
Milestone
v1.32
Development

Successfully merging this pull request may close these issues.

1.30 - [kep-3751] Finalizer Management Change
8 participants
@carlory @k8s-ci-robot @sftim @sunnylovestiramisu @aramase @msau42 @deads2k @liggitt