Alpha support for provision volumes from cross-namespace data sources #805
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @ttakahashi21! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @ttakahashi21. Thanks for your PR. I'm waiting for a kubernetes-csi member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
ttakahashi21
changed the title
pkg/controller/controller.go
Outdated
| @@ -57,6 +59,7 @@ import ( | |||
| "github.com/kubernetes-csi/csi-lib-utils/rpc" | |||
| snapapi "github.com/kubernetes-csi/external-snapshotter/client/v6/apis/volumesnapshot/v1" | |||
| snapclientset "github.com/kubernetes-csi/external-snapshotter/client/v6/clientset/versioned" | |||
| referenceGrantv1alpha2 "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1alpha2" | |||
There was a problem hiding this comment.
just wondering , considering we have v1beta1 available cant we use v1beta1 of RefGrants insted of alphav2? Isnt it better to use it ? @ttakahashi21
There was a problem hiding this comment.
The ReferenceGrant is not yet in beta. Therefore, I'm using Alpha2.
See the URL below.
https://github.com/kubernetes-sigs/gateway-api
There was a problem hiding this comment.
There was a problem hiding this comment.
I was able to use it by adding the following to my go.mod file:
require sigs.k8s.io/gateway-api v0.5.1-0.20221110191515-2d586cc49ab4
pkg/features/features.go
Outdated
| HonorPVReclaimPolicy: {Default: false, PreRelease: featuregate.Alpha}, | ||
| Topology: {Default: false, PreRelease: featuregate.GA}, | ||
| HonorPVReclaimPolicy: {Default: false, PreRelease: featuregate.Alpha}, | ||
| CrossNamespaceSourceProvisioning: {Default: false, PreRelease: featuregate.Alpha}, |
There was a problem hiding this comment.
we also need to add this feature gate to the readme doc
There was a problem hiding this comment.
Could you tell me where should i write it?
There was a problem hiding this comment.
Added CrossNamespaceVolumeDataSource in README.md.
|
@ttakahashi21 thanks. I have few review comments . Apart from that, can we add some tests to this PR ? |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
pkg/controller/controller.go
Outdated
| @@ -57,6 +59,7 @@ import ( | |||
| "github.com/kubernetes-csi/csi-lib-utils/rpc" | |||
| snapapi "github.com/kubernetes-csi/external-snapshotter/client/v6/apis/volumesnapshot/v1" | |||
| snapclientset "github.com/kubernetes-csi/external-snapshotter/client/v6/clientset/versioned" | |||
| referenceGrantv1alpha2 "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1alpha2" | |||
pkg/controller/controller.go
Outdated
| return p.getSnapshotSourceInternal(ctx, claim, sc, claim.Namespace, claim.Spec.DataSourceRef2.Name) | ||
| } | ||
|
|
||
| if ok, err := p.IsGranted(ctx, claim.Spec.DataSourceRef2.Namespace, claim.Spec.DataSourceRef2.Name, claim); err != nil || !ok { |
There was a problem hiding this comment.
Do we check somewhere if the PVC namespace is the same as the VolumeSnapshot namespace? If they are the same, then referenceGrant is not needed.
There was a problem hiding this comment.
Do we check somewhere if the PVC namespace is the same as the VolumeSnapshot namespace?
Changed to check.
@robscott
Do you have any comments from the gateway api point of view?
There was a problem hiding this comment.
I'm not sure I get the context here. Agree that ReferenceGrant is only useful/necessary to enable cross-namespace references. Same namespace references should not require a ReferenceGrant.
k8s-ci-robot
added
size/XXL
ttakahashi21
force-pushed
the
KEP-3294
branch
from
3c81e32 to
7f613fb
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/assign msau42 |
k8s-ci-robot
added
the
needs-rebase
deploy/kubernetes/rbac.yaml
Outdated
| @@ -57,6 +57,9 @@ rules: | |||
| - apiGroups: ["storage.k8s.io"] | |||
| resources: ["volumeattachments"] | |||
| verbs: ["get", "list", "watch"] | |||
| - apiGroups: ["gateway.networking.k8s.io"] | |||
There was a problem hiding this comment.
Can you comment these out for now with a note that it's alpha?
There was a problem hiding this comment.
I see. But if I comment it out, CI fails. Is it possible to test without commenting out in the CI side test?
There was a problem hiding this comment.
what is the test failure you see?
go.mod
Outdated
| sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect | ||
| sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect | ||
| sigs.k8s.io/yaml v1.3.0 // indirect | ||
| ) | ||
|
|
||
| replace k8s.io/api => k8s.io/api v0.25.2 | ||
| replace k8s.io/api => k8s.io/api v0.0.0-20221110160654-5cb32024090c |
There was a problem hiding this comment.
does this support human-friendly tags like v1.26.0-beta.0?
There was a problem hiding this comment.
I set it temporarily because I need to use the API added for k8s 1.26 for successful CI testing. Therefore, I will change it when the release tag is attached.
pkg/controller/controller.go
Outdated
| } | ||
| rc.snapshot = true | ||
| default: | ||
| return nil, controller.ProvisioningFinished, fmt.Errorf("the PVC source specified via DataSourceRef with non-empty namespace does not belong to the right Kind. Expected %s, Got %s", snapshotKind, claim.Spec.DataSourceRef.Kind) |
There was a problem hiding this comment.
Are we allowing pvc source and data populators too?
There was a problem hiding this comment.
Yes. Added. 1f9df93
pkg/controller/controller.go
Outdated
| } | ||
|
|
||
| for _, to := range grant.Spec.To { | ||
| if to.Group != snapshotAPIGroup || to.Kind != snapshotKind { |
There was a problem hiding this comment.
Can we make the function more generic to handle non-snapshot data sources?
There was a problem hiding this comment.
Yes. Is possible. Fixed code 1f9df93
pkg/controller/controller.go
Outdated
| @@ -582,6 +589,21 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist | |||
| } | |||
| } | |||
| } | |||
|
|
|||
| if utilfeature.DefaultFeatureGate.Enabled(features.CrossNamespaceVolumeDataSource) { | |||
| if claim.Spec.DataSourceRef != nil && claim.Spec.DataSourceRef.Namespace != nil && len(*claim.Spec.DataSourceRef.Namespace) > 0 { | |||
There was a problem hiding this comment.
I think we should move the check for feature gate and return error earlier at this place. There's a number of csi calls we make after this that may be nice to avoid.
There was a problem hiding this comment.
I added feature gate check code early in the prepare Provision function.
pkg/controller/controller.go
Outdated
| if claim.Spec.DataSource != nil && (rc.clone || rc.snapshot) { | ||
| if claim.Spec.DataSourceRef != nil && claim.Spec.DataSourceRef.Namespace != nil && len(*claim.Spec.DataSourceRef.Namespace) > 0 { | ||
| if utilfeature.DefaultFeatureGate.Enabled(features.CrossNamespaceVolumeDataSource) && rc.snapshot { | ||
| volumeContentSource, err := p.getVolumeContentSourceFromXnsDataSource(ctx, claim, sc) |
There was a problem hiding this comment.
Do we need a new function, or can we modify getVolumeContentSource?
There was a problem hiding this comment.
Yes. Is possible. Fixed code 1f9df93
Could you check code?
ttakahashi21
force-pushed
the
KEP-3294
branch
2 times, most recently
from
2b8ea8c to
bbd6d77
Compare
k8s-ci-robot
removed
the
needs-rebase
deploy/kubernetes/rbac.yaml
Outdated
| @@ -57,6 +57,9 @@ rules: | |||
| - apiGroups: ["storage.k8s.io"] | |||
| resources: ["volumeattachments"] | |||
| verbs: ["get", "list", "watch"] | |||
| - apiGroups: ["gateway.networking.k8s.io"] | |||
There was a problem hiding this comment.
what is the test failure you see?
go.mod
Outdated
| @@ -29,6 +29,8 @@ require ( | |||
| sigs.k8s.io/sig-storage-lib-external-provisioner/v8 v8.0.0 | |||
| ) | |||
|
|
|||
| require sigs.k8s.io/gateway-api v0.5.1-0.20221110191515-2d586cc49ab4 | |||
There was a problem hiding this comment.
instead of creating a new require block, can you add it to the block above?
Also is there a release tag of gateway-api we can use?
There was a problem hiding this comment.
Also is there a release tag of gateway-api we can use?
There is none.
@robscott
Could you please create a tag that includes the ReferenceGrant API Beta?
pkg/controller/controller.go
Outdated
| @@ -537,6 +544,11 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist | |||
| return nil, controller.ProvisioningFinished, errors.New("storage class was nil") | |||
| } | |||
|
|
|||
| if !utilfeature.DefaultFeatureGate.Enabled(features.CrossNamespaceVolumeDataSource) && | |||
| claim.Spec.DataSourceRef != nil && claim.Spec.DataSourceRef.Namespace != nil && len(*claim.Spec.DataSourceRef.Namespace) > 0 { | |||
| return nil, controller.ProvisioningFinished, fmt.Errorf("error handling for DataSourceRef Type %s with non-empty namespace by Name %s: CrossNamespaceVolumeDataSource feature disabled", claim.Spec.DataSourceRef.Kind, claim.Spec.DataSourceRef.Name) | |||
There was a problem hiding this comment.
I think we can simplify the error message to say "dataSourceRef namespace specified but the CrossNamespaceVolumeDataSource feature is disabled"
pkg/controller/controller.go
Outdated
| @@ -582,6 +594,28 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist | |||
| } | |||
| } | |||
| } | |||
| if utilfeature.DefaultFeatureGate.Enabled(features.CrossNamespaceVolumeDataSource) { | |||
| if claim.Spec.DataSourceRef != nil { | |||
There was a problem hiding this comment.
This logic looks the same as the DataSource logic. Can we create a common function that takes in Name and Kind?
pkg/controller/controller.go
Outdated
| // For now we shouldn't pass other things to this function, but treat it as a noop and extend as needed | ||
| return nil, nil | ||
| } | ||
| } else { |
There was a problem hiding this comment.
Do we need the if/else? The logic looks exactly the same.
pkg/controller/controller.go
Outdated
| return false, nil | ||
| } | ||
|
|
||
| // Get all ReferenceGrants in snapshot's namespace |
There was a problem hiding this comment.
update comment to say "data source" instead of "snapshot"
pkg/controller/controller.go
Outdated
| @@ -1081,47 +1175,117 @@ func (p *csiProvisioner) getPVCSource(ctx context.Context, claim *v1.PersistentV | |||
| return volumeContentSource, nil | |||
| } | |||
|
|
|||
| func (p *csiProvisioner) IsGranted(ctx context.Context, claim *v1.PersistentVolumeClaim) (bool, error) { | |||
There was a problem hiding this comment.
Add a todo that this function should eventually be replaced by a common kubernetes library
There was a problem hiding this comment.
There was a problem hiding this comment.
btw does the gateway controller have a similar method?
pkg/controller/controller.go
Outdated
| } | ||
|
|
||
| for _, to := range grant.Spec.To { | ||
| if claim.Spec.DataSourceRef.APIGroup != nil && (string(to.Group) != *claim.Spec.DataSourceRef.APIGroup || string(to.Kind) != claim.Spec.DataSourceRef.Kind) { |
There was a problem hiding this comment.
What if dataSourceRef.APIGroup == nil and to.Group is set?
Also it should be groupMatches and kindMatches right?
There was a problem hiding this comment.
I fixed it as follows. Is this the fix you expected?
https://github.com/kubernetes-csi/external-provisioner/pull/805/files#diff-243ebed2765f75e6a54f57167212fefb08c3b2a85967ad2acbc0eb78919019c1R1145-R1149
pkg/controller/controller.go
Outdated
| } | ||
|
|
||
| if !allowed { | ||
| return false, nil |
There was a problem hiding this comment.
I think this could just be return allowed, nil
pkg/controller/controller.go
Outdated
| var claim *v1.PersistentVolumeClaim | ||
| var err error | ||
|
|
||
| if pvc.Spec.DataSourceRef != nil { |
There was a problem hiding this comment.
How much of this logic can be simplified across all the data sources if we had a common function that can normalize DataSource and DataSourceRef? Something like:
func dataSource(claim *v1.PersistentVolumeClaim) (ObjectReference, error)
I see that this pattern repeats many times for each of the data source types.
There was a problem hiding this comment.
I think there is still room for improvement, but I was able to normalize and remove the duplicated code. Is the fix as expected?
There was a problem hiding this comment.
Changed to check the featuregate in the dataSource function. Also, since it is confirmed at the beginning of the prepareProvision function, the confirmation of featuregate removed in the "IsGrant ", "getSnapshotSource ", and "getPVCSource " function.
There was a problem hiding this comment.
It looks much better now thanks!
k8s-ci-robot
added
the
needs-rebase
ttakahashi21
changed the title
ttakahashi21
force-pushed
the
KEP-3294
branch
from
bbd6d77 to
aecf95f
Compare
k8s-ci-robot
removed
the
needs-rebase
ttakahashi21
force-pushed
the
KEP-3294
branch
2 times, most recently
from
59b292e to
ef748fe
Compare
|
#805 (comment) |
pkg/controller/controller.go
Outdated
| var claim *v1.PersistentVolumeClaim | ||
| var err error | ||
|
|
||
| if len(dataSource.Namespace) > 0 { |
There was a problem hiding this comment.
Can dataSource also set the namespace field so we don't need this check?
There was a problem hiding this comment.
It is possible. Fixed code.
pkg/controller/controller.go
Outdated
| var err error | ||
| if len(dataSource.Namespace) > 0 { | ||
| if claim.Namespace != dataSource.Namespace { | ||
| if ok, err := p.IsGranted(ctx, claim); err != nil || !ok { |
There was a problem hiding this comment.
Can IsGranted also be moved to dataSource?
There was a problem hiding this comment.
Is it possible. Fixed code.
pkg/controller/controller.go
Outdated
| @@ -1081,47 +1175,117 @@ func (p *csiProvisioner) getPVCSource(ctx context.Context, claim *v1.PersistentV | |||
| return volumeContentSource, nil | |||
| } | |||
|
|
|||
| func (p *csiProvisioner) IsGranted(ctx context.Context, claim *v1.PersistentVolumeClaim) (bool, error) { | |||
There was a problem hiding this comment.
btw does the gateway controller have a similar method?
pkg/controller/controller_test.go
Outdated
|
|
||
| var provisionRequest controller.ProvisionOptions | ||
| if setnamespace { | ||
| provisionRequest = controller.ProvisionOptions{ |
There was a problem hiding this comment.
It looks like almost everything is the same and the only difference is the namespace field. I think you can move this out of this if block and only change the namespace inside.
| } | ||
|
|
||
| for k, tc := range testcases { | ||
| tc := tc | ||
| t.Run(k, func(t *testing.T) { | ||
| t.Parallel() | ||
| if !tc.xnsEnabled { | ||
| t.Parallel() |
There was a problem hiding this comment.
Why does the xns feature require serial tests?
There was a problem hiding this comment.
Because the test did not work with feature gate enabled when it was executed in parallel test.
There was a problem hiding this comment.
Hm that seems to imply there is some global shared state somewhere. I think it would be good to investigate more into that.
There was a problem hiding this comment.
DefaultFeatureGate defined in utilfeature seems a global value, therefore setting value during tests causes changes to a global value in each test.
There was a problem hiding this comment.
thanks for investigting, can you add a comment and open an issue so we can track improving this in the future?
There was a problem hiding this comment.
I added the link of the issue I created as a comment
pkg/controller/controller_test.go
Outdated
| }, | ||
| } | ||
| } | ||
| } else { |
There was a problem hiding this comment.
Can this be collapsed into 2 conditions?
pkg/controller/controller.go
Outdated
| @@ -1081,47 +1118,108 @@ func (p *csiProvisioner) getPVCSource(ctx context.Context, claim *v1.PersistentV | |||
| return volumeContentSource, nil | |||
| } | |||
|
|
|||
| // TODO: This function should eventually be replaced by a common kubernetes library. | |||
There was a problem hiding this comment.
For now this is a pretty important function from a security perspective. Can we move this out into a util file and have extensive unit tests for it?
There was a problem hiding this comment.
Added new file of util.go and util_test.go on the controller package.
|
@msau42 |
ttakahashi21
force-pushed
the
KEP-3294
branch
from
94f465a to
1c69511
Compare
| } | ||
|
|
||
| for k, tc := range testcases { | ||
| tc := tc | ||
| t.Run(k, func(t *testing.T) { | ||
| t.Parallel() | ||
| if !tc.xnsEnabled { | ||
| t.Parallel() |
There was a problem hiding this comment.
thanks for investigting, can you add a comment and open an issue so we can track improving this in the future?
pkg/controller/controller.go
Outdated
| func (p *csiProvisioner) setCloneFinalizer(ctx context.Context, pvc *v1.PersistentVolumeClaim) error { | ||
| claim, err := p.claimLister.PersistentVolumeClaims(pvc.Namespace).Get(pvc.Spec.DataSource.Name) | ||
| func (p *csiProvisioner) setCloneFinalizer(ctx context.Context, pvc *v1.PersistentVolumeClaim, dataSource *v1.ObjectReference) error { | ||
| var claim *v1.PersistentVolumeClaim |
There was a problem hiding this comment.
Can you restore the original code style, where the variables were defined inline?
pkg/controller/util_test.go
Outdated
| volOpts controller.ProvisionOptions | ||
| refGrantList []*gatewayv1beta1.ReferenceGrant | ||
| } | ||
| testcases := map[string]testcase{ |
There was a problem hiding this comment.
Can you add a test case for nil datasource apigroup?
There was a problem hiding this comment.
pkg/controller/util_test.go
Outdated
| testcases := map[string]testcase{ | ||
| "Allowed to access dataSource for xns PVC with refGrant": { | ||
| volOpts: generatePVCForProvisionFromXnsdataSource(toNamespace, fromsrcName, "", pvcapiKind, &fromNamespace, &coreapiGrp, requestedBytes, "", true), | ||
| refGrantList: newRefGrantList("refGrant1", fromNamespace, coreapiGrp, pvcapiKind, toNamespace, coreapiGrp, pvcapiKind, "", false), |
There was a problem hiding this comment.
I know we do this in our other test files, but I think it's a little difficult to read the test case with this style of constructor because I need to remember the ordering of the arguments and which field they correspond to. It's perhaps more lines, but I think it's more readable to directly reference the object in the test case definition.
If you want to reduce the boilerplate, maybe you can still have a constructor, but have it take a ReferenceGrantFrom and a ReferenceGrantTo as arguments?
Similar comment for generatePVC... Keep the constructor to reduce on the common boilerplate, but have it take DataSourceRef type as an input, which is what changes across each test case.
There was a problem hiding this comment.
util_test.go created a base test case. And I modified the base test case and modified it to add the test case.
Along with the above modifications, TestProvisionFromSnapshot and TestProvisionFromPVC have also been modified.
In util.go I added the following just in case:
https://github.com/kubernetes-csi/external-provisioner/pull/805/files#diff-ded124c02add3467ce103641d0cd28436ea69cf37c5906470b3d519009d950b7R16-R20
As it turned out to be necessary in the test case below.
https://github.com/kubernetes-csi/external-provisioner/pull/805/files#diff-640957054096359bf678ef9f2789673a60814fba8286165ad298f5eba881536aR166-R170
This condition is unnecessary in the controller because it is acquired by specifying the namespace, but I added it just in case.
https://github.com/kubernetes-csi/external-provisioner/pull/805/files#diff-243ebed2765f75e6a54f57167212fefb08c3b2a85967ad2acbc0eb78919019c1R1936-R1937
ttakahashi21
force-pushed
the
KEP-3294
branch
from
1c69511 to
f4e3be4
Compare
ttakahashi21
force-pushed
the
KEP-3294
branch
from
f4e3be4 to
bbb2698
Compare
|
/lgtm Thanks for adding all the comprehensive unit tests! For the release note, can you update it to say "Add support for cross-namespace data sources alpha feature" |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: msau42, ttakahashi21 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
Please see CrossNamespaceVolumeDataSource
Which issue(s) this PR fixes:
Part of ##804
Special notes for your reviewer:
Discuss the API definition kubernetes/kubernetes#113186.
The code may change due to API specification changes.
Does this PR introduce a user-facing change?: