From d188a6481ef45cb08e3a788fc56f8ffc38dbad38 Mon Sep 17 00:00:00 2001
From: Ben Swartzlander <ben@swartzlander.org>
Date: Wed, 3 Mar 2021 15:05:48 -0500
Subject: [PATCH] Split Volume Populators KEP

Create a new KEP to address to long-standing bug in the PVC admission
controller. This KEP is related to the Volume Populators KEP but either
KEP can stand alone.

The primary reasons to have a separate KEP are to allow discussion of the
specific bugfix, and to ensure that any fix clearly communicated in the
release notes.
---
 keps/prod-readiness/sig-storage/2546.yaml     |   3 +
 .../1495-volume-populators/README.md          |   4 +
 .../README.md                                 | 577 ++++++++++++++++++
 .../kep.yaml                                  |  21 +
 4 files changed, 605 insertions(+)
 create mode 100644 keps/prod-readiness/sig-storage/2546.yaml
 create mode 100644 keps/sig-storage/2546-reject-invalid-pvc-datasource/README.md
 create mode 100644 keps/sig-storage/2546-reject-invalid-pvc-datasource/kep.yaml

diff --git a/keps/prod-readiness/sig-storage/2546.yaml b/keps/prod-readiness/sig-storage/2546.yaml
new file mode 100644
index 000000000000..a859749d17c6
--- /dev/null
+++ b/keps/prod-readiness/sig-storage/2546.yaml
@@ -0,0 +1,3 @@
+kep-number: 2546
+beta:
+  approver: "@deads2k"
diff --git a/keps/sig-storage/1495-volume-populators/README.md b/keps/sig-storage/1495-volume-populators/README.md
index dbf5a9691bea..23d797166f9a 100644
--- a/keps/sig-storage/1495-volume-populators/README.md
+++ b/keps/sig-storage/1495-volume-populators/README.md
@@ -62,6 +62,8 @@ Check these off as they are completed for the Release Team to track. These check
 
 ## Summary
 
+[Reject Invalid PVC DataSource KEP]: ../2546-reject-invalid-pvc-datasource/README.md
+
 In Kubernetes 1.12, we added the `DataSource` field to the PVC spec. The field was implemented
 as a `TypedLocalObjectReference` to give flexibility in the future about what objects could be
 data sources for new volumes.
@@ -86,6 +88,8 @@ perform the validation on those data sources and provide feedback to users. We w
 a new CRD to register valid datasource kinds, and individual volume populators will
 create a CR for each kind of data source that it understands.
 
+See [Reject Invalid PVC DataSource KEP] for changes to `DataSource` field handling.
+
 ## Motivation
 
 ### Goals
diff --git a/keps/sig-storage/2546-reject-invalid-pvc-datasource/README.md b/keps/sig-storage/2546-reject-invalid-pvc-datasource/README.md
new file mode 100644
index 000000000000..1511bf12ef92
--- /dev/null
+++ b/keps/sig-storage/2546-reject-invalid-pvc-datasource/README.md
@@ -0,0 +1,577 @@
+# Reject Invalid PVC DataSource
+
+## Table of Contents
+
+<!-- toc -->
+- [Release Signoff Checklist](#release-signoff-checklist)
+- [Summary](#summary)
+- [Motivation](#motivation)
+  - [Goals](#goals)
+  - [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  - [Risks and Mitigations](#risks-and-mitigations)
+- [Design Details](#design-details)
+  - [Test Plan](#test-plan)
+  - [Risks and Mitigations](#risks-and-mitigations-1)
+- [Design Details](#design-details-1)
+  - [Test Plan](#test-plan-1)
+  - [Graduation Criteria](#graduation-criteria)
+  - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
+  - [Version Skew Strategy](#version-skew-strategy)
+- [Production Readiness Review Questionnaire](#production-readiness-review-questionnaire)
+  - [Feature Enablement and Rollback](#feature-enablement-and-rollback)
+  - [Rollout, Upgrade and Rollback Planning](#rollout-upgrade-and-rollback-planning)
+  - [Monitoring Requirements](#monitoring-requirements)
+  - [Dependencies](#dependencies)
+  - [Scalability](#scalability)
+  - [Troubleshooting](#troubleshooting)
+- [Implementation History](#implementation-history)
+- [Drawbacks](#drawbacks)
+- [Alternatives](#alternatives)
+<!-- /toc -->
+
+## Release Signoff Checklist
+
+**ACTION REQUIRED:** In order to merge code into a release, there must be an issue in [kubernetes/enhancements] referencing this KEP and targeting a release milestone **before [Enhancement Freeze](https://github.com/kubernetes/sig-release/tree/master/releases)
+of the targeted release**.
+
+For enhancements that make changes to code or processes/procedures in core Kubernetes i.e., [kubernetes/kubernetes], we require the following Release Signoff checklist to be completed.
+
+Check these off as they are completed for the Release Team to track. These checklist items _must_ be updated for the enhancement to be released.
+
+- [ ] kubernetes/enhancements issue in release milestone, which links to KEP (this should be a link to the KEP location in kubernetes/enhancements, not the initial KEP PR)
+- [ ] KEP approvers have set the KEP status to `implementable`
+- [ ] Design details are appropriately documented
+- [ ] Test plan is in place, giving consideration to SIG Architecture and SIG Testing input
+- [ ] Graduation criteria is in place
+- [ ] "Implementation History" section is up-to-date for milestone
+- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
+- [ ] Supporting documentation e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
+
+**Note:** Any PRs to move a KEP to `implementable` or significant changes once it is marked `implementable` should be approved by each of the KEP approvers. If any of those approvers is no longer appropriate than changes to that list should be approved by the remaining approvers and/or the owning SIG (or SIG-arch for cross cutting KEPs).
+
+**Note:** This checklist is iterative and should be reviewed and updated every time this enhancement is being considered for a milestone.
+
+[kubernetes.io]: https://kubernetes.io/
+[kubernetes/enhancements]: https://github.com/kubernetes/enhancements/issues
+[kubernetes/kubernetes]: https://github.com/kubernetes/kubernetes
+[kubernetes/website]: https://github.com/kubernetes/website
+
+## Summary
+
+[Volume Populators KEP]: ../1495-volume-populators/README.md
+
+While developing the [Volume Populators KEP] it became obvious that the way the admission
+controller handles the `DataSource` field of PVC specs is contrary to everyone's intentions.
+
+The existing behavior, which has been in place since 1.12, is to clear the field if the user
+supplies a value that is not one of the supported values. This results in Kubernetes behaving
+as if the user requested an empty volume, and indeed the user is given an empty volume in
+that case (absent any other errors).
+
+Developers never intended the `DataSource` field to work this way, and it's clearly not good
+practice to ignore user input. Most likely this was an accidental behavior resulting from the
+need to support disabling feature gates for specific kinds of data sources.
+
+Users cannot possibly depend on this behavior, because for every invalid request that we are
+currently incorrectly treating as valid, there is an actual valid request that results in the
+exact same result -- specifically a PVC with an empty data source.
+
+## Motivation
+
+### Goals
+
+- Fix the buggy admission controller behavior
+- Generate a clearly visible release note for users in the unlikely event that anyone is
+  affected.
+
+### Non-Goals
+
+- This change makes sense regardless of the future of the Volume Populators KEP. As such
+  is it not a goal of this KEP to advance the Volume Populators feature, although both
+  KEPs together to make good sense.
+
+## Proposal
+
+We propose to correct this bad behavior by making the admission controller reject invalid
+data sources instead of silently changing them. This would cause the admission controller
+to reject PVCs that specify core object other than PVCs as data sources when the
+AnyVolumeDataSource feature gate is enabled, and to reject PVCs that specify anything
+other than the two supported data sources (PVCs and VolumeSnapshots) when the feature gate
+is disabled.
+
+No existing workflows would be affected by this change, unless they are accidentally
+specifying a data source when they wanted an empty volume. Correcting those workflows would
+be trivial -- users would simply need to remove the data source if they wanted an empty
+volume. Valid data sources would be completely unaffected.
+
+### Risks and Mitigations
+
+The main risk is if a user had some preconfigured workflow that involved creation of
+PVCs with the `DataSource` field set to an invalid value. The workflow would be yielding
+empty volumes today, and if that was acceptable (most likely because the user forgot
+they ever put contents in the `DataSource` field) then it could go on unnoticed. Fixing
+this bug will cause that user's workflow to suddenly break.
+
+The workaround for the user would be trivial, they would just need to clear the
+`DataSource` field in their requests to obtain the old behavior. One can imagine
+situations where changing the workflow is non-trivial, but it's not unheard of for users
+to have to take actions upon Kubernetes upgrades so that we can correct bad decisions
+from our past.
+
+The real question is the liklihood of users making the particular mistake outlined above.
+Given that the only supported contents of that field was other PVCs and VolumeSnapshots,
+and both of those types of data sources are GA today, it seems impossible that users
+who wanted to clone a PVC or a VolumeSnapshot would be doing so incorrectly, because the
+fact that they were receiving an empty volume would make them fix their workflow. It's
+almost impossible to imagine a case where a user put something else in that field and
+expected it to work, except for the handful of developers working on the volume populators
+feature. The only remaining possibility is users who were intentionally trying out
+something they expected not to work, and were surprised that it did work, and for some
+reason continued to use the malformed workflow. This seems surpassinly unlikely.
+
+## Design Details
+
+### Test Plan
+
+* Add test case that creates a PVC with a `DataSource` pointing to a core object and expect
+creation to fail.
+* Add test case that creates a PVC with a `DataSource` pointing to a definitely-invalid 
+object and expect creation to fail. (This test case becomes obsolete after volume populator
+modifies this.)
+
+
+### Risks and Mitigations
+
+<!--
+What are the risks of this proposal, and how do we mitigate? Think broadly.
+For example, consider both security and how this will impact the larger
+Kubernetes ecosystem.
+
+How will security be reviewed, and by whom?
+
+How will UX be reviewed, and by whom?
+
+Consider including folks who also work outside the SIG or subproject.
+-->
+
+## Design Details
+
+<!--
+This section should contain enough information that the specifics of your
+change are understandable. This may include API specs (though not always
+required) or even code snippets. If there's any ambiguity about HOW your
+proposal will be implemented, this is the place to discuss them.
+-->
+
+### Test Plan
+
+<!--
+**Note:** *Not required until targeted at a release.*
+
+Consider the following in developing a test plan for this enhancement:
+- Will there be e2e and integration tests, in addition to unit tests?
+- How will it be tested in isolation vs with other components?
+
+No need to outline all of the test cases, just the general strategy. Anything
+that would count as tricky in the implementation, and anything particularly
+challenging to test, should be called out.
+
+All code is expected to have adequate tests (eventually with coverage
+expectations). Please adhere to the [Kubernetes testing guidelines][testing-guidelines]
+when drafting this test plan.
+
+[testing-guidelines]: https://git.k8s.io/community/contributors/devel/sig-testing/testing.md
+-->
+
+### Graduation Criteria
+
+<!--
+**Note:** *Not required until targeted at a release.*
+
+Define graduation milestones.
+
+These may be defined in terms of API maturity, or as something else. The KEP
+should keep this high-level with a focus on what signals will be looked at to
+determine graduation.
+
+Consider the following in developing the graduation criteria for this enhancement:
+- [Maturity levels (`alpha`, `beta`, `stable`)][maturity-levels]
+- [Deprecation policy][deprecation-policy]
+
+Clearly define what graduation means by either linking to the [API doc
+definition](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning)
+or by redefining what graduation means.
+
+In general we try to use the same stages (alpha, beta, GA), regardless of how the
+functionality is accessed.
+
+[maturity-levels]: https://git.k8s.io/community/contributors/devel/sig-architecture/api_changes.md#alpha-beta-and-stable-versions
+[deprecation-policy]: https://kubernetes.io/docs/reference/using-api/deprecation-policy/
+
+Below are some examples to consider, in addition to the aforementioned [maturity levels][maturity-levels].
+
+#### Alpha -> Beta Graduation
+
+- Gather feedback from developers and surveys
+- Complete features A, B, C
+- Tests are in Testgrid and linked in KEP
+
+#### Beta -> GA Graduation
+
+- N examples of real-world usage
+- N installs
+- More rigorous forms of testing—e.g., downgrade tests and scalability tests
+- Allowing time for feedback
+
+**Note:** Generally we also wait at least two releases between beta and
+GA/stable, because there's no opportunity for user feedback, or even bug reports,
+in back-to-back releases.
+
+#### Removing a Deprecated Flag
+
+- Announce deprecation and support policy of the existing flag
+- Two versions passed since introducing the functionality that deprecates the flag (to address version skew)
+- Address feedback on usage/changed behavior, provided on GitHub issues
+- Deprecate the flag
+
+**For non-optional features moving to GA, the graduation criteria must include 
+[conformance tests].**
+
+[conformance tests]: https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md
+-->
+
+### Upgrade / Downgrade Strategy
+
+<!--
+If applicable, how will the component be upgraded and downgraded? Make sure
+this is in the test plan.
+
+Consider the following in developing an upgrade/downgrade strategy for this
+enhancement:
+- What changes (in invocations, configurations, API use, etc.) is an existing
+  cluster required to make on upgrade, in order to maintain previous behavior?
+- What changes (in invocations, configurations, API use, etc.) is an existing
+  cluster required to make on upgrade, in order to make use of the enhancement?
+-->
+
+### Version Skew Strategy
+
+<!--
+If applicable, how will the component handle version skew with other
+components? What are the guarantees? Make sure this is in the test plan.
+
+Consider the following in developing a version skew strategy for this
+enhancement:
+- Does this enhancement involve coordinating behavior in the control plane and
+  in the kubelet? How does an n-2 kubelet without this feature available behave
+  when this feature is used?
+- Will any other components on the node change? For example, changes to CSI,
+  CRI or CNI may require updating that component before the kubelet.
+-->
+
+## Production Readiness Review Questionnaire
+
+<!--
+
+Production readiness reviews are intended to ensure that features merging into
+Kubernetes are observable, scalable and supportable; can be safely operated in
+production environments, and can be disabled or rolled back in the event they
+cause increased failures in production. See more in the PRR KEP at
+https://git.k8s.io/enhancements/keps/sig-architecture/1194-prod-readiness.
+
+The production readiness review questionnaire must be completed and approved
+for the KEP to move to `implementable` status and be included in the release.
+
+In some cases, the questions below should also have answers in `kep.yaml`. This
+is to enable automation to verify the presence of the review, and to reduce review
+burden and latency.
+
+The KEP must have a approver from the
+[`prod-readiness-approvers`](http://git.k8s.io/enhancements/OWNERS_ALIASES)
+team. Please reach out on the
+[#prod-readiness](https://kubernetes.slack.com/archives/CPNHUMN74) channel if
+you need any help or guidance.
+-->
+
+### Feature Enablement and Rollback
+
+<!--
+This section must be completed when targeting alpha to a release.
+-->
+
+###### How can this feature be enabled / disabled in a live cluster?
+
+<!--
+Pick one of these and delete the rest.
+-->
+
+- [ ] Feature gate (also fill in values in `kep.yaml`)
+  - Feature gate name:
+  - Components depending on the feature gate:
+- [ ] Other
+  - Describe the mechanism:
+  - Will enabling / disabling the feature require downtime of the control
+    plane?
+  - Will enabling / disabling the feature require downtime or reprovisioning
+    of a node? (Do not assume `Dynamic Kubelet Config` feature is enabled).
+
+###### Does enabling the feature change any default behavior?
+
+<!--
+Any change of default behavior may be surprising to users or break existing
+automations, so be extremely careful here.
+-->
+
+###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
+
+<!--
+Describe the consequences on existing workloads (e.g., if this is a runtime
+feature, can it break the existing applications?).
+
+NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`.
+-->
+
+###### What happens if we reenable the feature if it was previously rolled back?
+
+###### Are there any tests for feature enablement/disablement?
+
+<!--
+The e2e framework does not currently support enabling or disabling feature
+gates. However, unit tests in each component dealing with managing data, created
+with and without the feature, are necessary. At the very least, think about
+conversion tests if API types are being modified.
+-->
+
+### Rollout, Upgrade and Rollback Planning
+
+<!--
+This section must be completed when targeting beta to a release.
+-->
+
+###### How can a rollout fail? Can it impact already running workloads?
+
+<!--
+Try to be as paranoid as possible - e.g., what if some components will restart
+mid-rollout?
+-->
+
+###### What specific metrics should inform a rollback?
+
+<!--
+What signals should users be paying attention to when the feature is young
+that might indicate a serious problem?
+-->
+
+###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested?
+
+<!--
+Describe manual testing that was done and the outcomes.
+Longer term, we may want to require automated upgrade/rollback tests, but we
+are missing a bunch of machinery and tooling and can't do that now.
+-->
+
+###### Is the rollout accompanied by any deprecations and/or removals of features, APIs, fields of API types, flags, etc.?
+
+<!--
+Even if applying deprecation policies, they may still surprise some users.
+-->
+
+### Monitoring Requirements
+
+<!--
+This section must be completed when targeting beta to a release.
+-->
+
+###### How can an operator determine if the feature is in use by workloads?
+
+<!--
+Ideally, this should be a metric. Operations against the Kubernetes API (e.g.,
+checking if there are objects with field X set) may be a last resort. Avoid
+logs or events for this purpose.
+-->
+
+###### What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service?
+
+<!--
+Pick one more of these and delete the rest.
+-->
+
+- [ ] Metrics
+  - Metric name:
+  - [Optional] Aggregation method:
+  - Components exposing the metric:
+- [ ] Other (treat as last resort)
+  - Details:
+
+###### What are the reasonable SLOs (Service Level Objectives) for the above SLIs?
+
+<!--
+At a high level, this usually will be in the form of "high percentile of SLI
+per day <= X". It's impossible to provide comprehensive guidance, but at the very
+high level (needs more precise definitions) those may be things like:
+  - per-day percentage of API calls finishing with 5XX errors <= 1%
+  - 99% percentile over day of absolute value from (job creation time minus expected
+    job creation time) for cron job <= 10%
+  - 99,9% of /health requests per day finish with 200 code
+-->
+
+###### Are there any missing metrics that would be useful to have to improve observability of this feature?
+
+<!--
+Describe the metrics themselves and the reasons why they weren't added (e.g., cost,
+implementation difficulties, etc.).
+-->
+
+### Dependencies
+
+<!--
+This section must be completed when targeting beta to a release.
+-->
+
+###### Does this feature depend on any specific services running in the cluster?
+
+<!--
+Think about both cluster-level services (e.g. metrics-server) as well
+as node-level agents (e.g. specific version of CRI). Focus on external or
+optional services that are needed. For example, if this feature depends on
+a cloud provider API, or upon an external software-defined storage or network
+control plane.
+
+For each of these, fill in the following—thinking about running existing user workloads
+and creating new ones, as well as about cluster-level services (e.g. DNS):
+  - [Dependency name]
+    - Usage description:
+      - Impact of its outage on the feature:
+      - Impact of its degraded performance or high-error rates on the feature:
+-->
+
+### Scalability
+
+<!--
+For alpha, this section is encouraged: reviewers should consider these questions
+and attempt to answer them.
+
+For beta, this section is required: reviewers must answer these questions.
+
+For GA, this section is required: approvers should be able to confirm the
+previous answers based on experience in the field.
+-->
+
+###### Will enabling / using this feature result in any new API calls?
+
+<!--
+Describe them, providing:
+  - API call type (e.g. PATCH pods)
+  - estimated throughput
+  - originating component(s) (e.g. Kubelet, Feature-X-controller)
+Focusing mostly on:
+  - components listing and/or watching resources they didn't before
+  - API calls that may be triggered by changes of some Kubernetes resources
+    (e.g. update of object X triggers new updates of object Y)
+  - periodic API calls to reconcile state (e.g. periodic fetching state,
+    heartbeats, leader election, etc.)
+-->
+
+###### Will enabling / using this feature result in introducing new API types?
+
+<!--
+Describe them, providing:
+  - API type
+  - Supported number of objects per cluster
+  - Supported number of objects per namespace (for namespace-scoped objects)
+-->
+
+###### Will enabling / using this feature result in any new calls to the cloud provider?
+
+<!--
+Describe them, providing:
+  - Which API(s):
+  - Estimated increase:
+-->
+
+###### Will enabling / using this feature result in increasing size or count of the existing API objects?
+
+<!--
+Describe them, providing:
+  - API type(s):
+  - Estimated increase in size: (e.g., new annotation of size 32B)
+  - Estimated amount of new objects: (e.g., new Object X for every existing Pod)
+-->
+
+###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?
+
+<!--
+Look at the [existing SLIs/SLOs].
+
+Think about adding additional work or introducing new steps in between
+(e.g. need to do X to start a container), etc. Please describe the details.
+
+[existing SLIs/SLOs]: https://git.k8s.io/community/sig-scalability/slos/slos.md#kubernetes-slisslos
+-->
+
+###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components?
+
+<!--
+Things to keep in mind include: additional in-memory state, additional
+non-trivial computations, excessive access to disks (including increased log
+volume), significant amount of data sent and/or received over network, etc.
+This through this both in small and large cases, again with respect to the
+[supported limits].
+
+[supported limits]: https://git.k8s.io/community//sig-scalability/configs-and-limits/thresholds.md
+-->
+
+### Troubleshooting
+
+<!--
+This section must be completed when targeting beta to a release.
+
+The Troubleshooting section currently serves the `Playbook` role. We may consider
+splitting it into a dedicated `Playbook` document (potentially with some monitoring
+details). For now, we leave it here.
+-->
+
+###### How does this feature react if the API server and/or etcd is unavailable?
+
+###### What are other known failure modes?
+
+<!--
+For each of them, fill in the following information by copying the below template:
+  - [Failure mode brief description]
+    - Detection: How can it be detected via metrics? Stated another way:
+      how can an operator troubleshoot without logging into a master or worker node?
+    - Mitigations: What can be done to stop the bleeding, especially for already
+      running user workloads?
+    - Diagnostics: What are the useful log messages and their required logging
+      levels that could help debug the issue?
+      Not required until feature graduated to beta.
+    - Testing: Are there any tests for failure mode? If not, describe why.
+-->
+
+###### What steps should be taken if SLOs are not being met to determine the problem?
+
+## Implementation History
+
+<!--
+Major milestones in the lifecycle of a KEP should be tracked in this section.
+Major milestones might include:
+- the `Summary` and `Motivation` sections being merged, signaling SIG acceptance
+- the `Proposal` section being merged, signaling agreement on a proposed design
+- the date implementation started
+- the first Kubernetes release where an initial version of the KEP was available
+- the version of Kubernetes where the KEP graduated to general availability
+- when the KEP was retired or superseded
+-->
+
+## Drawbacks
+
+<!--
+Why should this KEP _not_ be implemented?
+-->
+
+
+## Alternatives
+
+The only viable alternative that I can see is to forever enshrine the existing
+behavior and accept that it's gross. 
\ No newline at end of file
diff --git a/keps/sig-storage/2546-reject-invalid-pvc-datasource/kep.yaml b/keps/sig-storage/2546-reject-invalid-pvc-datasource/kep.yaml
new file mode 100644
index 000000000000..6c5db5f49c8f
--- /dev/null
+++ b/keps/sig-storage/2546-reject-invalid-pvc-datasource/kep.yaml
@@ -0,0 +1,21 @@
+title: Reject Invalid PVC DataSource
+kep-number: 2546
+authors:
+  - "@bswartz"
+owning-sig: sig-storage
+participating-sigs:
+  - sig-api-machinery
+status: implementable
+creation-date: 2021-03-02
+last-updated: 2021-03-02
+reviewers:
+  - "@thockin"
+  - "@saad-ali"
+approvers:
+  - "@thockin"
+  - "@saad-ali"
+stage: stable
+latest-milestone: "v1.21"
+milestone:
+  stable: "v1.21"
+disable-supported: false