Handle storageClassName specified by StatefulSet's volumeClaimTemplates #1

Open
flavio opened this issue Mar 21, 2024 · 0 comments
flavio commented Mar 21, 2024

Currently this policy inspects the creation/update of PersistentVolumeClaim objects to prevent the usage of certain storage classes.

The StatefulSet Kubernetes resource has a spec.volumeClaimTemplates attribute which holds a list of PersistentVolumeClaim objects.

The policy should be extended to be able to inspect also StatefulSet resources.

Basically, inside of its validate, the policy should look at what kind of object is the subject of the admission request. If that's a PVC, the current code is going to be used; otherwise, if it's a StatefulSet, the new code will handle it.

The configuration of the policy is not going to be changed.

Examples

Given the following configuration:

# the list of storage classes that cannot be used
deniedStorageClasses:
- fast
- nvme

The following StatefulSet request is going to be accepted:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  minReadySeconds: 10 # by default is 0
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: registry.k8s.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "cheap"
      resources:
        requests:
          storage: 1Gi

While the following one is going to be rejected:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  minReadySeconds: 10 # by default is 0
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: registry.k8s.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
        - name: uploads
          mountPath: /usr/share/nginx/uploads
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "cheap"
      resources:
        requests:
          storage: 1Gi
  - metadata:
      name: uploads
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fast"
      resources:
        requests:
          storage: 1Gi

Mutation

Given the following configuration:

# the list of storage classes that cannot be used
deniedStorageClasses:
- fast
- nvme

# optional - the storage class to be used when a denied one is requested
fallbackStorageClass: cheap

The following StatefulSet definition:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  minReadySeconds: 10 # by default is 0
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: registry.k8s.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
        - name: uploads
          mountPath: /usr/share/nginx/uploads
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "cheap"
      resources:
        requests:
          storage: 1Gi
  - metadata:
      name: uploads
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fast"
      resources:
        requests:
          storage: 1Gi

Is going to be accepted, but it will be mutated to create this object:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  minReadySeconds: 10 # by default is 0
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: registry.k8s.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
        - name: uploads
          mountPath: /usr/share/nginx/uploads
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "cheap"
      resources:
        requests:
          storage: 1Gi
  - metadata:
      name: uploads
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "cheap"
      resources:
        requests:
          storage: 1Gi
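One way to implement the kind dispatch, the denied-class check and the fallback mutation described in this issue, written here as an added example in plain Go using only the standard library; it is not the policy's own code, and the `Settings` field names and the `Validate` signature are assumptions based on the configuration shown above:

```go
package main

import "encoding/json"

// Settings mirrors the policy configuration shown in the issue (assumed field names).
type Settings struct {
	DeniedStorageClasses []string `json:"deniedStorageClasses"`
	FallbackStorageClass string   `json:"fallbackStorageClass,omitempty"`
}

// Validate decodes the admission object generically (so a mutation keeps every
// field the policy does not touch) and inspects its PVC spec(s) by kind: the
// object itself for a PersistentVolumeClaim, each spec.volumeClaimTemplates entry
// for a StatefulSet. reason is non-empty when rejected; mutated is nil unless changed.
func Validate(s Settings, raw []byte) (reason string, mutated []byte, err error) {
	var obj map[string]any
	if err = json.Unmarshal(raw, &obj); err != nil {
		return "", nil, err
	}
	var claims []any
	switch obj["kind"] {
	case "PersistentVolumeClaim":
		claims = []any{obj} // a PVC has the same {metadata, spec} shape as a template
	case "StatefulSet":
		spec, _ := obj["spec"].(map[string]any)
		claims, _ = spec["volumeClaimTemplates"].([]any)
	}
	changed := false
	for _, c := range claims {
		claim, _ := c.(map[string]any)
		spec, _ := claim["spec"].(map[string]any)
		class, _ := spec["storageClassName"].(string)
		for _, denied := range s.DeniedStorageClasses {
			if class != denied {
				continue
			}
			if s.FallbackStorageClass == "" {
				return "storage class " + class + " is not allowed", nil, nil
			}
			spec["storageClassName"] = s.FallbackStorageClass // spec aliases obj, so obj is edited
			changed = true
		}
	}
	if !changed {
		return "", nil, nil
	}
	mutated, err = json.Marshal(obj)
	return "", mutated, err
}
```

Kinds the policy is not registered for fall through with no claims and are accepted unchanged. Since the API server rejects changes to a StatefulSet's volumeClaimTemplates after creation, the fallback mutation only ever takes effect on CREATE.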