distributed provisioning: allowed topologies + immediate binding

[pohly]

What type of PR is this?
/kind bug

What this PR does / why we need it:

When using immediate binding with allowed topologies set in the storage class together with distributed provisioning, node instances must ignore PVCs that do not fit their node.

Which issue(s) this PR fixes:
Fixes #611

Special notes for your reviewer:

Includes some drive-by test enhancements.

Does this PR introduce a user-facing change?:

Fixes an issue when using immediate binding, allowed topologies and distributed provisioning, where PVCs may have been assigned to nodes which did not fit the allowed topologies, leading to permanent `error generating accessibility requirements` failures.

/cc @chrishenzie

[pohly]

/test pull-kubernetes-csi-external-provisioner-distributed-on-kubernetes-master

[k8s-ci-robot]

@pohly: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-kubernetes-csi-external-provisioner-distributed-on-kubernetes-master	cfabf52	link	/test pull-kubernetes-csi-external-provisioner-distributed-on-kubernetes-master

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[pohly]

The whole pull-kubernetes-csi-external-provisioner-distributed-on-kubernetes-master job can be ignored. It still uses the v1.6.0 release of the hostpath driver. I just wasn't sure anymore and thought I give it a try...

[chrishenzie]

/assign @verult

[chrishenzie]

typo: has

[pohly]

Fixed.

[verult]

we should not become the owner

[pohly]

Duh. Of course. Fixed.

[verult]

If strictTopology is false, does GenerateAccessibilityRequirements() return an error if node isn't part of AllowedTopologies?

[pohly]

Yes, it should. The "strict topology" case is just a simpler version of that existing, older check.

[verult]

Sg. I haven't been able to find the old logic but since we have test coverage this should be great. I'll find the logic eventually 😛

[verult]

I actually still couldn't find the logic for this when strictTopology is false. If you happen to know off-hand could you point me to it?

[verult]

The logic must exist somewhere because if it doesn't, GenerateAccessibilityRequirements would return a topology and no error. checkNode() then proceeds and tries to becomeOwner(), in which case either

• it succeeds and selected node is updated, or
• it fails and returns an error, and the caller, ShouldProvision(), proceeds to return true.

In both cases the distributed immediate, allowed topologies not okay test case should've failed (expectedSelectedNode: "" and expectNoProvision: true)

[verult]

Could you quickly explain why this check was added? (just for my understanding, not necessarily as a code comment)

[pohly]

Just for the sake of completeness. All other pointers were also checked for non-nil.

[verult]

Prior to the fix, the test will fail at expectNoProvision, while expectErr, expectState, and skipCreateVolume will pass, right?

[pohly]

It would have passed expectNoProvision, but for the wrong reason (not owner yet). Without the fix, it fails expectSelectedNode because the provisioner would set the current node to itself. The correct behavior is to not provision and not set the node.

[verult]

Gotcha. The behavior of selected node is a little non-obvious to me, and I had trouble making sense of what behavior should be expected from the test case parameters. Given enough time I should be able to figure it out but I couldn't quite grasp it just by scanning the test case.

Just a nit - not sure what could improve it but maybe a comment explaining the scenario could help?

[verult]

Maybe consider adding a comment that selecting a node == becoming owner

[pohly]

Added a comment.

[verult]

/lgtm
/hold
(in case you want to address any nits)

[pohly]

/lgtm
/hold
(in case you want to address any nits)

I do, and did 😁

Please re-approve.

[verult]

/lgtm
/hold cancel

[verult]

/assign @msau42
for approval

[msau42]

This call can error for other reasons besides incompatible allowedTopologies. Will this correctly recover in that case? Do we need a more specific error code to look for?

[pohly]

Which failures? When deployed on a node, fake CSINode and Node listers are used (

external-provisioner/cmd/csi-provisioner/csi-provisioner.go

Lines 304 to 340 in 213cd3d

	// Avoid watching in favor of fake, static objects. This is particularly relevant for
	// Node objects, which can generate significant traffic.
	csiNode := &storagev1.CSINode{
	ObjectMeta: metav1.ObjectMeta{
	Name: nodeDeployment.NodeName,
	},
	Spec: storagev1.CSINodeSpec{
	Drivers: []storagev1.CSINodeDriver{
	{
	Name: provisionerName,
	NodeID: nodeDeployment.NodeInfo.NodeId,
	},
	},
	},
	}
	node := &v1.Node{
	ObjectMeta: metav1.ObjectMeta{
	Name: nodeDeployment.NodeName,
	},
	}
	if nodeDeployment.NodeInfo.AccessibleTopology != nil {
	for key := range nodeDeployment.NodeInfo.AccessibleTopology.Segments {
	csiNode.Spec.Drivers[0].TopologyKeys = append(csiNode.Spec.Drivers[0].TopologyKeys, key)
	}
	node.Labels = nodeDeployment.NodeInfo.AccessibleTopology.Segments
	}
	klog.Infof("using local topology with Node = %+v and CSINode = %+v", node, csiNode)
	// We make those fake objects available to the topology code via informers which
	// never change.
	stoppedFactory := informers.NewSharedInformerFactory(clientset, 1000*time.Hour)
	csiNodes := stoppedFactory.Storage().V1().CSINodes()
	nodes := stoppedFactory.Core().V1().Nodes()
	csiNodes.Informer().GetStore().Add(csiNode)
	nodes.Informer().GetStore().Add(node)
	csiNodeLister = csiNodes.Lister()
	nodeLister = nodes.Lister()

), so all errors related to access to those can be ruled out. Errors related to incorrect or incomplete content of those objects also cannot occur.

I think all that remains is an unsuitable selected node, and therefore we don't need a more detailed error.

After having described it like this, the code could also be replaced with a direct comparison of the selected node. I'm undecided whether that is better: if GenerateAccessibilityRequirements then fails after the node became owner (against all expectations), then the volume is stuck. More code would be needed to handle that, like detecting this particular problem earlier and/or recovering earlier.

Given that immediate binding isn't recommended when using distributed provisioning, I think I prefer to merge this simpler solution even if it doesn't cover some edge cases.

[msau42]

Thanks for explaining. It wasn't obvious to me from a quick review of the code that this is the case. I think from a general readability and maintenance standpoint, it's better to code more defensively in case the function changes in the future and we can no longer make this assumption.

[pohly]

I can add a specific error and check for it here.

[msau42]

A separate error code, or a new condition, or perhaps a more targeted function like you mentioned would all work. Out of all those, I like the separate method approach the most because there's no confusion about what parts of the function are/are not relevant depending on the codepath.

Anyway, I think we can leave this to a future refactoring. For now, this works with the current assumptions.

/approve

[pohly]

#613

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: msau42, pohly

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [msau42]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment