Add webhook to make SourceVolumeMode immutable #680

Merged
merged 3 commits into from
Apr 20, 2022


@RaunakShah RaunakShah commented Mar 31, 2022

What type of PR is this?
/kind feature

What this PR does / why we need it:

This PR adds changes to snapshot-validation-webhook to make the SourceVolumeMode field immutable.

KEP - https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3141-prevent-volume-mode-conversion

Testing

  1. Deploy snapshot-controller with Changes to snapshot controller to add sourceVolumeMode #679

  2. Create VolumeSnapshot object and attempt to alter Spec.SourceVolumeMode from Filesystem to Block. The attempt fails with the below error:

% kubectl edit volumesnapshotcontent                  
error: volumesnapshotcontents.snapshot.storage.k8s.io "snapcontent-bbf7be38-ccb9-46bf-a420-f1a436bf10e4" could not be patched: admission webhook "validation-webhook.snapshot.storage.k8s.io" denied the request: Spec.SourceVolumeMode is immutable but was changed from Filesystem to Block
You can run `kubectl replace -f /var/folders/th/sx982z_x23g8jdhw6vxqtjz40000gn/T/kubectl-edit-2559984217.yaml` to try this update again.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Add webhook to make SourceVolumeMode immutable
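
The check this PR describes, as an added Go example (not code from this PR or from external-snapshotter): an UPDATE is rejected when `spec.sourceVolumeMode` differs between the old and the new object. The function name, the trimmed `content` struct and the choice to treat unset-to-set as a change are assumptions of the example; `enabled` stands in for the webhook's feature flag.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// content mirrors only the part of a VolumeSnapshotContent this check reads.
type content struct {
	Spec struct {
		SourceVolumeMode *string `json:"sourceVolumeMode,omitempty"`
	} `json:"spec"`
}

// show renders an optional mode without dereferencing a nil pointer.
func show(m *string) string {
	if m == nil {
		return "<unset>"
	}
	return *m
}

// checkSourceVolumeMode returns an error when an UPDATE changes
// spec.sourceVolumeMode. enabled stands in for the webhook's
// prevent-volume-mode-conversion flag; when false nothing is enforced.
func checkSourceVolumeMode(oldRaw, newRaw []byte, enabled bool) error {
	if !enabled {
		return nil
	}
	var oldObj, newObj content
	if err := json.Unmarshal(oldRaw, &oldObj); err != nil {
		return fmt.Errorf("decoding old object: %w", err)
	}
	if err := json.Unmarshal(newRaw, &newObj); err != nil {
		return fmt.Errorf("decoding new object: %w", err)
	}
	o, n := oldObj.Spec.SourceVolumeMode, newObj.Spec.SourceVolumeMode
	// Compare values, not pointers; unset<->set counts as a change (assumption).
	if (o == nil) != (n == nil) || (o != nil && *o != *n) {
		return fmt.Errorf("Spec.SourceVolumeMode is immutable but was changed from %s to %s", show(o), show(n))
	}
	return nil
}

func main() {
	// Constructed sample objects, trimmed to the field under test.
	oldObj := []byte(`{"spec":{"sourceVolumeMode":"Filesystem"}}`)
	newObj := []byte(`{"spec":{"sourceVolumeMode":"Block"}}`)
	fmt.Println(checkSourceVolumeMode(oldObj, newObj, true))
	fmt.Println(checkSourceVolumeMode(oldObj, newObj, false))
}
```

With the flag off the same update passes, which is why the default of the flag matters for anyone relying on the field being immutable.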

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 31, 2022
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Mar 31, 2022
@RaunakShah RaunakShah changed the title [WIP] Add webhook to make SourceVolumeMode immutable Add webhook to make SourceVolumeMode immutable Apr 4, 2022
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 4, 2022
@xing-yang
Collaborator

This webhook should have a feature flag as well?

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Apr 19, 2022
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 19, 2022
@RaunakShah
Contributor Author

> This webhook should have a feature flag as well?

Done!

@@ -341,8 +341,6 @@ type VolumeSnapshotContentSpec struct {
// VolumeSnapshotContentSource represents the CSI source of a snapshot.
// Exactly one of its members must be set.
// Members in VolumeSnapshotContentSource are immutable.
// TODO(xiangqian): Add a webhook to ensure that VolumeSnapshotContentSource members
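
Review bot: this hunk edits the doc comment on VolumeSnapshotContentSource in the API types (the header shows it going from 8 lines to 6), which is unrelated to the SourceVolumeMode webhook, so it should either go in its own commit or be explained in the PR description. If the dropped lines are the TODO asking for a webhook on VolumeSnapshotContentSource members, say so and confirm that check already exists; if this is a sync of a generated or copied file, name the source so the next reader does not have to guess.
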
Contributor Author

Not sure why this isn't checked in already. My CI was failing without this change.

Collaborator

That's very strange. It didn't fail CI when the original PR was merged.

@@ -67,6 +68,8 @@ func init() {
CmdWebhook.MarkFlagRequired("tls-private-key-file")
// Add optional flag for kubeconfig
CmdWebhook.Flags().StringVar(&kubeconfigFile, "kubeconfig", "", "kubeconfig file to use for volumesnapshotclasses")
CmdWebhook.Flags().BoolVar(&preventVolumeModeConversion, "prevent-volume-mode-conversion",
false, "Prevents an unauthorised user from modifying the volume mode when creating a PVC from an existing VolumeSnapshot.")
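
Review bot: the usage string on the new prevent-volume-mode-conversion flag describes the end goal (volume mode changes when creating a PVC from a VolumeSnapshot) rather than what this webhook does when the flag is set, which per the PR description is rejecting updates to Spec.SourceVolumeMode; reword it to name that check so operators know what they are turning on. The default is false, so the immutability check is off unless the flag is passed; that deserves a line in the usage text or the README, since a deployment that omits the flag gets no enforcement and no warning.
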
Collaborator

Please submit a followup PR to update README.

@xing-yang
Collaborator

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 20, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RaunakShah, xing-yang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 20, 2022
@xing-yang
Collaborator

Can you backport this to release-6.0?

@k8s-ci-robot k8s-ci-robot merged commit 047ffd0 into kubernetes-csi:master Apr 20, 2022