add support for impersonating dynamic client and configuring subresource

[alaypatel07]

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

This PR adds API support to stage CRD for using impersonation to patch status and an option to patch entire object instead of subresource

Which issue(s) this PR fixes:

Fixes #903

Special notes for your reviewer:

The impersonate permission is not granted to the service account by default because this seems like an advance usecase. When user wants to use impersonation, the impersonate permissions can be patched as its done here https://github.com/kwok-ci/kubevirt-demo/blob/main/kustomize/rbac/role.yaml

Does this PR introduce a user-facing change?

Add support for impersonating client and configuring subresource to Stage api

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

In order to use the impersonating client an additional patch to rbac is required.
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: alaypatel07 / name: Alay Patel (7d18f43)

[netlify]

✅ Deploy Preview for k8s-kwok ready!

Name	Link
🔨 Latest commit	7d18f43
🔍 Latest deploy log	https://app.netlify.com/sites/k8s-kwok/deploys/65adf26c7d1b2500080280a0
😎 Deploy Preview	https://deploy-preview-920--k8s-kwok.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[k8s-ci-robot]

Welcome @alaypatel07!

It looks like this is your first PR to kubernetes-sigs/kwok 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kwok has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @alaypatel07. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[alaypatel07]

Tested the code changes with the following stage

$ k get stage vmi-ready -oyaml
apiVersion: kwok.x-k8s.io/v1alpha1
kind: Stage
metadata:
  creationTimestamp: "2024-01-16T08:44:09Z"
  generation: 3
  name: vmi-ready
  resourceVersion: "18495"
  uid: 2b9a141e-0a9f-4fb1-bb43-db581b95dace
spec:
  impersonationConfig:
    username: system:serviceaccount:kubevirt:kubevirt-controller
  isStatusSubresource: false
  next:
    statusTemplate: |
      {{ $now := Now }}
      phase: Running
      conditions:
      - type: Ready
        status: "True"
        lastTransitionTime: {{ $now }}
      phaseTransitionTimestamps:
      - phase: Running
        phaseTransitionTimestamp: {{ $now }}
  resourceRef:
    apiGroup: kubevirt.io/v1
    kind: VirtualMachineInstance
  selector:
    matchExpressions:                                                                                                                                                                                                                                              - key: .metadata.deletionTimestamp
      operator: DoesNotExist                                                                                                                                                                                                                                       - key: .status.phase
      operator: NotIn                                                                                                                                                                                                                                                values:
      - Running                                                                                                                                                                                                                                                    - key: .spec.nodeSelector.type
      operator: In                                                                                                                                                                                                                                                   values:
      - kwok                                                                                                                                                                                                                                                     weight: 0

Got the VMI to transition into running state, kwok logs

{"time":"2024-01-16T08:57:01.245931431Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwok/controllers.(*StageController).patchResource","file":"/home/alayp/go/src/sigs.k8s.io/kwok/pkg/kwok/controllers/stage_controller.go","line":362},"msg":"patchResource","id":"kind-control-plane_68c54e43-50ba-42a6-9ba7-a83aeb01ffff","resource":"default/test-vmi","client":"using impersonating client"}
{"time":"2024-01-16T08:57:01.245944716Z","level":"INFO","source":{"function":"sigs.k8s.io/kwok/pkg/kwok/controllers.(*StageController).patchResource","file":"/home/alayp/go/src/sigs.k8s.io/kwok/pkg/kwok/controllers/stage_controller.go","line":381},"msg":"isStatusSubresource false","id":"kind-control-plane_68c54e43-50ba-42a6-9ba7-a83aeb01ffff","resource":"default/test-vmi","patch":"{\"status\":{\"conditions\":[{\"lastTransitionTime\":\"2024-01-16T08:57:01.245788983Z\",\"status\":\"True\",\"type\":\"Ready\"}],\"phase\":\"Running\",\"phaseTransitionTimestamps\":[{\"phase\":\"Running\",\"phaseTransitionTimestamp\":\"2024-01-16T08:57:01.245788983Z\"}]}}"}

vmi status:

status:
 activePods:
   023580f8-06bd-4c0d-90fc-698663c12fdb: kwok-node-0
 conditions:
 - lastTransitionTime: "2024-01-16T08:57:01.245788983Z"
   status: "True"
   type: Ready
 guestOSInfo: {}
 launcherContainerImageVersion: quay.io/kubevirt/virt-launcher:v1.1.1
 memory:
   guestAtBoot: 50M
   guestCurrent: 50M
   guestRequested: 50M
 phase: Running
 phaseTransitionTimestamps:
 - phase: Running
   phaseTransitionTimestamp: "2024-01-16T08:57:01.245788983Z"
 runtimeUser: 107
 volumeStatus:
 - name: containerdisk
   target: ""

[alaypatel07]

Please note this is just a draft for sharing the POC, will clean up the code if this is acceptable API change. @wzshiming PTAL

[wzshiming]

• ❌ The email address for the commit (51744a9) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please submit a support request ticket.

Please take a look and sign the CLA

[alaypatel07]

Thanks for the review, I will address all the comments soon

[alaypatel07]

can I please get an ok-to-test to trigger the prow tests?

[wzshiming]

Suggested change

	StatusSubresource *string
	StatusSubresource string

A null pointer is assigned to a value during the conversion, so thie don't have to use a pointer here

[alaypatel07]

I have updated this.

Just out of curiosity, whats the point of have *string in api, when we are automatically converting nil string to ""?

My understanding is that a *string in api is recommended to differentiate nil and "" as different states

[wzshiming]

/ok-to-test

[alaypatel07]

Unsure why this failed https://github.com/kubernetes-sigs/kwok/actions/runs/7564581117/job/20598936655?pr=920. @wzshiming is the failure related to the PR?

[wzshiming]

Unsure why this failed https://github.com/kubernetes-sigs/kwok/actions/runs/7564581117/job/20598936655?pr=920. @wzshiming is the failure related to the PR?

Yes, you can ignore the failures in mac, the recent Github Action MacOS Runner is very unstable with docker.

[alaypatel07]

Okay thanks @wzshiming. I addressed all your comments. Can I have another round of reviews? TIA

[wzshiming]

I have a try, and seems that the merge did not work properly, but overwrote the original content.

status:
  activePods:
    08451704-809e-450c-a45c-862995158c57: kwok-node-0
  conditions:
  - lastTransitionTime: "2024-01-18T14:59:32.084011845Z"
    status: "True"
    type: Ready
  guestOSInfo: {}
  launcherContainerImageVersion: quay.io/kubevirt/virt-launcher:v1.1.1
  memory:
    guestAtBoot: 50M
    guestCurrent: 50M
    guestRequested: 50M
  phase: Running
  phaseTransitionTimestamps:
  - phase: Running
    phaseTransitionTimestamp: "2024-01-18T14:59:32.084011845Z"
  runtimeUser: 107
  volumeStatus:
  - name: containerdisk
    target: ""

status:
  activePods:
    4de00779-ba67-438f-8357-213ac7500f22: kwok-node-0
  conditions:
  - lastProbeTime: "2024-01-18T14:56:22Z"
    lastTransitionTime: "2024-01-18T14:56:22Z"
    message: Guest VM is not reported as running
    reason: GuestNotRunning
    status: "False"
    type: Ready
  guestOSInfo: {}
  launcherContainerImageVersion: quay.io/kubevirt/virt-launcher:v1.1.1
  memory:
    guestAtBoot: 50M
    guestCurrent: 50M
    guestRequested: 50M
  migrationTransport: Unix
  nodeName: kwok-node-0
  phase: Scheduled
  phaseTransitionTimestamps:
  - phase: Pending
    phaseTransitionTimestamp: "2024-01-18T14:56:22Z"
  - phase: Scheduling
    phaseTransitionTimestamp: "2024-01-18T14:56:22Z"
  - phase: Scheduled
    phaseTransitionTimestamp: "2024-01-18T14:56:22Z"
  qosClass: Burstable
  runtimeUser: 107
  volumeStatus:
  - name: containerdisk
    target: ""

[alaypatel07]

@wzshiming, yes I had this problem too

I have a try, and seems that the merge did not work properly, but overwrote the original content

Although I modified the stage vmi-ready with following:

apiVersion: kwok.x-k8s.io/v1alpha1
kind: Stage
metadata:
  name: vmi-ready
spec
  resourceRef:
    apiGroup: kubevirt.io/v1
    kind: VirtualMachineInstance
  selector:
    matchExpressions:
    - key: '.metadata.deletionTimestamp'
      operator: 'DoesNotExist'
    - key: '.status.phase'
      operator: 'In'
      values:
      - 'Scheduled'
    - key: '.spec.nodeSelector.type'
      operator: 'In'
      values:
      - 'kwok'
  next:
    statusTemplate: |
      {{ $now := Now }}
      phase: Running
      conditions:
      - type: Ready
        status: "True"
        lastTransitionTime: {{ $now }}
        {{ with .status.phaseTransitionTimestamps }}
      phaseTransitionTimestamps:
        {{ range . }}
      - phase: {{ .phase }}
        phaseTransitionTimestamp: {{ .phaseTransitionTimestamp }}
        {{ end }}
        {{ end }}
      - phase: Running
        phaseTransitionTimestamp: {{ $now }}
    statusPatchAs:
      username: 'system:serviceaccount:kubevirt:kubevirt-controller'
    statusSubresource: ''

With this change to vmi-ready, the merge worked properly for me
Before:

status:
  activePods:
    ddf44ad9-5437-4dc3-bf9f-86884364079d: kwok-node-0
  conditions:
    - lastProbeTime: "2024-01-18T15:34:08Z"
      lastTransitionTime: "2024-01-18T15:34:08Z"
      message: Guest VM is not reported as running
      reason: GuestNotRunning
      status: "False"
      type: Ready
  guestOSInfo: {}
  launcherContainerImageVersion: quay.io/kubevirt/virt-launcher:v1.1.1
  memory:
    guestAtBoot: 50M
    guestCurrent: 50M
    guestRequested: 50M
  migrationTransport: Unix
  nodeName: kwok-node-0
  phase: Scheduled
  phaseTransitionTimestamps:
    - phase: Pending
      phaseTransitionTimestamp: "2024-01-18T15:34:08Z"
    - phase: Scheduling
      phaseTransitionTimestamp: "2024-01-18T15:34:08Z"
    - phase: Scheduled
      phaseTransitionTimestamp: "2024-01-18T15:34:08Z"
  qosClass: Burstable
  runtimeUser: 107
  volumeStatus:
    - name: containerdisk
      target: ""

After:

activePods:
 ddf44ad9-5437-4dc3-bf9f-86884364079d: kwok-node-0
conditions:
 - lastTransitionTime: "2024-01-18T15:34:08.608218243Z"
   status: "True"
   type: Ready
guestOSInfo: {}
launcherContainerImageVersion: quay.io/kubevirt/virt-launcher:v1.1.1
memory:
 guestAtBoot: 50M
 guestCurrent: 50M
 guestRequested: 50M
migrationTransport: Unix
nodeName: kwok-node-0
phase: Running
phaseTransitionTimestamps:
 - phase: Pending
   phaseTransitionTimestamp: "2024-01-18T15:34:08Z"
 - phase: Scheduling
   phaseTransitionTimestamp: "2024-01-18T15:34:08Z"
 - phase: Scheduled
   phaseTransitionTimestamp: "2024-01-18T15:34:08Z"
 - phase: Running
   phaseTransitionTimestamp: "2024-01-18T15:34:08.608218243Z"
qosClass: Burstable
runtimeUser: 107
volumeStatus:
 - name: containerdisk
   target: ""

[alaypatel07]

@wzshiming thanks for another round of reviews, I pushed a change addressing all the comments

[wzshiming]

/approve
/lgtm

Thank you for your contribution!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alaypatel07, wzshiming

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wzshiming]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[caozhuozi]

Once this is merged, I will rebase the #911

[alaypatel07]

@wzshiming is there a way to manually re-trigger the failing github actions test Test / test-kwokctl (macos-latest, kind)?

[alaypatel07]

/retest