New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update AnyVolumeDataSource feature gate to beta #108736
Update AnyVolumeDataSource feature gate to beta #108736
Conversation
@bswartz: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/milestone 1.24 |
@mehabhalodiya: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/sig storage |
This needs to be updated to "beta" as well: |
9ab237f
to
a6b893d
Compare
This is updated now |
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
/retest-required |
/label api-review |
/assign @kubernetes/api-reviewers |
tl;dr is that the decorator doesn't run on the old object read from etcd when doing an update, so if your PrepareForUpdate or update validation would be unhappy with the new object being defaulted and the old object not being defaulted, you'll need to default the old object explicitly in those paths |
Is there an easy workaround that I can copy? I'll take another look at how this was fixed for the Service object to see if I missed something. |
it looks like persistentvolumeclaimStrategy#PrepareForUpdate is already calling the same default-on-read normalization as defaultOnReadPvc on the new PVC: kubernetes/pkg/registry/core/persistentvolumeclaim/strategy.go Lines 99 to 114 in e0ca5cf
But it's not touching the old PVC. I don't know if validation is counting on the old PVC having been normalized by the default-on-read path or not, but it is not currently being normalized. |
I understood that that function treated the "oldPvc" as a read-only object and that newPvc was the one to be updated. How could anyone be interested in the contents of the oldPvc object after calling PrepareForUpdate? Maybe I'm not familiar enough the the API server guts, but I don't see any benefit to also fixing the oldPvc in that function (if it isn't already accurate) |
Some update validation disallows specific transitions or enforces immutable fields based on comparing the old and new objects (I don't know if PVC validation does, I didn't check). If the new object had normalization applied and the old object didn't, the user could get an error saying a field was not allowed to be changed in some way that would make no sense to them (since from their perspective they weren't changing the field) |
I see what you're saying. You're not worried about bogus output from the function but the possibility that a bogus input could cause it to misbehave. I'll look for that specifically. |
Okay I re-reviewed the code and this is a case that we considered extensively when we first designed this (with a huge amount of help from @thockin). If you follow the PrepareForUpdate() function logic, there are several function calls but they're all very small. There's exactly one place where the contents of the old PVC is considered, and it's written to look at both the old field and the new field, such that it makes the correct decision whether the old object is upgraded or not.
The huge comment for EnforceDataSourceBackwardsCompatibility() tries to explain exactly what's going on here so that future versions of ourselves can remember why this code is the way it is. I'm confident there are no issues if someone tries to update an un-upgraded object. |
The last commit in https://github.com/liggitt/kubernetes/commits/any-volume-data-source-beta adds an integration test that demonstrates the problems if someone tries to update a non-upgraded PVC object. All three update methods fail the PVC spec immutability check when the feature gate is enabled:
All three update methods work with the AnyVolumeDataSource feature gate disabled.
|
a6b893d
to
856b3ae
Compare
856b3ae
to
cdefa1a
Compare
Default to enabled Fix validation of null-updates/patches when the "old" PVC was persisted by an older version. Add upgrade integration tests written by liggitt.
cdefa1a
to
08948ca
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like the right fix. It's an unfortunate wart, but .
@@ -111,6 +112,10 @@ func (persistentvolumeclaimStrategy) PrepareForUpdate(ctx context.Context, obj, | |||
// in again here. | |||
pvcutil.EnforceDataSourceBackwardsCompatibility(&newPvc.Spec, &oldPvc.Spec) | |||
pvcutil.NormalizeDataSources(&newPvc.Spec) | |||
|
|||
// We also normalize the data source fields of the old PVC, so that objects saved | |||
// from an earlier version will pass validation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could also document that it should be called AFTER EnforceDataSourceBackwardsCompatibility
(I went and read that code, and I am pretty sure that must run first :)
I don't want anyone "fixing" it later.
Thanks! /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bswartz, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/remove-sig api-machinery |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Default AnyVolumeDataSource feature gate to enabled, as the feature is moving to beta.
Which issue(s) this PR fixes:
Fixes #99955
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: