CSI - API Changes for Pod Inline Volume Support #67452
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
kind/api-change
k8s-ci-robot
added
sig/apps
|
title says WIP - is it still WIP? |
pkg/apis/core/types.go
Outdated
| // Optional: The value to pass to ControllerPublishVolumeRequest. | ||
| // Defaults to false (read/write). | ||
| // +optional | ||
| ReadOnly bool |
There was a problem hiding this comment.
All optional fields should be pointers or nil-able types (maps, slices)
There was a problem hiding this comment.
OK thanks, will change.
pkg/apis/core/types.go
Outdated
| // +optional | ||
| FSType string | ||
|
|
||
| // Attributes of the volume to publish. |
There was a problem hiding this comment.
Can you expand this? What is done with them?
There was a problem hiding this comment.
Will update the comment.
pkg/apis/core/types.go
Outdated
| // Filesystem type to mount. | ||
| // Must be a filesystem type supported by the host operating system. | ||
| // Ex. "ext4", "xfs", "ntfs". | ||
| // +optional |
There was a problem hiding this comment.
"Default is auto-detect. If not formatted the FS will be chosen by the node." ?
There was a problem hiding this comment.
"Default is auto-detect. If not formatted the FS will be chosen by the node."
I see this quoted, Where is this from ?
Also, for CSI, fstype is passed as-is delegating its interpretation to the CSI driver.
There was a problem hiding this comment.
I meant you need to document what the default is when a user doesn't specify, and that the default shouldn't be defined as a particular FS but as "the system will choose for you".
| type CSIVolumeSource struct { | ||
| // Driver is the name of the driver to use for this volume. | ||
| // Required. | ||
| Driver string |
There was a problem hiding this comment.
do we need to add quota (ok as followup) on this?
There was a problem hiding this comment.
Quota is not currently part of CSI but can certainly be a follow up item.
| type CSIVolumeSource struct { | ||
| // Driver is the name of the driver to use for this volume. | ||
| // Required. | ||
| Driver string |
There was a problem hiding this comment.
Quota is not currently part of CSI but can certainly be a follow up item.
pkg/apis/core/types.go
Outdated
| // Optional: The value to pass to ControllerPublishVolumeRequest. | ||
| // Defaults to false (read/write). | ||
| // +optional | ||
| ReadOnly bool |
There was a problem hiding this comment.
OK thanks, will change.
pkg/apis/core/types.go
Outdated
| // Filesystem type to mount. | ||
| // Must be a filesystem type supported by the host operating system. | ||
| // Ex. "ext4", "xfs", "ntfs". | ||
| // +optional |
There was a problem hiding this comment.
"Default is auto-detect. If not formatted the FS will be chosen by the node."
I see this quoted, Where is this from ?
Also, for CSI, fstype is passed as-is delegating its interpretation to the CSI driver.
k8s-ci-robot
added
the
needs-rebase
|
I'm trying to keep track of PRs that need re-review. This one has unresolved comments. |
|
FYI @vladimirvivien #67803 has merged. Feel free to rebase. That PR did not include the generateVolumeHandle API. We can do that in a follow up PR (and slip it to next release, if needed). |
vladimirvivien
changed the title
k8s-ci-robot
removed
do-not-merge/work-in-progress
|
@thockin I addressed the comments and update the code. |
pkg/apis/core/types.go
Outdated
| // This field is optional, and may be empty if no secret is required. If the | ||
| // secret object contains more than one secret, all secrets are passed. | ||
| // +optional | ||
| ControllerPublishSecretRef *SecretReference |
There was a problem hiding this comment.
@liggitt Ok with inline CSI volumes being able to specify namespace and name of a secret?
There was a problem hiding this comment.
I'd expect references inside a namespaced object to only be in that namespace (like all other secret references). Same comment applies for NodeStageSecretRef and NodePublishSecretRef)
There was a problem hiding this comment.
other inline volume sources (like ScaleIOVolumeSource, StorageOSVolumeSource, CephFSVolumeSource, etc) use *LocalObjectReference for this, where the namespace is implicitly the namespace of the pod
| @@ -1570,6 +1573,59 @@ type CSIPersistentVolumeSource struct { | |||
| NodePublishSecretRef *SecretReference | |||
| } | |||
|
|
|||
| // Represents a source location of a volume to mount, managed by an external CSI driver | |||
| type CSIVolumeSource struct { | |||
There was a problem hiding this comment.
@vladimirvivien is the code implementing this API going to be in a separate PR?
There was a problem hiding this comment.
@saad-ali yes, will publish a separate PR link for impl. Apologies for additional work.
There was a problem hiding this comment.
Hey guys. So, I think this is a pattern we need to do less of. Getting an API in with no implementation is always going to be riskier than putting them together. Getting a review on API before implementing is fine, but I think we want to merge them together.
k8s-ci-robot
added
size/XXL
pkg/apis/policy/types.go
Outdated
| @@ -232,6 +232,10 @@ type PodSecurityPolicySpec struct { | |||
| // Empty or nil indicates that only the DefaultProcMountType may be used. | |||
| // +optional | |||
| AllowedProcMountTypes []api.ProcMountType | |||
| // AllowedCSIDrivers is a whitelist of allowed CSI drivers. This slice will be checked | |||
There was a problem hiding this comment.
Should this clarify that it's only limiting inline csi drivers (and not pv.csi drivers)?
There was a problem hiding this comment.
This will be a way to whitelist any CSI driver, not just inline.
There was a problem hiding this comment.
If that's the case, then I think we may need two separate fields, one for inline and one for PV. For example, we want to allow gce PD CSI driver as a PV, but disallow it as inline because a lot of functionality won't work inline.
There was a problem hiding this comment.
whether it will work or not is not the point of PSP. you can specify driver names that don't even exist in a CSI PV today, and it fails at the point of calling the driver, correct?
PSP is about explicitly whitelisting which drivers a user is allowed to reference
There was a problem hiding this comment.
@msau42 to reduce complexity, the meaning of the PSP is simply a list of allowed CSI drivers here. Capabilities such as inline/attached etc is exposed in the CSIInfo object. We can refine its interpretation in upcoming release.
There was a problem hiding this comment.
Is PSP validated at admission time and/or runtime? I thought that today we cannot have PV validation in PSP because of cross-object validation and the PV may not exist yet
There was a problem hiding this comment.
Admission time. PSP only applies to pods, so this would only restrict inline CSI volume sources
k8s-ci-robot
added
the
needs-rebase
| allErrs = append(allErrs, validateCSIVolumeSource(source.CSI, fldPath.Child("csi"))...) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
If feature is disabled, should validation reject the object? Accepting it without validation seems like a bad idea.
There was a problem hiding this comment.
@saad-ali not quite following you.
If feature is enabled, only then the object is validated because when the feature is not enabled, the object (VolumeSource.CSI) is cleared as nil (see https://github.com/kubernetes/kubernetes/blob/19be94c88bec6b3cd5983e3f7a468b1e7b30c8bb/pkg/api/pod/util.go#L342)
There was a problem hiding this comment.
that is correct, but as described in #67452 (comment), also checking in validation ensured that if the PrepareForCreate/PrepareForUpdate check is removed or skipped, validation prevents alpha data from being persisted when the feature is not enabled.
There was a problem hiding this comment.
Just in case the field drop doesn't work, it would be good to return an error in validation if CSI is also set and the feature is off.
|
/test pull-kubernetes-e2e-gke |
|
/test pull-kubernetes-e2e-gce-device-plugin-gpu |
|
/test pull-kubernetes-e2e-gke |
|
/test pull-kubernetes-e2e-gke |
3 similar comments
|
/test pull-kubernetes-e2e-gke |
|
/test pull-kubernetes-e2e-gke |
|
/test pull-kubernetes-e2e-gke |
|
/test pull-kubernetes-e2e-gke |
|
/test pull-kubernetes-integration |
| // Namespace of the pod with in-line volume. It is used to resolve | ||
| // references to Secrets in VolumeSource. | ||
| // Required. | ||
| Namespace string |
There was a problem hiding this comment.
Sorry if I missed the conversation around this. But just to verify, specifying the namespace here is considered safe because VolumeAttachment should only be created by kube-controller-manager right? CC @liggitt
There was a problem hiding this comment.
just to verify, specifying the namespace here is considered safe because VolumeAttachment should only be created by kube-controller-manager right? CC @liggitt
Yes, InlineVolumeSource is only used in VolumeAttachmentSource inside VolumeAttachment, which is a cluster-scoped object. Normal namespace-constrained users don't have write permission to VolumeAttachment objects.
It contains a denormalized copy of the VolumeSource field from a pod, along with the recorded namespace of the pod (since all the resource references inside the v1.VolumeSource implicitly refer to the namespace of the pod, but that information is not available when the volume source is copied up the a cluster-level object).
|
/test pull-kubernetes-integration |
|
/test pull-kubernetes-e2e-gke |
1 similar comment
|
/test pull-kubernetes-e2e-gke |
|
/test pull-kubernetes-e2e-gke |
| @@ -1570,6 +1573,59 @@ type CSIPersistentVolumeSource struct { | |||
| NodePublishSecretRef *SecretReference | |||
| } | |||
|
|
|||
| // Represents a source location of a volume to mount, managed by an external CSI driver | |||
| type CSIVolumeSource struct { | |||
There was a problem hiding this comment.
Hey guys. So, I think this is a pattern we need to do less of. Getting an API in with no implementation is always going to be riskier than putting them together. Getting a review on API before implementing is fine, but I think we want to merge them together.
| @@ -39,6 +40,13 @@ import ( | |||
| utilfeature "k8s.io/apiserver/pkg/util/feature" | |||
| ) | |||
|
|
|||
| const ( | |||
| csiDriverNameRexpFmt = `^[a-zA-Z0-9][-a-zA-Z0-9_.]{0,61}[a-zA-Z-0-9]$` | |||
There was a problem hiding this comment.
This requires at least 2 letters - is that the correct spec? Or is it something like
^[a-zA-Z0-9]([-a-zA-Z0-9_.]{0,61}[a-zA-Z-0-9])?$
| @@ -164,8 +164,37 @@ func validateAttacher(attacher string, fldPath *field.Path) field.ErrorList { | |||
| // validateSource tests if the source is valid for VolumeAttachment. | |||
| func validateVolumeAttachmentSource(source *storage.VolumeAttachmentSource, fldPath *field.Path) field.ErrorList { | |||
| allErrs := field.ErrorList{} | |||
| if source.PersistentVolumeName == nil || len(*source.PersistentVolumeName) == 0 { | |||
There was a problem hiding this comment.
Strictly speaking there's no way to convert a field from required to optional and be rollback-safe. This is kind of a problem. Any creative ideas here?
|
@vladimirvivien: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
|
|
/close |
|
@spiffxp: Closing this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
This PR introduces the changes needed in the API to support inline volume for pods using CSI drivers. Detail can be found in feature kubernetes/enhancements#596
/sig storage