Allow PVC VACName to go from non-nil to nil #132106
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
the
do-not-merge/work-in-progress
k8s-ci-robot
added
the
release-note
k8s-ci-robot
added
size/S
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-priority
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: AndrewSirenko The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| @@ -2155,11 +2155,6 @@ func ValidatePersistentVolumeUpdate(newPv, oldPv *core.PersistentVolume, opts Pe | |||
| if !utilfeature.DefaultFeatureGate.Enabled(features.VolumeAttributesClass) { | |||
| allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "volumeAttributesClassName"), "update is forbidden when the VolumeAttributesClass feature gate is disabled")) | |||
| } | |||
| if opts.EnableVolumeAttributesClass { | |||
There was a problem hiding this comment.
Presume we want to remove the validation for PV as well so that we avoid situation where PVC can be nil but PV somehow stuck non-nil.
| @@ -2427,7 +2422,7 @@ func ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc *core.PersistentVolumeCl | |||
| newPvcClone.Spec.Resources.Requests["storage"] = oldPvc.Spec.Resources.Requests["storage"] // +k8s:verify-mutation:reason=clone | |||
| } | |||
| // lets make sure volume attributes class name is same. | |||
| if newPvc.Status.Phase == core.ClaimBound && newPvcClone.Spec.VolumeAttributesClassName != nil { | |||
| if newPvc.Status.Phase == core.ClaimBound { | |||
There was a problem hiding this comment.
Was required to prevent this err:
❯ k patch pvc ebs-claim --patch '{"spec": {"volumeAttributesClassName": null}}'
The PersistentVolumeClaim "ebs-claim" is invalid: spec: Forbidden: spec is immutable after creation except resources.requests and volumeAttributesClassName for bound claims
core.PersistentVolumeClaimSpec{
... // 6 identical fields
DataSource: nil,
DataSourceRef: nil,
- VolumeAttributesClassName: &"io3-class",
+ VolumeAttributesClassName: nil,
}
| enableVolumeAttributesClass: true, | ||
| isExpectedFailure: true, | ||
| }, | ||
| "invalid-update-volume-attributes-class-to-nil": { | ||
| oldClaim: validClaimVolumeAttributesClass1, | ||
| newClaim: validClaimNilVolumeAttributesClass, | ||
| enableVolumeAttributesClass: true, | ||
| isExpectedFailure: true, | ||
| isExpectedFailure: false, | ||
| }, | ||
| "invalid-update-volume-attributes-class-to-empty": { |
There was a problem hiding this comment.
This looks like the same test case as line 3035 "invalid-update-volume-attributes-class"?
There was a problem hiding this comment.
Yes there existed duplicate tests with different names.
I presume the intent of "invalid-update-volume-attributes-class" is to catch some invalid update, while the existence of "invalid-update-volume-attributes-class-to-empty" AND "invalid-update-volume-attributes-class-to-nil" was to test these specific cases. But happy to delete one of the duplicate tests.
Either way I realize I need to change the name of this test to valid-update-vac-to-nil now that it is valid. Thanks!
| @@ -3034,15 +3034,15 @@ func TestValidatePersistentVolumeClaimUpdate(t *testing.T) { | |||
| }, | |||
| "invalid-update-volume-attributes-class": { | |||
| oldClaim: validClaimVolumeAttributesClass1, | |||
| newClaim: validClaimNilVolumeAttributesClass, | |||
| newClaim: validClaimEmptyVolumeAttributesClass, | |||
| enableVolumeAttributesClass: true, | |||
| isExpectedFailure: true, | |||
| }, | |||
| "invalid-update-volume-attributes-class-to-nil": { | |||
There was a problem hiding this comment.
Will refactor this helper's name next revision.
There was a problem hiding this comment.
Can we have a test case for string to empty-string and expect error?
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Can you make this a real PR so as tests are running? I am not sure if we run tests on draft PRs. |
@gnufied Jinx! Looks like tests all passed. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
PR kubernetes-csi/external-resizer#487 will allow users using ModifyVolume feature via VolumeAttributesClass to rollback from an infeasible pvc.spec.VacName to no VAC.
However, kube-api-server includes validations to prevent going from non-nil pvc/pv VACName to nil VACName.
This PR loosens those PVC/PV Update validations. External-resizer sidecar will ensure user can only rollback infeasible modifications to nil.
For additional context see slack thread: https://kubernetes.slack.com/archives/C8EJ01Z46/p1748628161127689
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
/cc @gnufied
/cc @sunnylovestiramisu
/cc @msau42
/cc @xing-yang
Tested on an AWS kOps cluster alongside aws-ebs-csi-driver. See K/K VAC Validation changes + Sunny's resizer PR.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: