Two PVC-s bound to the same PV

[IvanKuchin]

Describe the bug

Hello team,

Reconciliation process creates new pod before deleting old one. In case of pod has pvc in volume-section that ordering creates double claim to the same pv.
IMO order of operations should be

1. remove old pod
2. create new one

Steps to reproduce

Easiest way to reproduce is to follow "Automate image updates to Git" guide , with the following addition to podinfo-deployment.yaml.

Step 1) Add PV / PVC and attach volume to pod.

      volumes:
        - name: empty-dir-vol
          persistentVolumeClaim:
            claimName: empty-dir-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: empty-dir-pvc
  namespace: podinfo-image-updater
spec:
  storageClassName: slow
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    type: nfs
  name: podinfoimageupdater-emptydir-pv
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 10Gi
  claimRef:
    name: empty-dir-pvc
    namespace: podinfo-image-updater
  nfs:
    path: /storage_local/podinfo-image-updater/empty-dir
    server: 192.168.170.36
  storageClassName: slow

If it is confusing full manifest is here

2. Change image version to trigger deployment reconciliation

3. Observe the problem.
   PVC will get to Lost state

$ kubectl get pvc -w
NAME            STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS   AGE
empty-dir-pvc   Bound     podinfoimageupdater-emptydir-pv   10Gi       RWO            slow           11s
empty-dir-pvc   Lost      podinfoimageupdater-emptydir-pv   0                         slow           2m26s

ikuchin@microk8s-test:~$ microk8s.kubectl describe pvc 
Name:          empty-dir-pvc
Namespace:     podinfo-image-updater
StorageClass:  slow
Status:        Lost
Volume:        podinfoimageupdater-emptydir-pv
Labels:        kustomize.toolkit.fluxcd.io/name=flux-system
               kustomize.toolkit.fluxcd.io/namespace=flux-system
Annotations:   pv.kubernetes.io/bind-completed: yes
               pv.kubernetes.io/bound-by-controller: yes
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:      0
Access Modes:  
VolumeMode:    Filesystem
Used By:       podinfo-9ccf96ff5-6d8nx    <----------- notice podID
Events:
  Type     Reason         Age   From                         Message
  ----     ------         ----  ----                         -------
  Warning  ClaimMisbound  26s   persistentvolume-controller  Two claims are bound to the same volume, this one is bound incorrectly

PV will get to Available state

$ kubectl get pv -w
podinfoimageupdater-emptydir-pv     10Gi       RWO            Retain           Bound       podinfo-image-updater/empty-dir-pvc   slow                    2m23s
podinfoimageupdater-emptydir-pv     10Gi       RWO            Retain           Available   podinfo-image-updater/empty-dir-pvc   slow                    2m23s

---

Reason for that is order of pod update operations

$ kubectl get pod -w
NAME                       READY   STATUS    RESTARTS       AGE
podinfo-844777597c-hhj8g   1/1     Running   1 (114m ago)   11h <----- this pod owns PVC
podinfo-9ccf96ff5-6d8nx    0/1     Pending   0              0s
podinfo-9ccf96ff5-6d8nx    0/1     Pending   0              0s
podinfo-9ccf96ff5-6d8nx    0/1     Pending   0              14s
podinfo-9ccf96ff5-6d8nx    0/1     ContainerCreating   0              14s
podinfo-9ccf96ff5-6d8nx    0/1     ContainerCreating   0              15s
podinfo-9ccf96ff5-6d8nx    1/1     Running             0              15s   <--------- this pod creates duplicate PVC
podinfo-844777597c-hhj8g   1/1     Terminating         1 (116m ago)   11h
podinfo-844777597c-hhj8g   0/1     Terminating         1 (116m ago)   11h
podinfo-844777597c-hhj8g   0/1     Terminating         1 (116m ago)   11h
podinfo-844777597c-hhj8g   0/1     Terminating         1 (116m ago)   11h

Expected behavior

Successful image update even with PV/PVC attached to the pod

Screenshots and recordings

No response

OS / Distro

20.04.3 LTS (Focal Fossa)

Flux version

flux version 0.27.0

Flux check

$ flux check
► checking prerequisites
✔ Kubernetes 1.22.6-3+7ab10db7034594 >=1.20.6-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.17.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.22.0
✔ image-reflector-controller: deployment ready
► ghcr.io/fluxcd/image-reflector-controller:v0.16.0
✔ image-automation-controller: deployment ready
► ghcr.io/fluxcd/image-automation-controller:v0.20.0
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.21.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.21.2
✔ all checks passed

Git provider

No response

Container Registry provider

No response

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[stefanprodan]

Reconciliation process creates new pod before deleting old one. In case of pod has pvc in volume-section that ordering creates double claim to the same pv.

It's not Flux that managed pods, but Kubernetes deployment and replicaset controllers. PVC should be used with Statefulsets, Kubernetes knows how to handle the rolling upgrade accordingly. If you want to use PVC with Kubernetes Deployments, then set the strategy to replace, this will delete the old pod before creating the new one.

[IvanKuchin]

Thank you Stefan. Sorry that I didn't do enough exploration before opening the issue.

[IvanKuchin]

Hello Stefan,

Sorry for bugging you again and re-opening issue.
I did lots of testing and you are right that order of operation can be influenced by Deployment.spec.strategy.type==RollingUpdate or Recreate. But it doesn't change success or failure of deployment.
I'll try to keep this post short with description only. Please let me know if you want to look at actual outputs.

In spite of deployment strategy normal-k8s image upgrade works perfectly fine.
rollout strategy + kubectl set image deployment/podinfo podinfod=ghcr.io/stefanprodan/podinfo:5.1.4 - no problem
recreate strategy + kubectl set image deployment/podinfo podinfod=ghcr.io/stefanprodan/podinfo:5.1.0 - no problem
rollout strategy + kustomize build . | kubectl apply/delete -f - - no problem
recreate strategy + kustomize build . | kubectl apply/delete -f - - no problem

rollout strategy + flux reconcile kustomization flux-system - makes PVC lost w/ warning ClaimMisbound
recreate strategy + flux reconcile kustomization flux-system - makes PVC lost w/o warnings

I think that flux is doing smth unusual from standard kubectl set image or kustomize | kubectl

Could you comment ?

---

• Annotating pvc with kustomize.toolkit.fluxcd.io/reconcile: disabled and reconciliation after has put pvc in a Lost state.
• Changing PVC/PV access mode to RWX/RWO put pvc in a Lost state

Sorry for bothering you again.

[damyan]

Same here: using a PVC with a deployment (the combination is unfortunately not under our control) leads to a ClaimMisbound and phase: Lost.

[daogilvie-9fin]

+1 from me for reports of this in the wild. Really happy with Flux generally, thanks for making a cool bit of software!

As for this issue specifically: we are also experiencing something similar, immediately after having done a rolling update of our kubernetes cluster.
We have just updated to 1.22.6 on GKE so is it possible there's something in this K8S version that is problematic for flux? We have a flux2 managed kustomization, and this issue appears even though we have tried completely removing the app with a flux delete followed by a re-adding of the kustomize i.e we get this when starting from an empty cluster.
We have always had the relevant deployments use a "Recreate" strategy too, so that has not changed.
Our app itself actually works fine, and is able to access and use the volumes, so we're mostly just confused 😄

❯ flux check
► checking prerequisites
✔ Kubernetes 1.22.6-gke.300 >=1.20.6-0
► checking controllers
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.22.3
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.23.2
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.22.5
✔ all checks passed

[jmriebold]

@kingdonb, RE: your suggestion in #2250, you were absolutely correct: claimRef is not required, and without it Flux has no problem with the PV(C)s. In hindsight this makes perfect sense since the PVC has a selector, which is enough to bind, but since I'd always had the field there and it was referenced in some articles I read, I assumed it was necessary.

Thanks a bunch, this solves our issue completely.

@IvanKuchin, if you remove claimRef from your PV and add spec.selector to your PVC (e.g. spec.selector.matchLabels with a corresponding label on the PV) that ought to fix your problem as well.

[Robbilie]

I am using local path pvs and I want to prevent pvcs from being bound to them from inside namespaces other than what I configured, that's why I was using claim ref. I don't really see an alternative to my problem though 😕

[jmriebold]

@Robbilie, would a selector not work for some reason?

[Robbilie]

I can pin the PVC to a PV (just by setting the volume name, doesn't even need the selector) but I want to enforce only this one PVC being allowed to be bound to the PV. The claim ref is on the PV side so no other PVC is allowed to be bound to it. The volume name/selector on PVC side doesn't prevent this...

This way if I allow someone to create pvcs they can simply bind to the PV and write on the local path volume to which they shouldn't have access

[jmriebold]

Kubernetes itself enforces that though. From the docs:

Once bound, PersistentVolumeClaim binds are exclusive, regardless of how they were bound.

The claimRef field, if unset on PV creation, will be set as soon as a PVC binds the volume (e.g. via a selector). I just tested this a few minutes ago, so unless local path volumes work differently, a volume name or selector on the PVC should be enough.

[Robbilie]

Yeah but what if there are two pvcs, isn't that a race condition and it's possible the "malicious" one binds first?