Validate labelSelector in topologySpreadConstraints

[maaoBit]

Signed-off-by: maao maao420691301@gmail.com

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #111791

Special notes for your reviewer:

Does this PR introduce a user-facing change?

LabelSelectors specified in topologySpreadConstraints are now validated to ensure that pod is scheduled as expected. Existing pods with invalid LabelSelectors can be updated, but new pods are required to specify valid LabelSelectors.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

Please note that we're already in Test Freeze for the release-1.25 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.25.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Thu Aug 11 07:32:13 UTC 2022.

[k8s-ci-robot]

@maaoBit: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @maaoBit. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[alaypatel07]

/cc

[liggitt]

We need to consider what happens to existing persisted data that doesn't pass this validation

This means we need to only apply this stricter validation when validating a create request or an update request of an object that already passes the strict validation.

The pattern we use for this is:

1. plumbing the PodValidationOptions struct down to this function
2. add an AllowInvalidTopologySpreadConstraintLabelSelector bool field to that struct
3. populate that field in GetValidationOptionsFromPodSpecAndMeta:

• set it to false when creating a new pod
• set it to true when updating a pod where the old pod has invalid topology spread constraint label selectors
• set it to false otherwise

4. Make this new validation line conditional on that boolean field
5. Add unit tests:

• validate a new pod (should not allow invalid selectors)
• validate an updated pod where the old pod has invalid selectors (should allow the new pod to have an invalid selector)
• validate an updated pod where the old pod has valid selectors (should not allow the new pod to have an invalid selector)

[maaoBit]

thanks for review. PR has been updated. PTAL

[alaypatel07]

wonder if we need another test for invalid matchlables but with AllowInvalidTopologySpreadConstraintLabelSelector set to true to account for an update with invalid pod

[maaoBit]

@alaypatel07 Done

[alculquicondor]

It looks generally good, but there is something else that we need to make sure:

When tightening validation, a Pod that used to work should continue to work. For this PR, this means that if a Pod had an invalid labelSelector, it should have failed to schedule.

Can you verify that this is the case?

[alculquicondor]

rename to metavalidation

[maaoBit]

/test pull-kubernetes-verify

[liggitt]

this lgtm, just a couple comments

/milestone v1.27

[alculquicondor]

/approve
/lgtm
/hold for optional nit

[alculquicondor]

/lgtm
/hold cancel

This needs a release note btw.

[alculquicondor]

/hold
for release note

[liggitt]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alculquicondor, liggitt, maaoBit

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/api/OWNERS [liggitt]
• pkg/apis/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dims]

If you still need this PR then please rebase, if not, please close the PR

[maaoBit]

release note has been added, remove hold label
/hold cancel
@dims this PR has been rebased.

[dims]

i can see it in the merge queue - https://prow.k8s.io/tide

[ameukam]

/milestone v1.27

The milestone_applier plugin was not configured to add 1.27 milestone