Always Start pvc-protection-controller#61282
Always Start pvc-protection-controller#61282pospispa wants to merge 1 commit intokubernetes:release-1.9from
Conversation
03c3671 to
d61a1e1
Compare
|
Couple of comments:
|
It allows both adding and removing finalizers. I forgot to feature flag the adding of finalizers.
It works only for Pod/PVC. It doesn't work for PV/PVC. |
|
@jpbetz PTAL - this needs to get in ASAP so we can validate test signal. |
|
/hold |
|
In case the |
d61a1e1 to
4b0ae05
Compare
|
New changes are detected. LGTM label has been removed. |
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: pospispa The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
I updated the PR so that in case the |
|
@saad-ali @jpbetz @calebamiles @rootfs @jdumars this PR is ready for review. IMPORTANT: this PR contains only the Pod/PVC part, i.e. finalizers are automatically removed only from PVCs not PVs. |
4b0ae05 to
f40fe59
Compare
f40fe59 to
8cfc579
Compare
|
when this completes review, #61299 can be reverted as part of this as well |
|
the finalizers on PV objects must be removed as well (e.g. partial backport of #58743) |
There was a problem hiding this comment.
setting global feature gates in unit tests is racy... consider passing a feature gate to the controller and checking the local one rather than mutating global state here (and leaving it mutated after the unit test runs).
See https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authorizer/node/node_authorizer.go#L53 as an example
After K8s 1.9 is upgraded to K8s 1.10 finalizer [kubernetes.io/pvc-protection] is added to PVCs because StorageObjectInUseProtection feature is enabled by default in K8s 1.10. However, when K8s 1.10 is downgraded to K8s 1.9 the finalizers remain in the PVCs and as pvc-protection-controller is not started by default in K8s 1.9 finalizers are not removed automatically from deleted PVCs and that's why deleted PVC are not removed but remain in Terminating phase. That's why pvc-protection-controller is always started because the pvc-protection-controller removes finalizers from PVCs automatically when a PVC is not in active use by a pod. Related issue: kubernetes#60764
8cfc579 to
213c8b4
Compare
|
That's fine, just wanted to make sure it was clear that this PR wasn't the extent of the changes needed in 1.9 |
|
@liggitt I believe I've addressed all your comments. PTAL. Would you LGTM? |
|
/hold |
| } | ||
|
|
||
| func (c *Controller) addFinalizer(pvc *v1.PersistentVolumeClaim) error { | ||
| // Skip adding Finalizer in case the PVC Protection feature is not enabled |
There was a problem hiding this comment.
I think I am missing something but which bits will by default remove the finalizer if feature gate is disabled? I do not see that in the code.
There was a problem hiding this comment.
I think what we need to add is - when feature gate is disabled then we need to return false by default from isBeingUsed function so as controller can run in "remove finalizer" only mode. As it exists - this code will not remove the finalizer from PVCs which are in use by pods, even if feature gate is disabled.
|
@liggitt @pospispa @saad-ali I am not sure that controller change introduced in #61282 and #61316 is enough. We are still left with the problem that - if user upgrades to 1.10 and then downgrades to 1.9 (with aforementioned controller fixes), he can't delete the PVCs until he "touches" the PVCs in some manner because controller will only remove finalizer if it notices add/update event on PVC. We may have to introduce some sort of additional loop that removes finalizers from existing PVC objects, even if they aren't updated. |
No. On startup, every informer gets an Add event for every existing object. |
|
Also, the delete that sets the deletionTimestamp (but leaves the record in place until all finalizers are removed) would trigger an Update watch event |
|
This PR is not for the master branch but does not have the |
|
Replaced by PR #61370 so I'm closing this PR. |
What this PR does / why we need it:
After K8s 1.9 is upgraded to K8s 1.10 finalizer [kubernetes.io/pvc-protection] is added to PVCs
because
StorageObjectInUseProtectionfeature is enabled by default in K8s 1.10.However, when K8s 1.10 is downgraded to K8s 1.9 the finalizers remain in the PVCs and as
pvc-protection-controlleris not started by default in K8s 1.9 finalizers are not removed automatically from deleted PVCs and that's why deleted PVC are not removed but remain in Terminating phase.That's why
pvc-protection-controlleris always started because thepvc-protection-controllerremoves finalizers from PVCs automatically when a PVC is not in active use by a pod.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #60764
Special notes for your reviewer:
This PR fixes problem with finalizers in PVCs only. It does not fix problem with finalizers in PVs.
Release note: