Added set and map structural validation for AllowedTopologies

[verult]

What this PR does / why we need it: Adding structural validation to AllowedTopologies field in StorageClass.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #66184

Release note:

AllowedTopologies field inside StorageClass is now validated against set and map semantics. Specifically, there cannot be duplicate TopologySelectorTerms, MatchLabelExpressions keys, and TopologySelectorLabelRequirement Values.

[verult]

/sig storage
/assign @msau42 @lichuqiang

[verult]

/cc ddebroy

[k8s-ci-robot]

@verult: GitHub didn't allow me to request PR reviews from the following users: ddebroy.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc ddebroy

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[verult]

/assign @liggitt

[lichuqiang]

Thank you for help improving this!
A few minor comments, otherwise lgtm

[lichuqiang]

@msau42 , I remembered that I had this check in the initial commit,
but you'd suggest that the things of TopologySelectorTerm should be same to that of NodeSelector as much as possible, so we removed it.

Now since it has already been kind of different from NodeSelector, let's add the check here?
An empty expression won't bring users anything I guess.

[liggitt]

/hold

tightening validation is a potentially breaking change that cannot be done without consideration of existing persisted data in etcd. This PR would invalidate persisted data, which we cannot do compatibly.

see discussion in #64841 (comment)

[msau42]

@liggitt is tightening validation not allowed even for alpha types?

[ddebroy]

logic lgtm

[liggitt]

@liggitt is tightening validation not allowed even for alpha types?

ah, I didn't realize it was a gated alpha field. if it is gated as alpha, that means we have no persisted data for that field in an upgradeable cluster. as long as the schema isn't changing, tightening validation seems acceptable prior to promotion of the field to beta.

[liggitt]

/hold cancel

[liggitt]

think carefully about whether we'd need to extend these with other types of matchers in the future (e.g. a field matcher like this:

kubernetes/staging/src/k8s.io/api/core/v1/types.go

Lines 2400 to 2405 in a279d09

	// A list of node selector requirements by node's labels.
	// +optional
	MatchExpressions []NodeSelectorRequirement `json:"matchExpressions,omitempty" protobuf:"bytes,1,rep,name=matchExpressions"`
	// A list of node selector requirements by node's fields.
	// +optional
	MatchFields []NodeSelectorRequirement `json:"matchFields,omitempty" protobuf:"bytes,2,rep,name=matchFields"`

if so, we'd need to tolerate len(term.MatchLabelExpressions) == 0 in validation now to make such a future addition safe for old skewed apiservers

[verult]

What does the version skew issue look like? If a client makes a call to create a new object against an old apiserver, wouldn't it fail anyway because MatchFields doesn't exist?

[msau42]

I did explicitly call it MatchLabelExpressions to leave room for other types of matchers in the future (although no concrete use cases yet)

[msau42]

@liggitt can you describe more in detail the skew issue?

[liggitt]

@liggitt can you describe more in detail the skew issue?

What is the behavior of a TopologySelectorTerm with no MatchLabelExpressions? I'd expect it to match nothing.

Making MatchLabelExpressions required makes it very hard to make it optional in the future without breaking clients that expect a required field to stay required.

Making it optional allows adding something like MatchFieldExpressions to TopologySelectorTerm in the future without breaking clients that assume that all TopologySelectorTerm objects will contain non-zero-length MatchLabelExpressions.

[liggitt]

reflect.DeepEqual or semantic.DeepEqual? (reflect differentiates between nil and [], semantic does not)

[verult]

Neat, in this case reflect.DeepEqual is OK but semantic.DeepEqual is safer. Will update

[verult]

Removed empty validation on MatchLabelExpressions

[msau42]

Can you also add some positive test cases similar to these negative ones? For example, specifying the same key but across different TopologySelectorTerms

[verult]

addressed comments

[verult]

/retest

[msau42]

/lgtm

[verult]

/retest

[verult]

/retest

Bazel test failure is due to a flake currently being addressed: #67852

[liggitt]

api-wise, this LGTM. the changes to validation are only to fields that are currently behind alpha gates

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, msau42, verult

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/apis/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.