CSI Node info registration in kubelet

[verult]

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #67683

Special notes for your reviewer:
Feature issue: kubernetes/enhancements#557
Design doc: kubernetes/community#2034

Missing pieces:

• CSI client retry and exponential backoff logic.
• CSINodeInfo object validation
• e2e test with all the CSI machinery.

An RBAC rule is also added to support external-provisioner topology updates.

Release note:

Registers volume topology information reported by a node-level Container Storage Interface (CSI) driver. This enables Kubernetes support of CSI topology mechanisms.

[verult]

/sig storage
/assign @liggitt @saad-ali @vladimirvivien @sbezverk @msau42

[verult]

Will rename all the receivers to nim.

[verult]

Will check set equality instead in the new version that uses CSINodeInfo.

[verult]

Feel free to hold off on reviewing this PR for now - I'm almost done with wiring up CSINodeInfo and a good amount of logic will become obsolete

[verult]

Added integration with CSINodeInfo. Please only review the last commit - everything before it are rebased from #67803.

Missing functionality is updated in the top post, but adding those won't cause any major structural changes. The PR is ready for review now.

@liggitt @saad-ali @vladimirvivien @sbezverk @msau42 @gnufied

[verult]

@saad-ali and I discussed offline, and we are going to leave the CSI label prefix as is in Kubernetes instead of reversing it, for the time being.

[msau42]

This comment needs to be updated. I don't see any channels being used

[msau42]

If a plugin doesn't support topology will this be nil?

[verult]

Yeah, thanks for the catch!

[msau42]

Can you add a comment here describing exactly all the objects/fields that are being modified/added?

[msau42]

are there plans to use a shared informer? If so, we should clone the node object first before modifying it so it doesn't impact other uses that may be sharing the same pointer.

[verult]

No I wasn't planning to. Driver registration is fairly infrequent so watching the object doesn't seem worth it

[msau42]

This works only if the multiple updateFuncs are not conflicting with each other.

[verult]

I'll make it more explicit in the comments for this function that because updateFuncs are called in order, each updateFunc should consider the effects of previous updateFuncs

[liggitt]

each updateFunc should consider the effects of previous updateFuncs

what does that mean?

[verult]

I added a comment here - does that help or should it be more clear?
https://github.com/kubernetes/kubernetes/blob/9c855fb9e62de46f511d9dc0446425c1b5a76499/pkg/volume/csi/nodeinfomanager/nodeinfomanager.go#L119

[gnufied]

You mean, if two update functions both update same field then last one will win, but caller of this function should try and ensure that - it does not happen in first place?

[verult]

Well said! Will update the comment

[msau42]

Should we be adding all drivers in this call to just update a single driver? Do all the CSI drivers register again when we upgrade the node?

Should we be looking at the annotations at all? IIUC, this is supposed to be the replacement for the annotations

[verult]

Yeah CSI drivers should register again upon node upgrade, and this is here as a safeguard to ensure annotations and CSINodeInfo are consistent while we support both. There is always a chance that kubelet is upgraded while the previous Node object stays, and annotations and CSINodeInfo could be momentarily out of sync.

[msau42]

Is it necessary to keep the annotations and CSIDriverInfo in sync on the first driver's registration, if the other driver will register again later? In an upgrade scenario, then this means we're on the first boot after upgrade and we're processing the first driver registration. We're adding an entry for all the other drivers too even though they have not gone through registration yet. Could that cause other issues?

[jsafrane]

I think this method should get whole list of registered CSI drivers so it creates/updates complete CSINodeInfo with all drivers. The result should be the same in the end, however it feels more robust. I don't line CSINodeInfo with empty topology for some drivers just because we translated it from an annotation.

[msau42]

This method gets called for a single driver registration though, and only on the first one since it's creating the object for the first time.

[verult]

Discussed with @msau42 offline. The current implementation doesn't guarantee the node info is always up-to-date. In particular, with the current kubelet plugin registration design, there is no way to remove a non-existent driver unless it detects that a driver socket is removed (after unregistration is implemented). If a driver is removed while kubelet is down, the node information will remain. So whatever issue comes up when CSINodeInfo is kept in sync with annotation is unavoidable today.

But I'll remove the logic to keep the two sources in sync, because it complicates the implementation without adding too much benefit. One minor advantage of keeping them in sync is to avoid debugging confusion, but I think it'll be OK.

[msau42]

Previously the lock was being held across the entire function instead of just the map update. Could there be any issues if this map has an entry but we haven't finished registering the plugin yet? Should we update the map at the very end?

[verult]

In both the previous and the current version, the lock is only held on write, all within this RegistrationCallback() function. The map has to be updated before the csi.NodeGetInfo() call unfortunately because it relies on the driver info to call out to gRPC.

However, when plugin unregistration is implemented in the future, depending on how it's implemented, there could be a race between calls of RegistrationCallback(). Will update to lock the entire function once.

[verult]

Discussed with @msau42 offline. For now we'll keep the map locked as short as possible. When unregistration is implemented we'll reconsider again.

Will add comments explaining why it's OK to keep locking short.

[verult]

Updated with appropriate alpha gates.

Right now each feature related to CSIDriver object still has its own separate feature gate. Will address that in a separate PR.

Will also address the informer issue #68378 (lacking a flag gate) in a separate PR.

@saad-ali @liggitt PTAL

[verult]

Missing node info manager tests for when the flag gate is disabled. I'm on it.

[saad-ali]

/lgtm
/approve

[liggitt]

Looks like the unit test is failing because this feature flag is enabled by default now. Is this still the right flag that determines if the node needs these permissions, or is it fenced by the CSINodeInfo flag as well now?

If this is correct as is, the fixture for the unit test just needs regenerating (instructions are in the unit test failure message)

[verult]

That's one spot I missed. Thanks for the catch!

[liggitt]

one comment on the gate being checked by the RBAC policy change and the unit test failure, authz and admission changes lgtm otherwise

it's worth noting that the removal of driver info from the node depends on observing the removal of the driver (rather than reconciling to current observed state), and doesn't handle errors in removing driver info by retrying. That doesn't necessarily block this PR, but seems important to resolve before this graduates.

[verult]

To clarify, in this PR driver is only unregistered when there's an error adding the driver. Driver unregistration will be added in the next release. The rest of the CSI system should always assume node info is somewhat out of date, since kubelet can't provide the guarantee that updates are reflected immediately anyway, in the best case.

Does the same logic apply to driver addition as well?

[verult]

Updated RBAC test

[verult]

Keeping a laundry list of considerations for CSI kubelet driver registration moving forward:
#67972

[liggitt]

/approve

RBAC, node authz and admission changes lgtm

[verult]

/retest

[verult]

The GCE e2e failure is likely caused by this PR. Taking a look

[msau42]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, msau42, saad-ali, verult

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• hack/OWNERS [liggitt]
• pkg/controller/volume/attachdetach/OWNERS [saad-ali]
• pkg/features/OWNERS [liggitt,saad-ali]
• pkg/volume/csi/OWNERS [saad-ali]
• plugin/pkg/admission/noderestriction/OWNERS [liggitt]
• plugin/pkg/auth/OWNERS [liggitt]
• staging/src/k8s.io/csi-api/OWNERS [saad-ali]
• test/OWNERS [liggitt,saad-ali]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@verult: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-local-e2e-containerized	7ab3a2fb33939d37d78475d20eb68f646c7eb115	link	/test pull-kubernetes-local-e2e-containerized

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

[verult]

Per #68519 (comment): installing CRD outside k8s core brings back issue #2:

What should be the AddNodeInfo() behavior if CRD doesn’t exist? Continue with registration? Fail and unregister?

I side with @msau42 that if the CSINodeInfo feature flag is enabled, one would expect topology to work, and continuing with registration by falling back to node annotation means topology breaks. So it should fail and unregister the driver. This is the current behavior so no actions required.