From 3e205cadcc3af125e3452a9de9170a5dccbc207d Mon Sep 17 00:00:00 2001 From: yue9944882 <291271447@qq.com> Date: Thu, 9 Aug 2018 21:26:13 +0800 Subject: [PATCH 1/3] externalize storage object in use protection prune listers from admission controller --- .../storageobjectinuseprotection/BUILD | 5 --- .../storageobjectinuseprotection/admission.go | 31 +------------------ .../admission_test.go | 4 --- 3 files changed, 1 insertion(+), 39 deletions(-) diff --git a/plugin/pkg/admission/storage/storageobjectinuseprotection/BUILD b/plugin/pkg/admission/storage/storageobjectinuseprotection/BUILD index b09a399353c..1cccceca387 100644 --- a/plugin/pkg/admission/storage/storageobjectinuseprotection/BUILD +++ b/plugin/pkg/admission/storage/storageobjectinuseprotection/BUILD @@ -7,10 +7,7 @@ go_library( visibility = ["//visibility:public"], deps = [ "//pkg/apis/core:go_default_library", - "//pkg/client/informers/informers_generated/internalversion:go_default_library", - "//pkg/client/listers/core/internalversion:go_default_library", "//pkg/features:go_default_library", - "//pkg/kubeapiserver/admission:go_default_library", "//pkg/volume/util:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", @@ -24,8 +21,6 @@ go_test( embed = [":go_default_library"], deps = [ "//pkg/apis/core:go_default_library", - "//pkg/client/informers/informers_generated/internalversion:go_default_library", - "//pkg/controller:go_default_library", "//pkg/volume/util:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", diff --git a/plugin/pkg/admission/storage/storageobjectinuseprotection/admission.go b/plugin/pkg/admission/storage/storageobjectinuseprotection/admission.go index 5d7fca15d3b..2a8e24c6dfa 100644 --- a/plugin/pkg/admission/storage/storageobjectinuseprotection/admission.go 
+++ b/plugin/pkg/admission/storage/storageobjectinuseprotection/admission.go @@ -17,18 +17,14 @@ limitations under the License. package storageobjectinuseprotection import ( - "fmt" "io" "github.com/golang/glog" - admission "k8s.io/apiserver/pkg/admission" + "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/util/feature" api "k8s.io/kubernetes/pkg/apis/core" - informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" - corelisters "k8s.io/kubernetes/pkg/client/listers/core/internalversion" "k8s.io/kubernetes/pkg/features" - kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" volumeutil "k8s.io/kubernetes/pkg/volume/util" ) @@ -48,13 +44,9 @@ func Register(plugins *admission.Plugins) { // storageProtectionPlugin holds state for and implements the admission plugin. type storageProtectionPlugin struct { *admission.Handler - - pvcLister corelisters.PersistentVolumeClaimLister - pvLister corelisters.PersistentVolumeLister } var _ admission.Interface = &storageProtectionPlugin{} -var _ = kubeapiserveradmission.WantsInternalKubeInformerFactory(&storageProtectionPlugin{}) // newPlugin creates a new admission plugin. func newPlugin() *storageProtectionPlugin { 
@@ -63,27 +55,6 @@ func newPlugin() *storageProtectionPlugin { } } -func (c *storageProtectionPlugin) SetInternalKubeInformerFactory(f informers.SharedInformerFactory) { - pvcInformer := f.Core().InternalVersion().PersistentVolumeClaims() - c.pvcLister = pvcInformer.Lister() - pvInformer := f.Core().InternalVersion().PersistentVolumes() - c.pvLister = pvInformer.Lister() - c.SetReadyFunc(func() bool { - return pvcInformer.Informer().HasSynced() && pvInformer.Informer().HasSynced() - }) -} - -// ValidateInitialization ensures lister is set. -func (c *storageProtectionPlugin) ValidateInitialization() error { - if c.pvcLister == nil { - return fmt.Errorf("missing PVC lister") - } - if c.pvLister == nil { - return fmt.Errorf("missing PV lister") - } - return nil -} - var ( pvResource = api.Resource("persistentvolumes") pvcResource = api.Resource("persistentvolumeclaims") diff --git a/plugin/pkg/admission/storage/storageobjectinuseprotection/admission_test.go b/plugin/pkg/admission/storage/storageobjectinuseprotection/admission_test.go index 4a7c9ce7fc7..757a93749e6 100644 --- a/plugin/pkg/admission/storage/storageobjectinuseprotection/admission_test.go +++ b/plugin/pkg/admission/storage/storageobjectinuseprotection/admission_test.go @@ -29,8 +29,6 @@ import ( "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/util/feature" api "k8s.io/kubernetes/pkg/apis/core" - informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" - "k8s.io/kubernetes/pkg/controller" volumeutil "k8s.io/kubernetes/pkg/volume/util" ) @@ -118,8 +116,6 @@ func TestAdmit(t *testing.T) { } ctrl := newPlugin() - informerFactory := informers.NewSharedInformerFactory(nil, controller.NoResyncPeriodFunc()) - ctrl.SetInternalKubeInformerFactory(informerFactory) for _, test := range tests { feature.DefaultFeatureGate.Set(fmt.Sprintf("StorageObjectInUseProtection=%v", test.featureEnabled)) From b497570e50e3ea378f2701ed499f9167c12f5413 Mon Sep 17 00:00:00 2001 
From: yue9944882 <291271447@qq.com> Date: Thu, 9 Aug 2018 21:26:53 +0800 Subject: [PATCH 2/3] util for external pv prune unused pv utils and its test --- pkg/BUILD | 1 + pkg/api/persistentvolume/BUILD | 14 -- pkg/api/persistentvolume/util.go | 113 ----------- pkg/api/v1/persistentvolume/BUILD | 41 ++++ pkg/api/v1/persistentvolume/util.go | 144 ++++++++++++++ .../{ => v1}/persistentvolume/util_test.go | 187 +++++++++--------- 6 files changed, 280 insertions(+), 220 deletions(-) create mode 100644 pkg/api/v1/persistentvolume/BUILD create mode 100644 pkg/api/v1/persistentvolume/util.go rename pkg/api/{ => v1}/persistentvolume/util_test.go (65%) diff --git a/pkg/BUILD b/pkg/BUILD index 1042c2e3310..bbb26c64805 100644 --- a/pkg/BUILD +++ b/pkg/BUILD @@ -24,6 +24,7 @@ filegroup( "//pkg/api/testing:all-srcs", "//pkg/api/v1/endpoints:all-srcs", "//pkg/api/v1/node:all-srcs", + "//pkg/api/v1/persistentvolume:all-srcs", "//pkg/api/v1/pod:all-srcs", "//pkg/api/v1/resource:all-srcs", "//pkg/api/v1/service:all-srcs", diff --git a/pkg/api/persistentvolume/BUILD b/pkg/api/persistentvolume/BUILD index 4a256d0d835..c4743ccc70f 100644 --- a/pkg/api/persistentvolume/BUILD +++ b/pkg/api/persistentvolume/BUILD @@ -3,7 +3,6 @@ package(default_visibility = ["//visibility:public"]) load( "@io_bazel_rules_go//go:def.bzl", "go_library", - "go_test", ) go_library( @@ -29,16 +28,3 @@ filegroup( srcs = [":package-srcs"], tags = ["automanaged"], ) - -go_test( - name = "go_default_test", - srcs = ["util_test.go"], - embed = [":go_default_library"], - deps = [ - "//pkg/apis/core:go_default_library", - "//pkg/features:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", - ], -) diff --git a/pkg/api/persistentvolume/util.go b/pkg/api/persistentvolume/util.go index d5a93667aa9..3b28f207a10 100644 
--- a/pkg/api/persistentvolume/util.go +++ b/pkg/api/persistentvolume/util.go 
@@ -22,119 +22,6 @@ import ( "k8s.io/kubernetes/pkg/features" ) -func getClaimRefNamespace(pv *api.PersistentVolume) string { - if pv.Spec.ClaimRef != nil { - return pv.Spec.ClaimRef.Namespace - } - return "" -} - -// Visitor is called with each object's namespace and name, and returns true if visiting should continue -type Visitor func(namespace, name string, kubeletVisible bool) (shouldContinue bool) - -// VisitPVSecretNames invokes the visitor function with the name of every secret -// referenced by the PV spec. If visitor returns false, visiting is short-circuited. -// Returns true if visiting completed, false if visiting was short-circuited. -func VisitPVSecretNames(pv *api.PersistentVolume, visitor Visitor) bool { - source := &pv.Spec.PersistentVolumeSource - switch { - case source.AzureFile != nil: - if source.AzureFile.SecretNamespace != nil && len(*source.AzureFile.SecretNamespace) > 0 { - if len(source.AzureFile.SecretName) > 0 && !visitor(*source.AzureFile.SecretNamespace, source.AzureFile.SecretName, true /* kubeletVisible */) { - return false - } - } else { - if len(source.AzureFile.SecretName) > 0 && !visitor(getClaimRefNamespace(pv), source.AzureFile.SecretName, true /* kubeletVisible */) { - return false - } - } - return true - case source.CephFS != nil: - if source.CephFS.SecretRef != nil { - // previously persisted PV objects use claimRef namespace - ns := getClaimRefNamespace(pv) - if len(source.CephFS.SecretRef.Namespace) > 0 { - // use the secret namespace if namespace is set - ns = source.CephFS.SecretRef.Namespace - } - if !visitor(ns, source.CephFS.SecretRef.Name, true /* kubeletVisible */) { - return false - } - } - case source.Cinder != nil: - if source.Cinder.SecretRef != nil && !visitor(source.Cinder.SecretRef.Namespace, source.Cinder.SecretRef.Name, true /* kubeletVisible */) { - return false - } - case source.FlexVolume != nil: - if source.FlexVolume.SecretRef != nil { - // previously persisted PV objects use claimRef namespace - ns := 
getClaimRefNamespace(pv) - if len(source.FlexVolume.SecretRef.Namespace) > 0 { - // use the secret namespace if namespace is set - ns = source.FlexVolume.SecretRef.Namespace - } - if !visitor(ns, source.FlexVolume.SecretRef.Name, true /* kubeletVisible */) { - return false - } - } - case source.RBD != nil: - if source.RBD.SecretRef != nil { - // previously persisted PV objects use claimRef namespace - ns := getClaimRefNamespace(pv) - if len(source.RBD.SecretRef.Namespace) > 0 { - // use the secret namespace if namespace is set - ns = source.RBD.SecretRef.Namespace - } - if !visitor(ns, source.RBD.SecretRef.Name, true /* kubeletVisible */) { - return false - } - } - case source.ScaleIO != nil: - if source.ScaleIO.SecretRef != nil { - ns := getClaimRefNamespace(pv) - if source.ScaleIO.SecretRef != nil && len(source.ScaleIO.SecretRef.Namespace) > 0 { - ns = source.ScaleIO.SecretRef.Namespace - } - if !visitor(ns, source.ScaleIO.SecretRef.Name, true /* kubeletVisible */) { - return false - } - } - case source.ISCSI != nil: - if source.ISCSI.SecretRef != nil { - // previously persisted PV objects use claimRef namespace - ns := getClaimRefNamespace(pv) - if len(source.ISCSI.SecretRef.Namespace) > 0 { - // use the secret namespace if namespace is set - ns = source.ISCSI.SecretRef.Namespace - } - if !visitor(ns, source.ISCSI.SecretRef.Name, true /* kubeletVisible */) { - return false - } - } - case source.StorageOS != nil: - if source.StorageOS.SecretRef != nil && !visitor(source.StorageOS.SecretRef.Namespace, source.StorageOS.SecretRef.Name, true /* kubeletVisible */) { - return false - } - case source.CSI != nil: - if source.CSI.ControllerPublishSecretRef != nil { - if !visitor(source.CSI.ControllerPublishSecretRef.Namespace, source.CSI.ControllerPublishSecretRef.Name, false /* kubeletVisible */) { - return false - } - } - if source.CSI.NodePublishSecretRef != nil { - if !visitor(source.CSI.NodePublishSecretRef.Namespace, source.CSI.NodePublishSecretRef.Name, true /* 
kubeletVisible */) { - return false - } - } - if source.CSI.NodeStageSecretRef != nil { - if !visitor(source.CSI.NodeStageSecretRef.Namespace, source.CSI.NodeStageSecretRef.Name, true /* kubeletVisible */) { - return false - } - } - } - return true -} - // DropDisabledAlphaFields removes disabled fields from the pv spec. // This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a pv spec. func DropDisabledAlphaFields(pvSpec *api.PersistentVolumeSpec) { diff --git a/pkg/api/v1/persistentvolume/BUILD b/pkg/api/v1/persistentvolume/BUILD new file mode 100644 index 00000000000..0a5cbd81f52 --- /dev/null +++ b/pkg/api/v1/persistentvolume/BUILD @@ -0,0 +1,41 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") + +go_library( + name = "go_default_library", + srcs = ["util.go"], + importpath = "k8s.io/kubernetes/pkg/api/v1/persistentvolume", + visibility = ["//visibility:public"], + deps = [ + "//pkg/features:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", + ], +) + +go_test( + name = "go_default_test", + srcs = ["util_test.go"], + embed = [":go_default_library"], + deps = [ + "//pkg/apis/core:go_default_library", + "//pkg/features:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", + "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", + ], +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) 
diff --git a/pkg/api/v1/persistentvolume/util.go b/pkg/api/v1/persistentvolume/util.go new file mode 100644 index 00000000000..063c3ff8e74 --- /dev/null +++ b/pkg/api/v1/persistentvolume/util.go 
@@ -0,0 +1,144 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package persistentvolume + +import ( + corev1 "k8s.io/api/core/v1" + utilfeature "k8s.io/apiserver/pkg/util/feature" + "k8s.io/kubernetes/pkg/features" +) + +func getClaimRefNamespace(pv *corev1.PersistentVolume) string { + if pv.Spec.ClaimRef != nil { + return pv.Spec.ClaimRef.Namespace + } + return "" +} + +// Visitor is called with each object's namespace and name, and returns true if visiting should continue +type Visitor func(namespace, name string, kubeletVisible bool) (shouldContinue bool) + +// VisitPVSecretNames invokes the visitor function with the name of every secret +// referenced by the PV spec. If visitor returns false, visiting is short-circuited. +// Returns true if visiting completed, false if visiting was short-circuited. 
+func VisitPVSecretNames(pv *corev1.PersistentVolume, visitor Visitor) bool { + source := &pv.Spec.PersistentVolumeSource + switch { + case source.AzureFile != nil: + if source.AzureFile.SecretNamespace != nil && len(*source.AzureFile.SecretNamespace) > 0 { + if len(source.AzureFile.SecretName) > 0 && !visitor(*source.AzureFile.SecretNamespace, source.AzureFile.SecretName, true /* kubeletVisible */) { + return false + } + } else { + if len(source.AzureFile.SecretName) > 0 && !visitor(getClaimRefNamespace(pv), source.AzureFile.SecretName, true /* kubeletVisible */) { + return false + } + } + return true + case source.CephFS != nil: + if source.CephFS.SecretRef != nil { + // previously persisted PV objects use claimRef namespace + ns := getClaimRefNamespace(pv) + if len(source.CephFS.SecretRef.Namespace) > 0 { + // use the secret namespace if namespace is set + ns = source.CephFS.SecretRef.Namespace + } + if !visitor(ns, source.CephFS.SecretRef.Name, true /* kubeletVisible */) { + return false + } + } + case source.Cinder != nil: + if source.Cinder.SecretRef != nil && !visitor(source.Cinder.SecretRef.Namespace, source.Cinder.SecretRef.Name, true /* kubeletVisible */) { + return false + } + case source.FlexVolume != nil: + if source.FlexVolume.SecretRef != nil { + // previously persisted PV objects use claimRef namespace + ns := getClaimRefNamespace(pv) + if len(source.FlexVolume.SecretRef.Namespace) > 0 { + // use the secret namespace if namespace is set + ns = source.FlexVolume.SecretRef.Namespace + } + if !visitor(ns, source.FlexVolume.SecretRef.Name, true /* kubeletVisible */) { + return false + } + } + case source.RBD != nil: + if source.RBD.SecretRef != nil { + // previously persisted PV objects use claimRef namespace + ns := getClaimRefNamespace(pv) + if len(source.RBD.SecretRef.Namespace) > 0 { + // use the secret namespace if namespace is set + ns = source.RBD.SecretRef.Namespace + } + if !visitor(ns, source.RBD.SecretRef.Name, true /* kubeletVisible */) { + 
return false + } + } + case source.ScaleIO != nil: + if source.ScaleIO.SecretRef != nil { + ns := getClaimRefNamespace(pv) + if source.ScaleIO.SecretRef != nil && len(source.ScaleIO.SecretRef.Namespace) > 0 { + ns = source.ScaleIO.SecretRef.Namespace + } + if !visitor(ns, source.ScaleIO.SecretRef.Name, true /* kubeletVisible */) { + return false + } + } + case source.ISCSI != nil: + if source.ISCSI.SecretRef != nil { + // previously persisted PV objects use claimRef namespace + ns := getClaimRefNamespace(pv) + if len(source.ISCSI.SecretRef.Namespace) > 0 { + // use the secret namespace if namespace is set + ns = source.ISCSI.SecretRef.Namespace + } + if !visitor(ns, source.ISCSI.SecretRef.Name, true /* kubeletVisible */) { + return false + } + } + case source.StorageOS != nil: + if source.StorageOS.SecretRef != nil && !visitor(source.StorageOS.SecretRef.Namespace, source.StorageOS.SecretRef.Name, true /* kubeletVisible */) { + return false + } + case source.CSI != nil: + if source.CSI.ControllerPublishSecretRef != nil { + if !visitor(source.CSI.ControllerPublishSecretRef.Namespace, source.CSI.ControllerPublishSecretRef.Name, false /* kubeletVisible */) { + return false + } + } + if source.CSI.NodePublishSecretRef != nil { + if !visitor(source.CSI.NodePublishSecretRef.Namespace, source.CSI.NodePublishSecretRef.Name, true /* kubeletVisible */) { + return false + } + } + if source.CSI.NodeStageSecretRef != nil { + if !visitor(source.CSI.NodeStageSecretRef.Namespace, source.CSI.NodeStageSecretRef.Name, true /* kubeletVisible */) { + return false + } + } + } + return true +} + +// DropDisabledAlphaFields removes disabled fields from the pv spec. +// This should be called from PrepareForCreate/PrepareForUpdate for all resources containing a pv spec. +func DropDisabledAlphaFields(pvSpec *corev1.PersistentVolumeSpec) { + if !utilfeature.DefaultFeatureGate.Enabled(features.BlockVolume) { + pvSpec.VolumeMode = nil + } +} 
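Review bot: The new package ends the hunk with a second copy of `DropDisabledAlphaFields`, while the internal-version copy in pkg/api/persistentvolume/util.go is kept by this same series, so the `BlockVolume` gate is now enforced by two functions that can drift apart; the v1 callers introduced later in the series appear to need only `VisitPVSecretNames`, so I would drop the v1 `DropDisabledAlphaFields` or at least comment which copy is canonical. In the `ScaleIO` case the inner condition re-tests `source.ScaleIO.SecretRef != nil` inside a block already guarded by it; `if len(source.ScaleIO.SecretRef.Namespace) > 0 {` matches the sibling cases. Because the node authorizer derives which Secrets a kubelet may read from this visitor, the doc comment on `VisitPVSecretNames` should say so, e.g. `// Every secret reference reachable from PersistentVolumeSource must be visited here: the node authorizer grants nodes access to exactly this set, so a missing case is an authorization gap, not a harmless omission.` The license header of this newly created file says 2017 although the commit is dated 2018.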
diff --git a/pkg/api/persistentvolume/util_test.go b/pkg/api/v1/persistentvolume/util_test.go similarity index 65% rename from pkg/api/persistentvolume/util_test.go rename to pkg/api/v1/persistentvolume/util_test.go index ffa361cc93d..56473d37bcd 100644 --- a/pkg/api/persistentvolume/util_test.go +++ b/pkg/api/v1/persistentvolume/util_test.go @@ -22,6 +22,7 @@ import ( "strings" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" utilfeature "k8s.io/apiserver/pkg/util/feature" 
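Review bot: The hunk adds the `corev1` import but leaves the internal `api` import in place (the new BUILD file still lists `//pkg/apis/core` among the test deps); if its remaining use is the reflection walk that `TestPVSecrets` performs over `api.PersistentVolume` to prove every secret reference is visited, that check no longer guards the type this package actually visits, and a secret reference added only to `corev1.PersistentVolumeSource` would go unnoticed while the node authorizer relies on this visitor for node-to-secret access. I would switch that walk to `reflect.TypeOf(&corev1.PersistentVolume{})` and drop the `api` import and BUILD dep if nothing else uses them. The import block this hunk edits is cut at both ends, so the line in question is outside the hunk and this is inferred from the retained dependency.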
@@ -33,115 +34,115 @@ func TestPVSecrets(t *testing.T) { // Stub containing all possible secret references in a PV. // The names of the referenced secrets match struct paths detected by reflection. secretNamespace := "Spec.PersistentVolumeSource.AzureFile.SecretNamespace" - pvs := []*api.PersistentVolume{ - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - AzureFile: &api.AzureFilePersistentVolumeSource{ + pvs := []*corev1.PersistentVolume{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + AzureFile: &corev1.AzureFilePersistentVolumeSource{ SecretName: "Spec.PersistentVolumeSource.AzureFile.SecretName"}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - AzureFile: &api.AzureFilePersistentVolumeSource{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + AzureFile: &corev1.AzureFilePersistentVolumeSource{ SecretName: "Spec.PersistentVolumeSource.AzureFile.SecretName", SecretNamespace: &secretNamespace}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - CephFS: &api.CephFSPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + CephFS: &corev1.CephFSPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.CephFS.SecretRef", 
Namespace: "cephfs"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - CephFS: &api.CephFSPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + CephFS: &corev1.CephFSPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.CephFS.SecretRef"}}}}}, - {Spec: api.PersistentVolumeSpec{ - PersistentVolumeSource: api.PersistentVolumeSource{ - Cinder: &api.CinderPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + PersistentVolumeSource: corev1.PersistentVolumeSource{ + Cinder: &corev1.CinderPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.Cinder.SecretRef", Namespace: "cinder"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - FlexVolume: &api.FlexPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + FlexVolume: &corev1.FlexPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.FlexVolume.SecretRef", Namespace: "flexns"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - FlexVolume: &api.FlexPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: 
"claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + FlexVolume: &corev1.FlexPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.FlexVolume.SecretRef"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - RBD: &api.RBDPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + RBD: &corev1.RBDPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.RBD.SecretRef"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - RBD: &api.RBDPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + RBD: &corev1.RBDPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.RBD.SecretRef", Namespace: "rbdns"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - ScaleIO: &api.ScaleIOPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + ScaleIO: &corev1.ScaleIOPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.ScaleIO.SecretRef"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: 
&api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - ScaleIO: &api.ScaleIOPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + ScaleIO: &corev1.ScaleIOPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.ScaleIO.SecretRef", Namespace: "scaleions"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - ISCSI: &api.ISCSIPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + ISCSI: &corev1.ISCSIPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.ISCSI.SecretRef", Namespace: "iscsi"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - ISCSI: &api.ISCSIPersistentVolumeSource{ - SecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + ISCSI: &corev1.ISCSIPersistentVolumeSource{ + SecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.ISCSI.SecretRef"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - StorageOS: &api.StorageOSPersistentVolumeSource{ - SecretRef: &api.ObjectReference{ + {Spec: 
corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + StorageOS: &corev1.StorageOSPersistentVolumeSource{ + SecretRef: &corev1.ObjectReference{ Name: "Spec.PersistentVolumeSource.StorageOS.SecretRef", Namespace: "storageosns"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - CSI: &api.CSIPersistentVolumeSource{ - ControllerPublishSecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + CSI: &corev1.CSIPersistentVolumeSource{ + ControllerPublishSecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.CSI.ControllerPublishSecretRef", Namespace: "csi"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - CSI: &api.CSIPersistentVolumeSource{ - NodePublishSecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + CSI: &corev1.CSIPersistentVolumeSource{ + NodePublishSecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.CSI.NodePublishSecretRef", Namespace: "csi"}}}}}, - {Spec: api.PersistentVolumeSpec{ - ClaimRef: &api.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, - PersistentVolumeSource: api.PersistentVolumeSource{ - CSI: &api.CSIPersistentVolumeSource{ - NodeStageSecretRef: &api.SecretReference{ + {Spec: corev1.PersistentVolumeSpec{ + ClaimRef: &corev1.ObjectReference{Namespace: "claimrefns", Name: "claimrefname"}, + PersistentVolumeSource: 
corev1.PersistentVolumeSource{ + CSI: &corev1.CSIPersistentVolumeSource{ + NodeStageSecretRef: &corev1.SecretReference{ Name: "Spec.PersistentVolumeSource.CSI.NodeStageSecretRef", Namespace: "csi"}}}}}, } @@ -266,23 +267,23 @@ func collectSecretPaths(t *testing.T, path *field.Path, name string, tp reflect. return secretPaths } -func newHostPathType(pathType string) *api.HostPathType { - hostPathType := new(api.HostPathType) - *hostPathType = api.HostPathType(pathType) +func newHostPathType(pathType string) *corev1.HostPathType { + hostPathType := new(corev1.HostPathType) + *hostPathType = corev1.HostPathType(pathType) return hostPathType } func TestDropAlphaPVVolumeMode(t *testing.T) { - vmode := api.PersistentVolumeFilesystem + vmode := corev1.PersistentVolumeFilesystem // PersistentVolume with VolumeMode set - pv := api.PersistentVolume{ - Spec: api.PersistentVolumeSpec{ - AccessModes: []api.PersistentVolumeAccessMode{api.ReadWriteOnce}, - PersistentVolumeSource: api.PersistentVolumeSource{ - HostPath: &api.HostPathVolumeSource{ + pv := corev1.PersistentVolume{ + Spec: corev1.PersistentVolumeSpec{ + AccessModes: []corev1.PersistentVolumeAccessMode{corev1.ReadWriteOnce}, + PersistentVolumeSource: corev1.PersistentVolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ Path: "/foo", - Type: newHostPathType(string(api.HostPathDirectory)), + Type: newHostPathType(string(corev1.HostPathDirectory)), }, }, StorageClassName: "test-storage-class", From e7d0983707e02a583462a360c6a91e4409abad78 Mon Sep 17 00:00:00 2001 From: yue9944882 <291271447@qq.com> Date: Thu, 9 Aug 2018 21:27:23 +0800 Subject: [PATCH 3/3] externalize pv informer in node authorizer --- pkg/kubeapiserver/authorizer/config.go | 2 +- plugin/pkg/auth/authorizer/node/BUILD | 2 +- plugin/pkg/auth/authorizer/node/graph.go | 4 ++-- .../auth/authorizer/node/graph_populator.go | 6 +++--- .../authorizer/node/node_authorizer_test.go | 18 +++++++++--------- 5 files changed, 16 insertions(+), 16 deletions(-) 
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index 71c4dcdc008..1e0b650cb8a 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -76,7 +76,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
 graph,
 config.InformerFactory.Core().InternalVersion().Nodes(),
 config.VersionedInformerFactory.Core().V1().Pods(),
- config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
+ config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
 config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
 )
 nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
diff --git a/plugin/pkg/auth/authorizer/node/BUILD b/plugin/pkg/auth/authorizer/node/BUILD
index 2719325fa43..98d4ecb3079 100644
--- a/plugin/pkg/auth/authorizer/node/BUILD
+++ b/plugin/pkg/auth/authorizer/node/BUILD
@@ -40,7 +40,7 @@ go_library(
 ],
 importpath = "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node",
 deps = [
- "//pkg/api/persistentvolume:go_default_library",
+ "//pkg/api/v1/persistentvolume:go_default_library",
 "//pkg/api/v1/pod:go_default_library",
 "//pkg/apis/core:go_default_library",
 "//pkg/apis/storage:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/node/graph.go b/plugin/pkg/auth/authorizer/node/graph.go
index 240ac6e9ae9..2b96db103ef 100644
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@@ -20,7 +20,7 @@ import (
 "sync"
 
 corev1 "k8s.io/api/core/v1"
- pvutil "k8s.io/kubernetes/pkg/api/persistentvolume"
+ pvutil "k8s.io/kubernetes/pkg/api/v1/persistentvolume"
 podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 api "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/third_party/forked/gonum/graph"
@@ -365,7 +365,7 @@ func (g *Graph) DeletePod(name, namespace string) {
 // secret -> pv
 //
 // pv -> pvc
-func (g *Graph) AddPV(pv *api.PersistentVolume) {
+func (g *Graph) AddPV(pv *corev1.PersistentVolume) {
 g.lock.Lock()
 defer g.lock.Unlock()
diff --git a/plugin/pkg/auth/authorizer/node/graph_populator.go b/plugin/pkg/auth/authorizer/node/graph_populator.go
index dcb7b732cfb..9910ce0d3c1 100644
--- a/plugin/pkg/auth/authorizer/node/graph_populator.go
+++ b/plugin/pkg/auth/authorizer/node/graph_populator.go
@@ -39,7 +39,7 @@ func AddGraphEventHandlers(
 graph *Graph,
 nodes coreinformers.NodeInformer,
 pods corev1informers.PodInformer,
- pvs coreinformers.PersistentVolumeInformer,
+ pvs corev1informers.PersistentVolumeInformer,
 attachments storageinformers.VolumeAttachmentInformer,
 ) {
 g := &graphPopulator{
@@ -175,7 +175,7 @@ func (g *graphPopulator) addPV(obj interface{}) {
 }
 func (g *graphPopulator) updatePV(oldObj, obj interface{}) {
- pv := obj.(*api.PersistentVolume)
+ pv := obj.(*corev1.PersistentVolume)
 // TODO: skip add if uid, pvc, and secrets are all identical between old and new
 g.graph.AddPV(pv)
 }
@@ -184,7 +184,7 @@ func (g *graphPopulator) deletePV(obj interface{}) {
 if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
 obj = tombstone.Obj
 }
- pv, ok := obj.(*api.PersistentVolume)
+ pv, ok := obj.(*corev1.PersistentVolume)
 if !ok {
 glog.Infof("unexpected type %T", obj)
 return
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
index 85a472c1bb2..04b3d6167cc 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
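Review bot: The unchecked assertion `pv := obj.(*corev1.PersistentVolume)` on the new side of updatePV panics inside the informer event handler if the delivered object is not a PersistentVolume, whereas deletePV in the following hunk uses the checked form and logs the unexpected type. Since the line is being rewritten anyway, changing it to `pv, ok := obj.(*corev1.PersistentVolume)` followed by `if !ok { glog.Infof("unexpected type %T", obj); return }` lets a malformed event be logged and skipped rather than crash the populator that feeds the node authorizer's graph, and keeps the two handlers consistent. Whether addPV already guards its assertion cannot be seen from this hunk, which only shows its closing brace.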
@@ -684,7 +684,7 @@ func BenchmarkAuthorization(b *testing.B) {
 }
 }
-func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
+func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
 p := &graphPopulator{}
 p.graph = graph
 for _, node := range nodes {
@@ -705,10 +705,10 @@ func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.Pe
 // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
 // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
 // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
-func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
+func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
 nodes := make([]*api.Node, 0, opts.nodes)
 pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
- pvs := make([]*api.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
+ pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
 attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
 for n := 0; n < opts.nodes; n++ {
@@ -743,10 +743,10 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.Persisten
 }
 for i := 0; i < opts.uniquePVCsPerPod; i++ {
- pv := &api.PersistentVolume{}
+ pv := &corev1.PersistentVolume{}
 pv.Name = fmt.Sprintf("pv%d-%s-%s", i, pod.Name, pod.Namespace)
- pv.Spec.FlexVolume = &api.FlexPersistentVolumeSource{SecretRef: &api.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
- pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace}
+ pv.Spec.FlexVolume = &corev1.FlexPersistentVolumeSource{SecretRef: &corev1.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
+ pv.Spec.ClaimRef = &corev1.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace}
 pvs = append(pvs, pv)
 pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
@@ -754,10 +754,10 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.Persisten
 }})
 }
 for i := 0; i < opts.sharedPVCsPerPod; i++ {
- pv := &api.PersistentVolume{}
+ pv := &corev1.PersistentVolume{}
 pv.Name = fmt.Sprintf("pv%d-shared-%s", i, pod.Namespace)
- pv.Spec.FlexVolume = &api.FlexPersistentVolumeSource{SecretRef: &api.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
- pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace}
+ pv.Spec.FlexVolume = &corev1.FlexPersistentVolumeSource{SecretRef: &corev1.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
+ pv.Spec.ClaimRef = &corev1.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace}
 pvs = append(pvs, pv)
 pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{