Rearranged feature flags
This commit is contained in:
Cheng Xing
parent
becc6a9c19
commit
94d649b590
@ -148,8 +148,11 @@ func NewAttachDetachController(
|
||||
}
|
||||
|
||||
// Install required CSI CRDs on API server
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.CSICRDAutoInstall) {
|
||||
adc.installCRDs()
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.CSIDriverRegistry) {
|
||||
adc.installCSIDriverCRD()
|
||||
}
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
|
||||
adc.installCSINodeInfoCRD()
|
||||
}
|
||||
|
||||
if err := adc.volumePluginMgr.InitPlugins(plugins, prober, adc); err != nil {
|
||||
@ -667,8 +670,7 @@ func (adc *attachDetachController) processVolumesInUse(
|
||||
}
|
||||
}
|
||||
|
||||
// installCRDs creates the specified CustomResourceDefinition for the CSIDrivers object.
|
||||
func (adc *attachDetachController) installCRDs() error {
|
||||
func (adc *attachDetachController) installCSIDriverCRD() error {
|
||||
crd := &apiextensionsv1beta1.CustomResourceDefinition{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: csiapiv1alpha1.CsiDriverResourcePlural + "." + csiapiv1alpha1.GroupName,
|
||||
@ -697,7 +699,12 @@ func (adc *attachDetachController) installCRDs() error {
|
||||
return err
|
||||
}
|
||||
|
||||
crd = &apiextensionsv1beta1.CustomResourceDefinition{
|
||||
return nil
|
||||
}
|
||||
|
||||
// installCRDs creates the specified CustomResourceDefinition for the CSIDrivers object.
|
||||
func (adc *attachDetachController) installCSINodeInfoCRD() error {
|
||||
crd := &apiextensionsv1beta1.CustomResourceDefinition{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: csiapiv1alpha1.CsiNodeInfoResourcePlural + "." + csiapiv1alpha1.GroupName,
|
||||
},
|
||||
@ -711,7 +718,7 @@ func (adc *attachDetachController) installCRDs() error {
|
||||
},
|
||||
},
|
||||
}
|
||||
res, err = adc.crdClient.ApiextensionsV1beta1().CustomResourceDefinitions().Create(crd)
|
||||
res, err := adc.crdClient.ApiextensionsV1beta1().CustomResourceDefinitions().Create(crd)
|
||||
|
||||
if err == nil {
|
||||
glog.Infof("CSINodeInfo CRD created successfully: %#v",
|
||||
|
||||
@ -207,8 +207,13 @@ const (
|
||||
|
||||
// owner: @saad-ali
|
||||
// alpha: v1.12
|
||||
// Enable automatic installation of CRD for csi.storage.k8s.io API objects.
|
||||
CSICRDAutoInstall utilfeature.Feature = "CSICRDAutoInstall"
|
||||
// Enable all logic related to the CSIDriver API object in csi.storage.k8s.io
|
||||
CSIDriverRegistry utilfeature.Feature = "CSIDriverRegistry"
|
||||
|
||||
// owner: @verult
|
||||
// alpha: v1.12
|
||||
// Enable all logic related to the CSINodeInfo API object in csi.storage.k8s.io
|
||||
CSINodeInfo utilfeature.Feature = "CSINodeInfo"
|
||||
|
||||
// owner @MrHohn
|
||||
// beta: v1.10
|
||||
@ -434,7 +439,8 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
|
||||
MountContainers: {Default: false, PreRelease: utilfeature.Alpha},
|
||||
VolumeScheduling: {Default: true, PreRelease: utilfeature.Beta},
|
||||
CSIPersistentVolume: {Default: true, PreRelease: utilfeature.Beta},
|
||||
CSICRDAutoInstall: {Default: false, PreRelease: utilfeature.Alpha},
|
||||
CSIDriverRegistry: {Default: false, PreRelease: utilfeature.Alpha},
|
||||
CSINodeInfo: {Default: false, PreRelease: utilfeature.Alpha},
|
||||
CustomPodDNS: {Default: true, PreRelease: utilfeature.Beta},
|
||||
BlockVolume: {Default: false, PreRelease: utilfeature.Alpha},
|
||||
StorageObjectInUseProtection: {Default: true, PreRelease: utilfeature.GA},
|
||||
|
||||
@ -142,8 +142,6 @@ func (h *RegistrationHandler) RegisterPlugin(pluginName string, endpoint string)
|
||||
return fmt.Errorf("error during CSI NodeGetInfo() call: %v", err)
|
||||
}
|
||||
|
||||
// Calling nodeLabelManager to update annotations and labels for newly registered CSI driver
|
||||
// err = nodeUpdater.AddLabelsAndLimits(pluginName, driverNodeID, maxVolumePerNode) // TODO (verult) merge
|
||||
err = nim.AddNodeInfo(pluginName, driverNodeID, maxVolumePerNode, accessibleTopology)
|
||||
if err != nil {
|
||||
unregisterDriver(pluginName)
|
||||
|
||||
@ -44,11 +44,13 @@ go_test(
|
||||
embed = [":go_default_library"],
|
||||
deps = [
|
||||
"//pkg/apis/core/helper:go_default_library",
|
||||
"//pkg/features:go_default_library",
|
||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library",
|
||||
"//staging/src/k8s.io/csi-api/pkg/apis/csi/v1alpha1:go_default_library",
|
||||
"//staging/src/k8s.io/csi-api/pkg/client/clientset/versioned/fake:go_default_library",
|
||||
|
||||
@ -91,24 +91,23 @@ func (nim *nodeInfoManager) AddNodeInfo(driverName string, driverNodeID string,
|
||||
return fmt.Errorf("error adding CSI driver node info: driverNodeID must not be empty")
|
||||
}
|
||||
|
||||
err := nim.updateNode(
|
||||
nodeUpdateFuncs := []nodeUpdateFunc{
|
||||
updateNodeIDInNode(driverName, driverNodeID),
|
||||
updateMaxAttachLimit(driverName, maxAttachLimit),
|
||||
updateTopologyLabels(topology),
|
||||
)
|
||||
}
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
|
||||
nodeUpdateFuncs = append(nodeUpdateFuncs, updateTopologyLabels(topology))
|
||||
}
|
||||
err := nim.updateNode(nodeUpdateFuncs...)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error updating Node object with CSI driver node info: %v", err)
|
||||
}
|
||||
|
||||
err = nim.updateCSINodeInfo(driverName, driverNodeID, topology)
|
||||
if err != nil {
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.CSICRDAutoInstall) {
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
|
||||
err = nim.updateCSINodeInfo(driverName, driverNodeID, topology)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error updating CSINodeInfo object with CSI driver node info: %v", err)
|
||||
}
|
||||
|
||||
// CSINodeInfo CRD doesn't exist. Log the error instead of triggering driver unregistration
|
||||
// by returning the error.
|
||||
glog.Errorf("Error updating CSINodeInfo object with CSI driver node info: %v", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -18,16 +18,19 @@ package nodeinfomanager
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"github.com/container-storage-interface/spec/lib/go/csi/v0"
|
||||
"k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
csiv1alpha1 "k8s.io/csi-api/pkg/apis/csi/v1alpha1"
|
||||
csifake "k8s.io/csi-api/pkg/client/clientset/versioned/fake"
|
||||
"k8s.io/kubernetes/pkg/apis/core/helper"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
"testing"
|
||||
)
|
||||
|
||||
@ -318,7 +321,52 @@ func TestAddNodeInfo(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
test(t, true /* addNodeInfo */, testcases)
|
||||
test(t, true /* addNodeInfo */, true /* csiNodeInfoEnabled */, testcases)
|
||||
}
|
||||
|
||||
// TestAddNodeInfo_CSINodeInfoDisabled tests AddNodeInfo with various existing Node annotations
|
||||
// and CSINodeInfo feature gate disabled.
|
||||
func TestAddNodeInfo_CSINodeInfoDisabled(t *testing.T) {
|
||||
testcases := []testcase{
|
||||
{
|
||||
name: "empty node",
|
||||
driverName: "com.example.csi/driver1",
|
||||
existingNode: generateNode(nil /* nodeIDs */, nil /* labels */),
|
||||
inputNodeID: "com.example.csi/csi-node1",
|
||||
expectedNodeIDMap: map[string]string{
|
||||
"com.example.csi/driver1": "com.example.csi/csi-node1",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "pre-existing node info from the same driver",
|
||||
driverName: "com.example.csi/driver1",
|
||||
existingNode: generateNode(
|
||||
nodeIDMap{
|
||||
"com.example.csi/driver1": "com.example.csi/csi-node1",
|
||||
},
|
||||
nil /* labels */),
|
||||
inputNodeID: "com.example.csi/csi-node1",
|
||||
expectedNodeIDMap: map[string]string{
|
||||
"com.example.csi/driver1": "com.example.csi/csi-node1",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "pre-existing node info from different driver",
|
||||
driverName: "com.example.csi/driver1",
|
||||
existingNode: generateNode(
|
||||
nodeIDMap{
|
||||
"net.example.storage/other-driver": "net.example.storage/test-node",
|
||||
},
|
||||
nil /* labels */),
|
||||
inputNodeID: "com.example.csi/csi-node1",
|
||||
expectedNodeIDMap: map[string]string{
|
||||
"com.example.csi/driver1": "com.example.csi/csi-node1",
|
||||
"net.example.storage/other-driver": "net.example.storage/test-node",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
test(t, true /* addNodeInfo */, false /* csiNodeInfoEnabled */, testcases)
|
||||
}
|
||||
|
||||
// TestRemoveNodeInfo tests RemoveNodeInfo with various existing Node and/or CSINodeInfo objects.
|
||||
@ -407,10 +455,51 @@ func TestRemoveNodeInfo(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
test(t, false /* addNodeInfo */, testcases)
|
||||
test(t, false /* addNodeInfo */, true /* csiNodeInfoEnabled */, testcases)
|
||||
}
|
||||
|
||||
// TestRemoveNodeInfo tests RemoveNodeInfo with various existing Node objects and CSINodeInfo
|
||||
// feature disabled.
|
||||
func TestRemoveNodeInfo_CSINodeInfoDisabled(t *testing.T) {
|
||||
testcases := []testcase{
|
||||
{
|
||||
name: "empty node",
|
||||
driverName: "com.example.csi/driver1",
|
||||
existingNode: generateNode(nil /* nodeIDs */, nil /* labels */),
|
||||
expectedNodeIDMap: nil,
|
||||
},
|
||||
{
|
||||
name: "pre-existing node info from the same driver",
|
||||
driverName: "com.example.csi/driver1",
|
||||
existingNode: generateNode(
|
||||
nodeIDMap{
|
||||
"com.example.csi/driver1": "com.example.csi/csi-node1",
|
||||
},
|
||||
nil /* labels */),
|
||||
expectedNodeIDMap: nil,
|
||||
},
|
||||
{
|
||||
name: "pre-existing node info from different driver",
|
||||
driverName: "com.example.csi/driver1",
|
||||
existingNode: generateNode(
|
||||
nodeIDMap{
|
||||
"net.example.storage/other-driver": "net.example.storage/csi-node1",
|
||||
},
|
||||
nil /* labels */),
|
||||
expectedNodeIDMap: map[string]string{
|
||||
"net.example.storage/other-driver": "net.example.storage/csi-node1",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
test(t, false /* addNodeInfo */, false /* csiNodeInfoEnabled */, testcases)
|
||||
}
|
||||
|
||||
func TestAddNodeInfoExistingAnnotation(t *testing.T) {
|
||||
csiNodeInfoEnabled := utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo)
|
||||
utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=true", features.CSINodeInfo))
|
||||
defer utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=%t", features.CSINodeInfo, csiNodeInfoEnabled))
|
||||
|
||||
driverName := "com.example.csi/driver1"
|
||||
nodeID := "com.example.csi/some-node"
|
||||
|
||||
@ -471,7 +560,11 @@ func TestAddNodeInfoExistingAnnotation(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func test(t *testing.T, addNodeInfo bool, testcases []testcase) {
|
||||
func test(t *testing.T, addNodeInfo bool, csiNodeInfoEnabled bool, testcases []testcase) {
|
||||
wasEnabled := utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo)
|
||||
utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=%t", features.CSINodeInfo, csiNodeInfoEnabled))
|
||||
defer utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=%t", features.CSINodeInfo, wasEnabled))
|
||||
|
||||
for _, tc := range testcases {
|
||||
t.Logf("test case: %q", tc.name)
|
||||
|
||||
@ -534,39 +627,39 @@ func test(t *testing.T, addNodeInfo bool, testcases []testcase) {
|
||||
}
|
||||
}
|
||||
|
||||
// Topology labels
|
||||
if !helper.Semantic.DeepEqual(node.Labels, tc.expectedLabels) {
|
||||
t.Errorf("expected topology labels to be %v; got: %v", tc.expectedLabels, node.Labels)
|
||||
}
|
||||
/* End Node Validation */
|
||||
if csiNodeInfoEnabled {
|
||||
// Topology labels
|
||||
if !helper.Semantic.DeepEqual(node.Labels, tc.expectedLabels) {
|
||||
t.Errorf("expected topology labels to be %v; got: %v", tc.expectedLabels, node.Labels)
|
||||
}
|
||||
|
||||
/* CSINodeInfo validation */
|
||||
nodeInfo, err := csiClient.Csi().CSINodeInfos().Get(nodeName, metav1.GetOptions{})
|
||||
if tc.expectNoNodeInfo && errors.IsNotFound(err) {
|
||||
continue
|
||||
} else if err != nil {
|
||||
t.Errorf("error getting CSINodeInfo: %v", err)
|
||||
continue
|
||||
}
|
||||
/* CSINodeInfo validation */
|
||||
nodeInfo, err := csiClient.Csi().CSINodeInfos().Get(nodeName, metav1.GetOptions{})
|
||||
if tc.expectNoNodeInfo && errors.IsNotFound(err) {
|
||||
continue
|
||||
} else if err != nil {
|
||||
t.Errorf("error getting CSINodeInfo: %v", err)
|
||||
continue
|
||||
}
|
||||
|
||||
// Extract node IDs and topology keys
|
||||
actualNodeIDs := make(map[string]string)
|
||||
actualTopologyKeys := make(map[string]sets.String)
|
||||
for _, driver := range nodeInfo.CSIDrivers {
|
||||
actualNodeIDs[driver.Driver] = driver.NodeID
|
||||
actualTopologyKeys[driver.Driver] = sets.NewString(driver.TopologyKeys...)
|
||||
}
|
||||
// Extract node IDs and topology keys
|
||||
actualNodeIDs := make(map[string]string)
|
||||
actualTopologyKeys := make(map[string]sets.String)
|
||||
for _, driver := range nodeInfo.CSIDrivers {
|
||||
actualNodeIDs[driver.Driver] = driver.NodeID
|
||||
actualTopologyKeys[driver.Driver] = sets.NewString(driver.TopologyKeys...)
|
||||
}
|
||||
|
||||
// Node IDs
|
||||
if !helper.Semantic.DeepEqual(actualNodeIDs, tc.expectedNodeIDMap) {
|
||||
t.Errorf("expected node IDs %v from CSINodeInfo; got: %v", tc.expectedNodeIDMap, actualNodeIDs)
|
||||
}
|
||||
// Node IDs
|
||||
if !helper.Semantic.DeepEqual(actualNodeIDs, tc.expectedNodeIDMap) {
|
||||
t.Errorf("expected node IDs %v from CSINodeInfo; got: %v", tc.expectedNodeIDMap, actualNodeIDs)
|
||||
}
|
||||
|
||||
// Topology keys
|
||||
if !helper.Semantic.DeepEqual(actualTopologyKeys, tc.expectedTopologyMap) {
|
||||
t.Errorf("expected topology keys %v from CSINodeInfo; got: %v", tc.expectedTopologyMap, actualTopologyKeys)
|
||||
// Topology keys
|
||||
if !helper.Semantic.DeepEqual(actualTopologyKeys, tc.expectedTopologyMap) {
|
||||
t.Errorf("expected topology keys %v from CSINodeInfo; got: %v", tc.expectedTopologyMap, actualTopologyKeys)
|
||||
}
|
||||
}
|
||||
/* End CSINodeInfo validation */
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -147,10 +147,10 @@ func (c *nodePlugin) Admit(a admission.Attributes) error {
|
||||
return admission.NewForbidden(a, fmt.Errorf("disabled by feature gate %s", features.NodeLease))
|
||||
|
||||
case csiNodeInfoResource:
|
||||
if c.features.Enabled(features.KubeletPluginsWatcher) {
|
||||
if c.features.Enabled(features.KubeletPluginsWatcher) && c.features.Enabled(features.CSINodeInfo) {
|
||||
return c.admitCSINodeInfo(nodeName, a)
|
||||
}
|
||||
return admission.NewForbidden(a, fmt.Errorf("disabled by feature gate %s", features.KubeletPluginsWatcher))
|
||||
return admission.NewForbidden(a, fmt.Errorf("disabled by feature gates %s and %s", features.KubeletPluginsWatcher, features.CSINodeInfo))
|
||||
|
||||
default:
|
||||
return nil
|
||||
|
||||
@ -21,6 +21,7 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"fmt"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
@ -41,12 +42,12 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
trEnabledFeature = utilfeature.NewFeatureGate()
|
||||
trDisabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseEnabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseDisabledFeature = utilfeature.NewFeatureGate()
|
||||
pluginsWatcherEnabledFeature = utilfeature.NewFeatureGate()
|
||||
pluginsWatcherDisabledFeature = utilfeature.NewFeatureGate()
|
||||
trEnabledFeature = utilfeature.NewFeatureGate()
|
||||
trDisabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseEnabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseDisabledFeature = utilfeature.NewFeatureGate()
|
||||
csiNodeInfoEnabledFeature = utilfeature.NewFeatureGate()
|
||||
csiNodeInfoDisabledFeature = utilfeature.NewFeatureGate()
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -62,10 +63,16 @@ func init() {
|
||||
if err := leaseDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.NodeLease: {Default: false}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := pluginsWatcherEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
|
||||
if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := pluginsWatcherDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
|
||||
if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: false}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
@ -996,43 +1003,43 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
||||
{
|
||||
name: "disallowed create CSINodeInfo - feature disabled",
|
||||
attributes: admission.NewAttributesRecord(nodeInfo, nil, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Create, false, mynode),
|
||||
features: pluginsWatcherDisabledFeature,
|
||||
err: "forbidden: disabled by feature gate KubeletPluginsWatcher",
|
||||
features: csiNodeInfoDisabledFeature,
|
||||
err: fmt.Sprintf("forbidden: disabled by feature gates %s and %s", features.KubeletPluginsWatcher, features.CSINodeInfo),
|
||||
},
|
||||
{
|
||||
name: "disallowed create another node's CSINodeInfo - feature enabled",
|
||||
attributes: admission.NewAttributesRecord(nodeInfoWrongName, nil, csiNodeInfoKind, nodeInfoWrongName.Namespace, nodeInfoWrongName.Name, csiNodeInfoResource, "", admission.Create, false, mynode),
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
err: "forbidden: ",
|
||||
},
|
||||
{
|
||||
name: "disallowed update another node's CSINodeInfo - feature enabled",
|
||||
attributes: admission.NewAttributesRecord(nodeInfoWrongName, nodeInfoWrongName, csiNodeInfoKind, nodeInfoWrongName.Namespace, nodeInfoWrongName.Name, csiNodeInfoResource, "", admission.Update, false, mynode),
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
err: "forbidden: ",
|
||||
},
|
||||
{
|
||||
name: "disallowed delete another node's CSINodeInfo - feature enabled",
|
||||
attributes: admission.NewAttributesRecord(nil, nil, csiNodeInfoKind, nodeInfoWrongName.Namespace, nodeInfoWrongName.Name, csiNodeInfoResource, "", admission.Delete, false, mynode),
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
err: "forbidden: ",
|
||||
},
|
||||
{
|
||||
name: "allowed create node CSINodeInfo - feature enabled",
|
||||
attributes: admission.NewAttributesRecord(nodeInfo, nil, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Create, false, mynode),
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
err: "",
|
||||
},
|
||||
{
|
||||
name: "allowed update node CSINodeInfo - feature enabled",
|
||||
attributes: admission.NewAttributesRecord(nodeInfo, nodeInfo, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Update, false, mynode),
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
err: "",
|
||||
},
|
||||
{
|
||||
name: "allowed delete node CSINodeInfo - feature enabled",
|
||||
attributes: admission.NewAttributesRecord(nil, nil, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Delete, false, mynode),
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
err: "",
|
||||
},
|
||||
}
|
||||
|
||||
@ -123,10 +123,10 @@ func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (authorizer.Deci
|
||||
}
|
||||
return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.NodeLease), nil
|
||||
case csiNodeInfoResource:
|
||||
if r.features.Enabled(features.KubeletPluginsWatcher) {
|
||||
if r.features.Enabled(features.KubeletPluginsWatcher) && r.features.Enabled(features.CSINodeInfo) {
|
||||
return r.authorizeCSINodeInfo(nodeName, attrs)
|
||||
}
|
||||
return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.KubeletPluginsWatcher), nil
|
||||
return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gates %s and %s", features.KubeletPluginsWatcher, features.CSINodeInfo), nil
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -39,14 +39,14 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
csiEnabledFeature = utilfeature.NewFeatureGate()
|
||||
csiDisabledFeature = utilfeature.NewFeatureGate()
|
||||
trEnabledFeature = utilfeature.NewFeatureGate()
|
||||
trDisabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseEnabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseDisabledFeature = utilfeature.NewFeatureGate()
|
||||
pluginsWatcherEnabledFeature = utilfeature.NewFeatureGate()
|
||||
pluginsWatcherDisabledFeature = utilfeature.NewFeatureGate()
|
||||
csiEnabledFeature = utilfeature.NewFeatureGate()
|
||||
csiDisabledFeature = utilfeature.NewFeatureGate()
|
||||
trEnabledFeature = utilfeature.NewFeatureGate()
|
||||
trDisabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseEnabledFeature = utilfeature.NewFeatureGate()
|
||||
leaseDisabledFeature = utilfeature.NewFeatureGate()
|
||||
csiNodeInfoEnabledFeature = utilfeature.NewFeatureGate()
|
||||
csiNodeInfoDisabledFeature = utilfeature.NewFeatureGate()
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -68,10 +68,16 @@ func init() {
|
||||
if err := leaseDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.NodeLease: {Default: false}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := pluginsWatcherEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
|
||||
if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := pluginsWatcherDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
|
||||
if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: false}}); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
@ -350,79 +356,79 @@ func TestAuthorizer(t *testing.T) {
|
||||
{
|
||||
name: "disallowed CSINodeInfo - feature disabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
|
||||
features: pluginsWatcherDisabledFeature,
|
||||
features: csiNodeInfoDisabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "disallowed CSINodeInfo with subresource - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", Subresource: "csiDrivers", APIGroup: "csi.storage.k8s.io", Name: "node0"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "disallowed get another node's CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "disallowed update another node's CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "disallowed patch another node's CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "disallowed delete another node's CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "disallowed list CSINodeInfos - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "list", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "disallowed watch CSINodeInfos - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "watch", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionNoOpinion,
|
||||
},
|
||||
{
|
||||
name: "allowed get CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionAllow,
|
||||
},
|
||||
{
|
||||
name: "allowed create CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionAllow,
|
||||
},
|
||||
{
|
||||
name: "allowed update CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionAllow,
|
||||
},
|
||||
{
|
||||
name: "allowed patch CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionAllow,
|
||||
},
|
||||
{
|
||||
name: "allowed delete CSINodeInfo - feature enabled",
|
||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
|
||||
features: pluginsWatcherEnabledFeature,
|
||||
features: csiNodeInfoEnabledFeature,
|
||||
expect: authorizer.DecisionAllow,
|
||||
},
|
||||
}
|
||||
|
||||
@ -164,7 +164,8 @@ func NodeRules() []rbacv1.PolicyRule {
|
||||
nodePolicyRules = append(nodePolicyRules, csiDriverRule)
|
||||
}
|
||||
}
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) {
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) &&
|
||||
utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
|
||||
csiNodeInfoRule := rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups("csi.storage.k8s.io").Resources("csinodeinfos").RuleOrDie()
|
||||
nodePolicyRules = append(nodePolicyRules, csiNodeInfoRule)
|
||||
}
|
||||
@ -507,7 +508,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
|
||||
rbacv1helpers.NewRule("get", "list", "watch", "create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
|
||||
rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
|
||||
}
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) {
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
|
||||
externalProvisionerRules = append(externalProvisionerRules, rbacv1helpers.NewRule("get", "watch", "list").Groups("csi.storage.k8s.io").Resources("csinodeinfos").RuleOrDie())
|
||||
}
|
||||
roles = append(roles, rbacv1.ClusterRole{
|
||||
|
||||
@ -531,14 +531,6 @@ items:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- csi.storage.k8s.io
|
||||
resources:
|
||||
- csinodeinfos
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@ -978,16 +970,6 @@ items:
|
||||
- volumeattachments
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- csi.storage.k8s.io
|
||||
resources:
|
||||
- csinodeinfos
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@ -38,7 +38,7 @@ import (
|
||||
)
|
||||
|
||||
var csiImageVersions = map[string]string{
|
||||
"hostpathplugin": "v0.2.0",
|
||||
"hostpathplugin": "canary", // TODO (verult) update tag once new hostpathplugin release is cut
|
||||
"csi-attacher": "v0.2.0",
|
||||
"csi-provisioner": "v0.2.1",
|
||||
"driver-registrar": "v0.3.0",
|
||||
|
||||
Loading…
Reference in New Issue
Block a user