KEP Proposal: API for PVC Namespace Transfer #1555
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @mhenriks! |
|
Hi @mhenriks. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mhenriks The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
kind/kep
|
|
||
| - Make sure the associated PersistentVolume is not deleted/recycled during the transfer by setting reclaim policy to `Retain` (if not already). | ||
| - Delete the PVC `source-namespace\foo`. | ||
| - Bind The PersistentVolume to `target-namespace\bar`. |
There was a problem hiding this comment.
Earlier, targetName (with value of bar) is said to be optional.
If the value is omitted, the transfer would use existing name from the source.
It is better to explain this in the procedure.
There was a problem hiding this comment.
Personally I'd prefer not to be implicit, that's one of the reasons I proposed using the datasource model, we can easily enforce things like quota, limits and required claim parameters that way IMO.
There was a problem hiding this comment.
Yeah, with the datasource model, the user will directly see if creating the target PVC fails because of a quota limitation. Otherwise, it will happen in the background and be reported in the status of the StorageTransferRequest.
What other required parameters are a concern? And does validating the new target PVC require referencing the source PVC to validate compatible parameters? If so, that would be complicated.
There was a problem hiding this comment.
My main philosophy has been just to make it as close to the existing create workflow as possible and avoid assumptions. It also means you don't have to duplicate parameters or testing for them. Instead you use the existing create implementation as your foundation and build on it rather than trying to make it better or offering a divergent path. Just my 2 cents though.
|
|
||
| // TargetName allows for the source and target resources to have different names | ||
| // It is optional | ||
| TargetName *string |
There was a problem hiding this comment.
It may be better to always keep this field populated (which would simplify checking in the code)
There was a problem hiding this comment.
Hi @tedyu - thanks for taking a look. Yes, your suggestion would definitely make the implementation simpler. But I wonder about the case in which the user doesn't have access to the source namespace and some coordination with an admin is necessary. Now one more piece of information is required to be communicated. Maybe it's not a big deal, but at this point I kind of feel like the benefit outweighs the cost.
There was a problem hiding this comment.
Since the transfer is secure, I wonder under what scenario the user doesn't have access to the source namespace.
There was a problem hiding this comment.
A hypothetical case could be something like: Department A needs a copy of a database (PVC) owned by department B. Each department operates only in their own namespace. The admins for A and B can work together to facilitate the transfer rather than getting a cluster admin involved.
There was a problem hiding this comment.
Maybe it makes sense to assume that a typical user of this API has access to both namespaces. If so, binding requests/responses is simpler. Dynamic binding can be a later feature.
|
|
||
| ```golang | ||
| type StorageTransferRequestStatus struct { | ||
| Complete bool |
There was a problem hiding this comment.
Can we change the bool field to int field where 100 (percent) means completion ?
Progress int
This way, if the controller can estimate the progress, user would get better idea.
There was a problem hiding this comment.
How do you suggest measuring progress? No data is transferred. The transfer simply involves updating metadata and should occur quickly after requests/approvals are matched.
There was a problem hiding this comment.
Another option is to use enum to represent each step as outlined starting line 147 above. Actually this field can be a string where 'done' or 'complete' marks the end of operation.
It is clearer than a single bool.
|
|
||
| I believe the API can be implemented as CRDs and an external controller. If so, is a KEP really required? Would there be advantages to implementing in-tree? | ||
|
|
||
| What is the best way to deal with unbound PVCs (WaitForFirstConsumer)? Transfer the unbound PVC? Wait until it's bound? May be race conditions with the former. |
There was a problem hiding this comment.
One option is to report error for unbound PVCs.
When the PVC is bound, the transfer process can start again.
| to other resource types as compelling use cases come up. | ||
|
|
||
| `StorageTransferRequest` resources are created in the target namespace. | ||
| `StorageTransferApproval` resources are created in the source namespace. |
There was a problem hiding this comment.
@kubernetes/sig-auth-api-reviews FYI.
k8s-ci-robot
added
sig/auth
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| @@ -0,0 +1,283 @@ | |||
| --- | |||
| title: Namespace Transfer | |||
There was a problem hiding this comment.
| title: Namespace Transfer | |
| title: Namespace transfer for storage |
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
Signed-off-by: Michael Henriksen <[email protected]>
Signed-off-by: Michael Henriksen <[email protected]>
mhenriks
force-pushed
the
namespace-transfer
branch
from
fbc0ff0 to
e134abf
Compare
There was a problem hiding this comment.
Thanks for working on this @mhenriks I had a couple of questions and a thought around tieing this together with DataSources; would be curious what you think of the idea.
| When a controller detects matching request/approval resources, a transfer in initiated. | ||
|
|
||
| When transferring a PersistentVolumeClaim, the associated PersistentVolume will be updated, | ||
| the source PersistentVolumeClaim will be deleted, and the target PersistentVolumeClaim will be created. |
There was a problem hiding this comment.
The more I thought about this the last time around, the more I liked the idea of deleting the original claim; I think that's the right step FWIW.
There was a problem hiding this comment.
In another comment here, you propose having the triggering the transfer via the pvc spec.dataSource field. In that case do you think it would still be preferable to delete the original claim? And if so, when? When requests/approvals are matched or the target PVC is created?
There was a problem hiding this comment.
Yeah, that still aligns IMO, once the transfer process is completed then you'd delete the claim from the original namespace.
| kind: PersistentVolumeClaim | ||
| targetName: bar #this is optional | ||
| ``` | ||
|
|
There was a problem hiding this comment.
I don't know that it's necessary, but do we want to consider requiring a secret associated with this? It may be overkill because it's an active operation on both sides and it will only transfer to the destination specified by the source; but just something to think about (briefly). Maybe that's an implementation detail and we address it later.
| ``` | ||
|
|
||
| When matching `StorageTransferRequest` and `StorageTransferApproval` resources are detected, the transfer process is initiated. | ||
|
|
There was a problem hiding this comment.
One thing I thought might improve this, rather than immediately taking the action on this approval object, would it make sense to leverage the pvc datasource model that we've been using for other things? So for example what I'm thinking is that to import or accept a transfer the new namespace still issues a new PVC request, but they use a StorageTransferApproval object like you have here as the DataSource.
So the controller would wait for not only the matching requests, but the final even to kick this off would be a create pvc from that transfer datasource. Maybe that's more of an implementation detail.
There was a problem hiding this comment.
The StorageTransferApproval is not in the same namespace as the target PVC, so the DataSource would have to refer to the StorageTransferRequest.
I agree that this would make the controller simpler. But decided against it because:
- its one more thing for the user to do. And what if the target spec doesn't match the source?
- the DataSource field is not appropriately ignored/handled for all provisioners at current.
2 is obviously also an issue for the populators, so maybe shouldn't be too concerned about it now? But it could lead to some undesirable behavior in the meantime.
There was a problem hiding this comment.
Sorry, I often reverse who does the request and who does the accept... As far as the other points, I see both sides (mine and yours). Would be curious to see if anybody else has thoughts, I'm open to your ideas. Just want to make sure usability is good and if there's places to leverage existing work we do so.
|
|
||
| - Make sure the associated PersistentVolume is not deleted/recycled during the transfer by setting reclaim policy to `Retain` (if not already). | ||
| - Delete the PVC `source-namespace\foo`. | ||
| - Bind The PersistentVolume to `target-namespace\bar`. |
There was a problem hiding this comment.
Personally I'd prefer not to be implicit, that's one of the reasons I proposed using the datasource model, we can easily enforce things like quota, limits and required claim parameters that way IMO.
There was a problem hiding this comment.
Thanks for the feedback @j-griffith and @tedyu.
I think the biggest thing to decide is whether the user creates the target PVC is created internally or explicitly by the user (via spec.dataSource).
| When a controller detects matching request/approval resources, a transfer in initiated. | ||
|
|
||
| When transferring a PersistentVolumeClaim, the associated PersistentVolume will be updated, | ||
| the source PersistentVolumeClaim will be deleted, and the target PersistentVolumeClaim will be created. |
There was a problem hiding this comment.
In another comment here, you propose having the triggering the transfer via the pvc spec.dataSource field. In that case do you think it would still be preferable to delete the original claim? And if so, when? When requests/approvals are matched or the target PVC is created?
| ``` | ||
|
|
||
| When matching `StorageTransferRequest` and `StorageTransferApproval` resources are detected, the transfer process is initiated. | ||
|
|
There was a problem hiding this comment.
The StorageTransferApproval is not in the same namespace as the target PVC, so the DataSource would have to refer to the StorageTransferRequest.
I agree that this would make the controller simpler. But decided against it because:
- its one more thing for the user to do. And what if the target spec doesn't match the source?
- the DataSource field is not appropriately ignored/handled for all provisioners at current.
2 is obviously also an issue for the populators, so maybe shouldn't be too concerned about it now? But it could lead to some undesirable behavior in the meantime.
|
|
||
| - Make sure the associated PersistentVolume is not deleted/recycled during the transfer by setting reclaim policy to `Retain` (if not already). | ||
| - Delete the PVC `source-namespace\foo`. | ||
| - Bind The PersistentVolume to `target-namespace\bar`. |
There was a problem hiding this comment.
Yeah, with the datasource model, the user will directly see if creating the target PVC fails because of a quota limitation. Otherwise, it will happen in the background and be reported in the status of the StorageTransferRequest.
What other required parameters are a concern? And does validating the new target PVC require referencing the source PVC to validate compatible parameters? If so, that would be complicated.
|
|
||
| // TargetName allows for the source and target resources to have different names | ||
| // It is optional | ||
| TargetName *string |
There was a problem hiding this comment.
Maybe it makes sense to assume that a typical user of this API has access to both namespaces. If so, binding requests/responses is simpler. Dynamic binding can be a later feature.
mhenriks
force-pushed
the
namespace-transfer
branch
from
f9aad52 to
d4071c4
Compare
…oval.spec.requestName required parameters Also, StorageTransferRequest.spec.targetName is required Also removed some details that may be better for design doc. Signed-off-by: Michael Henriksen <[email protected]>
mhenriks
force-pushed
the
namespace-transfer
branch
from
d4071c4 to
ee28d1f
Compare
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@mhenriks: Failed to re-open PR: state cannot be changed. The namespace-transfer branch was force-pushed or recreated. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
removed
the
lifecycle/rotten
|
/reopen |
|
@mhenriks: Failed to re-open PR: state cannot be changed. The namespace-transfer branch was force-pushed or recreated. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
update enhancement template
Signed-off-by: Michael Henriksen [email protected]
This follows on previous works by @j-griffith here and here
For now, let's focus on storage resources and specifically PVCs.