Move CSI snapshot KEP into directory and add an extension for tightening validation

[AndiLi99]

Create KEP extension for tightening validation on snapshot objects #1900

Some details are not fully fleshed out.

• We need to carefully consider what validation will be tightened, and which fields will become immutable. What types of immutability will we use? Immutable on create, set or once 'valid'?
• How exactly will the webhook server deploy with TLS? There is no standard boilerplate as far as I am aware of for creating webhook servers. Some suggestions include cert-manager. We need to consider whether TLS deployment is in scope for this feature. How will we ensure the certs don't interfere with existing cert management installed on existing clusters? How will we automate testing of the webhook?

The release process has been outlined in order to tackle backwards compatibility concerns.

cc @xing-yang @msau42 @yuxiangqian @mattcary

[k8s-ci-robot]

Welcome @AndiLi99!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @AndiLi99. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[msau42]

/ok-to-test

[msau42]

Is 1 release enough? I'm not quite sure where this falls under the kubernetes deprecation policy. This is changing the behavior of a beta API, but the deprecation policy mostly talks about removing entire API groups. cc @liggitt

[xing-yang]

Most of this tightening is like fixing bugs. The oneof restriction is already handled by the controller. So I think we should not wait for more than 1 release.

[msau42]

@kubernetes/sig-storage-proposals

[msau42]

cc @jsafrane @liggitt

[yuxiangqian]

cc @xing-yang

[xing-yang]

There's a validation error:

    --- FAIL: TestValidation/../../keps/sig-storage/177-volume-snapshot-validation/kep.yaml (0.00s)
        main_test.go:80: exit code was 1 and not 0. Output:
            ../../keps/sig-storage/177-volume-snapshot-validation/kep.yaml has an error: "error validating KEP metadata: \"prr-approvers\" must be one of (deads2k,johnbelamaric,wojtek-t) but it is a string: TBD"

[AndiLi99]

@xing-yang who would be the prr reviewer for the original csi snapshot kep?

[mattcary]

@xing-yang who would be the prr reviewer for the original csi snapshot kep?

Looks like PRRs are new: #1620

There's a note in the changes to "Please reach out on the
#prod-readiness channel" for help & guidance.

I'll ask on there what to do.

[xing-yang]

The original snapshot KEP didn't go through the PRR process. You can pick one of (deads2k,johnbelamaric,wojtek-t) as PRR reviewer.

[xing-yang]

There's also spec.VolumeSnapshotRef

[AndiLi99]

Added to the list with a note that it is immutable only after UID is set. I'm not sure if that behaviour is good though. I feel like we shall either make it fully immutable after creation, or not make it immutable at all. Thoughts?

[mattcary]

Sorry, the VolumeSnapshotRef field says it's immutable after creation, is that inconsistent with the UID being set after creation? Also, I thought the controller created the whole VSC at once (but am I mistaken?)

[AndiLi99]

In the dynamic snapshot case, the controller creates the entire VSC at once, you are correct.

In the pre-provisioned snapshot case, the CA must create the VSC. They must specify the name and namespace of the VS they wish to be bound to the VSC on the VSC.Spec.VolumeSnapshotRef field. If the VS does not exist yet there is no UID set, The controller after binding will set the UID in the VSC.Spec.VolumeSnapshotRef field. So the controller must be able to change that field after it is created to add set the UID one time.

This is a bit confusing but I'm not sure if anything can be done to change this behaviour.

cc @yuxiangqian to check if I got this behaviour right.

[mattcary]

ok. Could you make a quick PR to update the comment in types.go so that it's consistent with what is actually the case?

[yuxiangqian]

what Andi described is accurate, I guess the semantic is more accurate if put this way: VSC.Spec.VolumeSnapshotRef is immutable (more specifically name, namespace, and UID fields) once bound.
for dynamic case, there is little ambiguity, all three fields will be set at once by controller.
for preprovisioned case, name/namespace are the users responsibility to set, while the UID is the controller's responsibility during binding (two stages instead of one compared to dynamic case). I think it's reasonable to allow updating for name/namespace fields BEFORE a content is bound to a VS, i.e., UID == "", for the pre-provisioned case. A potential use case could be:

1. CA creates a pre-provisioned VSC with VS-A name = "a", ns = "a-ns" (not bound yet)
2. CA realized they need the VSC to point to VS-B name = "b", ns = "b-ns"
3. CA updates the VSC to point to VS-B (if VSC has been bound(by checking UID == ""), it should be rejected by webhook, if not, webhook should allow?)

[mattcary]

Yeah, I think those semantics make sense. But we shouldn't call the field just "immutable" in that case. I like making more precise by saying "immutable after binding" or something like that.

[AndiLi99]

I'm making a quick PR to update the comment in types.go to say it's immutable after UID is set only.

[mattcary]

Can we add the reason for not restricting updates?

[AndiLi99]

@yuxiangqian would know what specific scenarios are valid for changing the class name.

[msau42]

Can you add a TODO to resolve this by the time we implement the webhook? We should very clearly understand the use cases for supporting mutability of each field, and perhaps even document the use case in the CRD schema.

[yuxiangqian]

one scenario was the following:

1. user creates a VS which points to a non-existing volume snapshot class (fat-fingered or whatever reason), in this case the volume snapshot controller will fail the create a snapshot.
2. user updates the volume snapshot class to point to a correct one.
   IMO it sounds like a reasonable mutation scenario?
   If it's a mutable field, then it makes sense to me not to list this entry here?

[msau42]

What happens if a valid snapshot was created, but then the user changes the class to something different?

I guess there's a similar scenario where a user could delete and create a volumesnapshotclass with the same name, but completely different settings.

[AndiLi99]

Added a TODO issue kubernetes-csi/external-snapshotter#362

[msau42]

/approve
Awesome work Andy on tackling this difficult problem!

Will leave it to @xing-yang and @yuxiangqian for final review

[yuxiangqian]

overall LGTM. Great work Andi!

[yuxiangqian]

one scenario was the following:

1. user creates a VS which points to a non-existing volume snapshot class (fat-fingered or whatever reason), in this case the volume snapshot controller will fail the create a snapshot.
2. user updates the volume snapshot class to point to a correct one.
   IMO it sounds like a reasonable mutation scenario?
   If it's a mutable field, then it makes sense to me not to list this entry here?

[xing-yang]

What "version change" do you mean? Cut a different release?

[AndiLi99]

Version change in the api of the object. So volume snapshot moves from v1beta1 to v1.

[xing-yang]

Can you clarify in the KEP that "version change" means snapshot API version moves from v1beta1 to v1?

[msau42]

It's not quite a "move" at this point. We're just making a new api version available at this stage, and changing our controllers to use the new api version.

[xing-yang]

What API version are you referring to? Is it "v1"?

[xing-yang]

Does phase 2 implies snapshot will go GA?

[AndiLi99]

I reworded it to show that in phase 2 there will be a new snapshot version (v1). The plan is for phase 2 to be v1, implying GA.

[AndiLi99]

If it is not GA ready, potentially the version could be v1beta2.

[yuxiangqian]

LGTM
@liggitt @mattcary @xing-yang any more comments?

[xing-yang]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AndiLi99, msau42, xing-yang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-storage/OWNERS [msau42,xing-yang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[xing-yang]

Thanks Andi!

[AndiLi99]

Thank you everyone for all your help! Pleasure to work with you all.