kubernetes · k8s-ci-robot · Mar 5, 2021 · Mar 4, 2021 · Mar 5, 2021 · liggitt
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
diff --git a/pkg/apis/policy/types.go b/pkg/apis/policy/types.go
@@ -77,6 +77,10 @@ type PodDisruptionBudgetStatus struct {
 
 	// total number of pods counted by this disruption budget
 	ExpectedPods int32
+
+	// Conditions contain conditions for PDB
+	// +optional
+	Conditions []metav1.Condition
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

diff --git a/pkg/apis/policy/v1beta1/zz_generated.conversion.go b/pkg/apis/policy/v1beta1/zz_generated.conversion.go
diff --git a/pkg/apis/policy/validation/validation.go b/pkg/apis/policy/validation/validation.go
@@ -23,8 +23,10 @@ import (
 	"strings"
 
 	"k8s.io/api/core/v1"
+	policyapiv1beta1 "k8s.io/api/policy/v1beta1"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	appsvalidation "k8s.io/kubernetes/pkg/apis/apps/validation"
@@ -40,7 +42,6 @@ import (
 // with any errors.
 func ValidatePodDisruptionBudget(pdb *policy.PodDisruptionBudget) field.ErrorList {
 	allErrs := ValidatePodDisruptionBudgetSpec(pdb.Spec, field.NewPath("spec"))
-	allErrs = append(allErrs, ValidatePodDisruptionBudgetStatus(pdb.Status, field.NewPath("status"))...)
 	return allErrs
 }
 
@@ -68,10 +69,16 @@ func ValidatePodDisruptionBudgetSpec(spec policy.PodDisruptionBudgetSpec, fldPat
 	return allErrs
 }
 
-// ValidatePodDisruptionBudgetStatus validates a PodDisruptionBudgetStatus and returns an ErrorList
+// ValidatePodDisruptionBudgetStatusUpdate validates a PodDisruptionBudgetStatus and returns an ErrorList
 // with any errors.
-func ValidatePodDisruptionBudgetStatus(status policy.PodDisruptionBudgetStatus, fldPath *field.Path) field.ErrorList {
+func ValidatePodDisruptionBudgetStatusUpdate(status, oldStatus policy.PodDisruptionBudgetStatus, fldPath *field.Path, apiVersion schema.GroupVersion) field.ErrorList {
 	allErrs := field.ErrorList{}
+	allErrs = append(allErrs, unversionedvalidation.ValidateConditions(status.Conditions, fldPath.Child("conditions"))...)
+	// Don't run other validations for v1beta1 since we don't want to introduce
+	// new validations retroactively.
+	if apiVersion == policyapiv1beta1.SchemeGroupVersion {
+		return allErrs
+	}
 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.DisruptionsAllowed), fldPath.Child("disruptionsAllowed"))...)
 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.CurrentHealthy), fldPath.Child("currentHealthy"))...)
 	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(status.DesiredHealthy), fldPath.Child("desiredHealthy"))...)

diff --git a/pkg/apis/policy/validation/validation_test.go b/pkg/apis/policy/validation/validation_test.go
@@ -19,10 +19,13 @@ package validation
 import (
 	"fmt"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"k8s.io/api/core/v1"
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/kubernetes/pkg/apis/core"
@@ -98,26 +101,150 @@ func TestValidateMinAvailablePodAndMaxUnavailableDisruptionBudgetSpec(t *testing
 }
 
 func TestValidatePodDisruptionBudgetStatus(t *testing.T) {
-	successCases := []policy.PodDisruptionBudgetStatus{
-		{DisruptionsAllowed: 10},
-		{CurrentHealthy: 5},
-		{DesiredHealthy: 3},
-		{ExpectedPods: 2}}
-	for _, c := range successCases {
-		errors := ValidatePodDisruptionBudgetStatus(c, field.NewPath("status"))
-		if len(errors) > 0 {
-			t.Errorf("unexpected failure %v for %v", errors, c)
-		}
+	const expectNoErrors = false
+	const expectErrors = true
+	testCases := []struct {
+		name                string
+		pdbStatus           policy.PodDisruptionBudgetStatus
+		expectErrForVersion map[schema.GroupVersion]bool
+	}{
+		{
+			name: "DisruptionsAllowed: 10",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				DisruptionsAllowed: 10,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectNoErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "CurrentHealthy: 5",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				CurrentHealthy: 5,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectNoErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "DesiredHealthy: 3",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				DesiredHealthy: 3,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectNoErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "ExpectedPods: 2",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				ExpectedPods: 2,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectNoErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "DisruptionsAllowed: -10",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				DisruptionsAllowed: -10,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "CurrentHealthy: -5",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				CurrentHealthy: -5,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "DesiredHealthy: -3",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				DesiredHealthy: -3,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "ExpectedPods: -2",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				ExpectedPods: -2,
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "Conditions valid",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type:   policyv1beta1.DisruptionAllowedCondition,
+						Status: metav1.ConditionTrue,
+						LastTransitionTime: metav1.Time{
+							Time: time.Now().Add(-5 * time.Minute),
+						},
+						Reason:             policyv1beta1.SufficientPodsReason,
+						Message:            "message",
+						ObservedGeneration: 3,
+					},
+				},
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectNoErrors,
+				policyv1beta1.SchemeGroupVersion: expectNoErrors,
+			},
+		},
+		{
+			name: "Conditions not valid",
+			pdbStatus: policy.PodDisruptionBudgetStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type:   policyv1beta1.DisruptionAllowedCondition,
+						Status: metav1.ConditionTrue,
+					},
+					{
+						Type:   policyv1beta1.DisruptionAllowedCondition,
+						Status: metav1.ConditionFalse,
+					},
+				},
+			},
+			expectErrForVersion: map[schema.GroupVersion]bool{
+				policy.SchemeGroupVersion:        expectErrors,
+				policyv1beta1.SchemeGroupVersion: expectErrors,
+			},
+		},
 	}
-	failureCases := []policy.PodDisruptionBudgetStatus{
-		{DisruptionsAllowed: -10},
-		{CurrentHealthy: -5},
-		{DesiredHealthy: -3},
-		{ExpectedPods: -2}}
-	for _, c := range failureCases {
-		errors := ValidatePodDisruptionBudgetStatus(c, field.NewPath("status"))
-		if len(errors) == 0 {
-			t.Errorf("unexpected success for %v", c)
+
+	for _, tc := range testCases {
+		for apiVersion, expectErrors := range tc.expectErrForVersion {
+			t.Run(fmt.Sprintf("apiVersion: %s, %s", apiVersion.String(), tc.name), func(t *testing.T) {
+				errors := ValidatePodDisruptionBudgetStatusUpdate(tc.pdbStatus, policy.PodDisruptionBudgetStatus{},
+					field.NewPath("status"), apiVersion)
+				errCount := len(errors)
+
+				if errCount > 0 && !expectErrors {
+					t.Errorf("unexpected failure %v for %v", errors, tc.pdbStatus)
+				}
+
+				if errCount == 0 && expectErrors {
+					t.Errorf("expected errors but didn't one for %v", tc.pdbStatus)
+				}
+			})
 		}
 	}
 }

diff --git a/pkg/apis/policy/zz_generated.deepcopy.go b/pkg/apis/policy/zz_generated.deepcopy.go
diff --git a/pkg/controller/disruption/disruption.go b/pkg/controller/disruption/disruption.go
@@ -49,6 +49,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
+	pdbhelper "k8s.io/component-helpers/apps/poddisruptionbudget"
 	"k8s.io/klog/v2"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/controller"
@@ -63,7 +64,9 @@ import (
 // If the controller is running on a different node it is important that the two nodes have synced
 // clock (via ntp for example). Otherwise PodDisruptionBudget controller may not provide enough
 // protection against unwanted pod disruptions.
-const DeletionTimeout = 2 * 60 * time.Second
+const (
+	DeletionTimeout = 2 * 60 * time.Second
+)
 
 type updater func(*policy.PodDisruptionBudget) error
 
@@ -579,7 +582,7 @@ func (dc *DisruptionController) sync(key string) error {
 	}
 	if err != nil {
 		klog.Errorf("Failed to sync pdb %s/%s: %v", pdb.Namespace, pdb.Name, err)
-		return dc.failSafe(pdb)
+		return dc.failSafe(pdb, err)
 	}
 
 	return nil
@@ -774,9 +777,21 @@ func (dc *DisruptionController) buildDisruptedPodMap(pods []*v1.Pod, pdb *policy
 // implement the  "fail open" part of the design since if we manage to update
 // this field correctly, we will prevent the /evict handler from approving an
 // eviction when it may be unsafe to do so.
-func (dc *DisruptionController) failSafe(pdb *policy.PodDisruptionBudget) error {
+func (dc *DisruptionController) failSafe(pdb *policy.PodDisruptionBudget, err error) error {
 	newPdb := pdb.DeepCopy()
 	newPdb.Status.DisruptionsAllowed = 0
+
+	if newPdb.Status.Conditions == nil {
+		newPdb.Status.Conditions = make([]metav1.Condition, 0)
+	}
+	apimeta.SetStatusCondition(&newPdb.Status.Conditions, metav1.Condition{
+		Type:               policy.DisruptionAllowedCondition,
+		Status:             metav1.ConditionFalse,
+		Reason:             policy.SyncFailedReason,
+		Message:            err.Error(),
+		ObservedGeneration: newPdb.Status.ObservedGeneration,
+	})
+
 	return dc.getUpdater()(newPdb)
 }
 
@@ -797,7 +812,8 @@ func (dc *DisruptionController) updatePdbStatus(pdb *policy.PodDisruptionBudget,
 		pdb.Status.ExpectedPods == expectedCount &&
 		pdb.Status.DisruptionsAllowed == disruptionsAllowed &&
 		apiequality.Semantic.DeepEqual(pdb.Status.DisruptedPods, disruptedPods) &&
-		pdb.Status.ObservedGeneration == pdb.Generation {
+		pdb.Status.ObservedGeneration == pdb.Generation &&
+		pdbhelper.ConditionsAreUpToDate(pdb) {
 		return nil
 	}
 
@@ -811,6 +827,8 @@ func (dc *DisruptionController) updatePdbStatus(pdb *policy.PodDisruptionBudget,
 		ObservedGeneration: pdb.Generation,
 	}
 
+	pdbhelper.UpdateDisruptionAllowedCondition(newPdb)
+
 	return dc.getUpdater()(newPdb)
 }
 

diff --git a/pkg/controller/disruption/disruption_test.go b/pkg/controller/disruption/disruption_test.go
@@ -32,6 +32,7 @@ import (
 	policy "k8s.io/api/policy/v1beta1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/api/meta/testrestmapper"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -73,6 +74,8 @@ func (ps *pdbStates) Get(key string) policy.PodDisruptionBudget {
 func (ps *pdbStates) VerifyPdbStatus(t *testing.T, key string, disruptionsAllowed, currentHealthy, desiredHealthy, expectedPods int32,
 	disruptedPodMap map[string]metav1.Time) {
 	actualPDB := ps.Get(key)
+	actualConditions := actualPDB.Status.Conditions
+	actualPDB.Status.Conditions = nil
 	expectedStatus := policy.PodDisruptionBudgetStatus{
 		DisruptionsAllowed: disruptionsAllowed,
 		CurrentHealthy:     currentHealthy,
@@ -86,6 +89,22 @@ func (ps *pdbStates) VerifyPdbStatus(t *testing.T, key string, disruptionsAllowe
 		debug.PrintStack()
 		t.Fatalf("PDB %q status mismatch.  Expected %+v but got %+v.", key, expectedStatus, actualStatus)
 	}
+
+	cond := apimeta.FindStatusCondition(actualConditions, policy.DisruptionAllowedCondition)
+	if cond == nil {
+		t.Fatalf("Expected condition %q, but didn't find it", policy.DisruptionAllowedCondition)
+	}
+	if disruptionsAllowed > 0 {
+		if cond.Status != metav1.ConditionTrue {
+			t.Fatalf("Expected condition %q to have status %q, but was %q",
+				policy.DisruptionAllowedCondition, metav1.ConditionTrue, cond.Status)
+		}
+	} else {
+		if cond.Status != metav1.ConditionFalse {
+			t.Fatalf("Expected condition %q to have status %q, but was %q",
+				policy.DisruptionAllowedCondition, metav1.ConditionFalse, cond.Status)
+		}
+	}
 }
 
 func (ps *pdbStates) VerifyDisruptionAllowed(t *testing.T, key string, disruptionsAllowed int32) {