StatefulSet PVC auto-delete implementation

[mattcary]

/kind feature
/sig apps

What this PR does / why we need it:

This contains the implementation for the StatefulSet PVC auto-delete KEP

Which issue(s) this PR address:

kubernetes/enhancements#1847

Special notes for your reviewer:

This PR is unfortunately rather large.

The first two api commits were originally submitted in #99378, which was reverted when the implementation didn't get finished in time for 1.22.

The next three are this change: the implementation, unit tests, and finally the feature gate.

The unit tests required a bit of refactoring as the faking was done at the wrong level to efficiently test the new behavior. So it's quite large, but splitting it up would be very difficult at the point :-(

The final commit is the feature gate. I think I'm doing it the right way based on other feature gate implementations, but please let me know if I missed some key bit.

Does this PR introduce a user-facing change?

Adds a feature gate StatefulSetAutoDeletePVC, which allows PVCs automatically created for StatefulSet pods to be automatically deleted.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-apps/1847-autoremove-statefulset-pvcs

[mattcary]

/cc @kk-src
/cc @msau42

[k8s-ci-robot]

@mattcary: GitHub didn't allow me to request PR reviews from the following users: kk-src.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @kk-src
/cc @msau42

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[fejta-bot]

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

[msau42]

I'm wondering if we should error or we should log a warning and continue. This would most likely happen if someone deleted the object out of band?

[mattcary]

This also happens when everything is getting created IIUC. In UpdateStatefulPod, above, we ignore an error from this method when appropriate.

I think it's nicer to do it that way, where the caller knows when it's ok to ignore missing things, than to plumb that logic down here.

I may eat my words on this when we do more complicated test cases, but for the time being at least to me it makes it easier to reason about.

[smarterclayton]

If objectMgr is fed by an informer, this in an inherently racy check (create object A, check cache until B shows up). Generally we don't warn in those cases, because that's creating log spam (the race is roughly guaranteed to always happen at least once on the first pass, and depending on watch latency, possibly longer).

If a PVC doesn't exist, retention is irrelevant. So I'd probably say apierrors.IsNotFound should not cause an error to be returned, and should log at a high level (i.e. not be visible except during debugging such as 4 or 5). It doesn't matter whether it's a race on startup, a user driven deletion, or a bug elsewhere in the controller - the controller has to accept that cross object comparisons driven by inherently laggy caches can't be done transactionally, and the way we do it is break our checks into simple invariants (if no PVC exists but should -> try to create, if PVC shouldn't exist but does -> try to destroy) and minimizing the amount of noise we create in logs and events.

[mattcary]

I think that makes sense. Done.

[msau42]

Should use klog to log

[mattcary]

Yikes this is printf debugging that leaked out from the commit with the test :-P. fixed.

[msau42]

What if someone manually created the PVC and didn't put an ownerref on it?

[mattcary]

That case of manual pod creation will be caught in UpdateStatefulPod.

A stale owner ref is where there's a ref to a different pod, meaning the race condition during a scale-down followed immediately by a scale back up before the PVC can get deleted. Since things may be in process of getting unmounted it seems best to just wait for everything to settle down.

[msau42]

Any new logic in the controller should be feature gated.

[msau42]

Oops I'm reviewing a commit at a time and missed 89caf6d

[mattcary]

Sorry, I thought it would be easier to split that out. I'm overthinking it!

[mattcary]

The feature gate checks happen in this commit now (see getPersistentVolumeClaimDeletePolicy in stateful-set_utils.go).

Also note that we will need to update claim ownerRefs if the feature gate is rolled back. So the feature gate check has to happen deeper down anyway.

[kow3ns]

From a code organization perspective the feature gate is buried deeply in the utils. Its hard to read the code and determine the controller behavior when its enabled/disabled.

[mattcary]

I see with the StatefulSetMinReadySeconds that the feature gate testing is hoisted up as you describe. So I've done the same with this feature.

[msau42]

Maybe something to consider as a future optimization, but we could save an update if we create+update in one call.

[mattcary]

yes, although it gets complicated because if the pod is new as well it may not have the UID necessary for the owner ref.

So +1 to future optimization :-)

[msau42]

pvc name could contain dashes too?

[mattcary]

Yes, but that's okay, because we inject the actual set name into the regex. Really we're just picking out the ordinal (that's also why we can't precompile the RE).

eg if the claim is foo-bar-baz-8, and set.Name = baz, then the RE is foo-bar-(baz-\d+), and we do the right thing. If set.Name = bar-baz, then the RE is foo-(bar-baz-\d+) and again we're okay.

At least I think so, maybe I missed something.

[msau42]

With parallel pod management can we still make the assumption that the highest ordinals are scaled down first?

[mattcary]

My understanding with parallel pod management is that Replicas will still be set to the final number of replicas. We just don't know which of the condemned pods will get deleted first.

In other words, with both parallel pod management as well as conventional, all the condemned pods will have ordinal > Replicas, and we will set owner refs on all of those PVCs at the same time. We don't need to do anything different w/rt PVC deletion AFAICT.

[krmayankk]

this is correct, all condemned pods will have ordinal > Replicas

[msau42]

should this return an error?

[mattcary]

This ftn only returns a bool. Since the policy should be validated, it seems excessive to return an error.

I have changed the behavior to match Retain, though, since I'm going to have to deal with a nil pointer since making the field optional in the API.

[msau42]

Does this happen in a real cluster or only unit tests?

[mattcary]

Yes, this was happening in a real cluster. Maybe this means something has to wait a reconcile loop for the pod to be created?

[msau42]

should we error instead?

[mattcary]

oops, more debugging code. Removed.

[msau42]

I think this can be addressed in the API pr, but policy should be a pointer, and then dropping it would be setting it to nil.

[msau42]

These new rules should be feature gated

[mattcary]

done (will be in next push up). Also delete isn't needed I don't think.

[jingxu97]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kow3ns, mattcary, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• api/OWNERS [smarterclayton]
• pkg/apis/OWNERS [smarterclayton]
• pkg/controller/statefulset/OWNERS [kow3ns,smarterclayton]
• pkg/features/OWNERS [kow3ns,smarterclayton]
• pkg/registry/OWNERS [smarterclayton]
• plugin/pkg/auth/authorizer/OWNERS [smarterclayton]
• staging/src/k8s.io/api/OWNERS [smarterclayton]
• staging/src/k8s.io/client-go/OWNERS [smarterclayton]
• test/e2e/apps/OWNERS [kow3ns,smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jingxu97]

/lgtm

[mattcary]

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[jingxu97]

/test pull-kubernetes-unit

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[liggitt]

The delete PVC unit tests started flaking when this was merged:

https://storage.googleapis.com/k8s-triage/index.html?ci=0&pr=1&test=PVC

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/106568/pull-kubernetes-unit/1462136832413143040

Looks like there's a data race inside runTestOverPVCRetentionPolicies