Merge pull request #97293 from roycaihw/storage-version/gc-rbac

add rbac rule for storage version garbage collector
2025-07-20 02:11:09 +00:00 · 2021-01-11 08:39:07 -08:00 · 2021-01-11 08:39:07 -08:00 · 1f0ef8e679
commit 1f0ef8e679
parent 94a623a45a 83b30bc92f
5 changed files with 117 additions and 17 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
@ -24,6 +24,7 @@ go_library(
        "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/features:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
        "//vendor/k8s.io/klog/v2:go_default_library",
    ],
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@ -24,6 +24,7 @@ import (
 	capi "k8s.io/api/certificates/v1beta1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	genericfeatures "k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
 	"k8s.io/kubernetes/pkg/features"
@ -411,6 +412,19 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 			},
 		})
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StorageVersionAPI) &&
+		utilfeature.DefaultFeatureGate.Enabled(genericfeatures.APIServerIdentity) {
+		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "storage-version-garbage-collector"},
+			Rules: []rbacv1.PolicyRule{
+				rbacv1helpers.NewRule("get", "list", "watch").Groups(coordinationGroup).Resources("leases").RuleOrDie(),
+				rbacv1helpers.NewRule("get", "list", "watch", "patch", "update", "delete").Groups(internalAPIServerGroup).
+					Resources("storageversions").RuleOrDie(),
+				rbacv1helpers.NewRule("get", "patch", "update").Groups(internalAPIServerGroup).
+					Resources("storageversions/status").RuleOrDie(),
+			},
+		})
+	}

 	return controllerRoles, controllerRoleBindings
 }
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -42,23 +42,24 @@ var (
 )

 const (
-	legacyGroup         = ""
-	appsGroup           = "apps"
-	authenticationGroup = "authentication.k8s.io"
-	authorizationGroup  = "authorization.k8s.io"
-	autoscalingGroup    = "autoscaling"
-	batchGroup          = "batch"
-	certificatesGroup   = "certificates.k8s.io"
-	coordinationGroup   = "coordination.k8s.io"
-	discoveryGroup      = "discovery.k8s.io"
-	extensionsGroup     = "extensions"
-	policyGroup         = "policy"
-	rbacGroup           = "rbac.authorization.k8s.io"
-	storageGroup        = "storage.k8s.io"
-	resMetricsGroup     = "metrics.k8s.io"
-	customMetricsGroup  = "custom.metrics.k8s.io"
-	networkingGroup     = "networking.k8s.io"
-	eventsGroup         = "events.k8s.io"
+	legacyGroup            = ""
+	appsGroup              = "apps"
+	authenticationGroup    = "authentication.k8s.io"
+	authorizationGroup     = "authorization.k8s.io"
+	autoscalingGroup       = "autoscaling"
+	batchGroup             = "batch"
+	certificatesGroup      = "certificates.k8s.io"
+	coordinationGroup      = "coordination.k8s.io"
+	discoveryGroup         = "discovery.k8s.io"
+	extensionsGroup        = "extensions"
+	policyGroup            = "policy"
+	rbacGroup              = "rbac.authorization.k8s.io"
+	storageGroup           = "storage.k8s.io"
+	resMetricsGroup        = "metrics.k8s.io"
+	customMetricsGroup     = "custom.metrics.k8s.io"
+	networkingGroup        = "networking.k8s.io"
+	eventsGroup            = "events.k8s.io"
+	internalAPIServerGroup = "internal.apiserver.k8s.io"
 )

 func addDefaultMetadata(obj runtime.Object) {
--- a/test/e2e/apimachinery/BUILD
+++ b/test/e2e/apimachinery/BUILD
@ -27,6 +27,7 @@ go_library(
        "protocol.go",
        "resource_quota.go",
        "server_version.go",
+        "storage_version.go",
        "table_conversion.go",
        "watch.go",
        "webhook.go",
@ -37,6 +38,7 @@ go_library(
        "//pkg/apis/rbac/v1:go_default_library",
        "//pkg/quota/v1/evaluator/core:go_default_library",
        "//staging/src/k8s.io/api/admissionregistration/v1:go_default_library",
+        "//staging/src/k8s.io/api/apiserverinternal/v1alpha1:go_default_library",
        "//staging/src/k8s.io/api/apps/v1:go_default_library",
        "//staging/src/k8s.io/api/authorization/v1:go_default_library",
        "//staging/src/k8s.io/api/batch/v1:go_default_library",
--- a/test/e2e/apimachinery/storage_version.go
+++ b/test/e2e/apimachinery/storage_version.go
@ -0,0 +1,82 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apimachinery
+
+import (
+	"context"
+	"time"
+
+	apiserverinternalv1alpha1 "k8s.io/api/apiserverinternal/v1alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/kubernetes/test/e2e/framework"
+
+	"github.com/onsi/ginkgo"
+)
+
+const (
+	svName     = "storageversion.e2e.test.foos"
+	idNonExist = "id-non-exist"
+)
+
+var _ = SIGDescribe("StorageVersion resources [Feature:StorageVersionAPI]", func() {
+	f := framework.NewDefaultFramework("storage-version")
+
+	ginkgo.It("storage version with non-existing id should be GC'ed", func() {
+		client := f.ClientSet
+		sv := &apiserverinternalv1alpha1.StorageVersion{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: svName,
+			},
+		}
+		createdSV, err := client.InternalV1alpha1().StorageVersions().Create(context.TODO(), sv, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "creating storage version")
+
+		// update the created sv with server storage version
+		version := "v1"
+		createdSV.Status = apiserverinternalv1alpha1.StorageVersionStatus{
+			StorageVersions: []apiserverinternalv1alpha1.ServerStorageVersion{
+				{
+					APIServerID:       idNonExist,
+					EncodingVersion:   version,
+					DecodableVersions: []string{version},
+				},
+			},
+			CommonEncodingVersion: &version,
+		}
+		_, err = client.InternalV1alpha1().StorageVersions().UpdateStatus(
+			context.TODO(), createdSV, metav1.UpdateOptions{})
+		framework.ExpectNoError(err, "updating storage version")
+
+		// wait for sv to be GC'ed
+		framework.Logf("Waiting for storage version %v to be garbage collected", createdSV.Name)
+		err = wait.PollImmediate(100*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
+			_, err := client.InternalV1alpha1().StorageVersions().Get(
+				context.TODO(), createdSV.Name, metav1.GetOptions{})
+			if apierrors.IsNotFound(err) {
+				return true, nil
+			}
+			if err != nil {
+				return false, err
+			}
+			framework.Logf("The storage version %v hasn't been garbage collected yet. Retrying", createdSV.Name)
+			return false, nil
+		})
+		framework.ExpectNoError(err, "garbage-collecting storage version")
+	})
+})