feat: cleanup feature gates for CSIPersistentVolume

draveness 2019-06-23 16:46:49 +08:00
parent 8c3b7d7679
commit 8e9472ba79
10 changed files with 36 additions and 88 deletions


@ -77,9 +77,7 @@ func ProbeAttachableVolumePlugins() []volume.VolumePlugin {
allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...) allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...) allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...) allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
}
return allPlugins return allPlugins
} }


@ -52,11 +52,9 @@ import (
"k8s.io/kubernetes/pkg/volume/secret" "k8s.io/kubernetes/pkg/volume/secret"
"k8s.io/kubernetes/pkg/volume/storageos" "k8s.io/kubernetes/pkg/volume/storageos"
"k8s.io/kubernetes/pkg/volume/vsphere_volume" "k8s.io/kubernetes/pkg/volume/vsphere_volume"
// Cloud providers // Cloud providers
_ "k8s.io/kubernetes/pkg/cloudprovider/providers" _ "k8s.io/kubernetes/pkg/cloudprovider/providers"
// features check
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features"
) )
// ProbeVolumePlugins collects all volume plugins into an easy to use list. // ProbeVolumePlugins collects all volume plugins into an easy to use list.
@ -94,9 +92,7 @@ func ProbeVolumePlugins() []volume.VolumePlugin {
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...) allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, local.ProbeVolumePlugins()...) allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...) allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
}
return allPlugins return allPlugins
} }


@ -2037,8 +2037,6 @@ func TestValidateCSIVolumeSource(t *testing.T) {
}, },
} }
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIPersistentVolume, true)()
for i, tc := range testCases { for i, tc := range testCases {
errs := validateCSIPersistentVolumeSource(tc.csi, field.NewPath("field")) errs := validateCSIPersistentVolumeSource(tc.csi, field.NewPath("field"))


@ -180,12 +180,6 @@ const (
// Enable running mount utilities in containers. // Enable running mount utilities in containers.
MountContainers featuregate.Feature = "MountContainers" MountContainers featuregate.Feature = "MountContainers"
// owner: @vladimirvivien
// GA: v1.13
//
// Enable mount/attachment of Container Storage Interface (CSI) backed PVs
CSIPersistentVolume featuregate.Feature = "CSIPersistentVolume"
// owner: @saad-ali // owner: @saad-ali
// alpha: v1.12 // alpha: v1.12
// beta: v1.14 // beta: v1.14
@ -494,7 +488,6 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
CPUCFSQuotaPeriod: {Default: false, PreRelease: featuregate.Alpha}, CPUCFSQuotaPeriod: {Default: false, PreRelease: featuregate.Alpha},
ServiceNodeExclusion: {Default: false, PreRelease: featuregate.Alpha}, ServiceNodeExclusion: {Default: false, PreRelease: featuregate.Alpha},
MountContainers: {Default: false, PreRelease: featuregate.Alpha}, MountContainers: {Default: false, PreRelease: featuregate.Alpha},
CSIPersistentVolume: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.16
CSIDriverRegistry: {Default: true, PreRelease: featuregate.Beta}, CSIDriverRegistry: {Default: true, PreRelease: featuregate.Beta},
CSINodeInfo: {Default: true, PreRelease: featuregate.Beta}, CSINodeInfo: {Default: true, PreRelease: featuregate.Beta},
BlockVolume: {Default: true, PreRelease: featuregate.Beta}, BlockVolume: {Default: true, PreRelease: featuregate.Beta},


@ -64,13 +64,11 @@ func AddGraphEventHandlers(
DeleteFunc: g.deletePV, DeleteFunc: g.deletePV,
}) })
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { attachments.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
attachments.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: g.addVolumeAttachment,
AddFunc: g.addVolumeAttachment, UpdateFunc: g.updateVolumeAttachment,
UpdateFunc: g.updateVolumeAttachment, DeleteFunc: g.deleteVolumeAttachment,
DeleteFunc: g.deleteVolumeAttachment, })
})
}
} }
func (g *graphPopulator) addNode(obj interface{}) { func (g *graphPopulator) addNode(obj interface{}) {


@ -108,10 +108,7 @@ func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (authorizer.Deci
case pvResource: case pvResource:
return r.authorizeGet(nodeName, pvVertexType, attrs) return r.authorizeGet(nodeName, pvVertexType, attrs)
case vaResource: case vaResource:
if r.features.Enabled(features.CSIPersistentVolume) { return r.authorizeGet(nodeName, vaVertexType, attrs)
return r.authorizeGet(nodeName, vaVertexType, attrs)
}
return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.CSIPersistentVolume), nil
case svcAcctResource: case svcAcctResource:
if r.features.Enabled(features.TokenRequest) { if r.features.Enabled(features.TokenRequest) {
return r.authorizeCreateToken(nodeName, serviceAccountVertexType, attrs) return r.authorizeCreateToken(nodeName, serviceAccountVertexType, attrs)


@ -40,8 +40,6 @@ import (
) )
var ( var (
csiEnabledFeature = featuregate.NewFeatureGate()
csiDisabledFeature = featuregate.NewFeatureGate()
trEnabledFeature = featuregate.NewFeatureGate() trEnabledFeature = featuregate.NewFeatureGate()
trDisabledFeature = featuregate.NewFeatureGate() trDisabledFeature = featuregate.NewFeatureGate()
leaseEnabledFeature = featuregate.NewFeatureGate() leaseEnabledFeature = featuregate.NewFeatureGate()
@ -51,12 +49,6 @@ var (
) )
func init() { func init() {
if err := csiEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.CSIPersistentVolume: {Default: true}}); err != nil {
panic(err)
}
if err := csiDisabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.CSIPersistentVolume: {Default: false}}); err != nil {
panic(err)
}
if err := trEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.TokenRequest: {Default: true}}); err != nil { if err := trEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.TokenRequest: {Default: true}}); err != nil {
panic(err) panic(err)
} }
@ -204,22 +196,9 @@ func TestAuthorizer(t *testing.T) {
expect: authorizer.DecisionNoOpinion, expect: authorizer.DecisionNoOpinion,
}, },
{ {
name: "disallowed attachment - no relationship", name: "allowed attachment",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node1"}, attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node0"},
features: csiEnabledFeature, expect: authorizer.DecisionAllow,
expect: authorizer.DecisionNoOpinion,
},
{
name: "disallowed attachment - feature disabled",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node0"},
features: csiDisabledFeature,
expect: authorizer.DecisionNoOpinion,
},
{
name: "allowed attachment - feature enabled",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node0"},
features: csiEnabledFeature,
expect: authorizer.DecisionAllow,
}, },
{ {
name: "allowed svcacct token create - feature enabled", name: "allowed svcacct token create - feature enabled",
@ -777,22 +756,14 @@ func BenchmarkAuthorization(b *testing.B) {
expect: authorizer.DecisionNoOpinion, expect: authorizer.DecisionNoOpinion,
}, },
{ {
name: "disallowed attachment - no relationship", name: "disallowed attachment - no relationship",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node1"}, attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node1"},
features: csiEnabledFeature, expect: authorizer.DecisionNoOpinion,
expect: authorizer.DecisionNoOpinion,
}, },
{ {
name: "disallowed attachment - feature disabled", name: "allowed attachment",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node0"}, attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node0"},
features: csiDisabledFeature, expect: authorizer.DecisionAllow,
expect: authorizer.DecisionNoOpinion,
},
{
name: "allowed attachment - feature enabled",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "volumeattachments", APIGroup: "storage.k8s.io", Name: "attachment0-node0"},
features: csiEnabledFeature,
expect: authorizer.DecisionAllow,
}, },
} }
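Review bot: The TestAuthorizer table loses its only visible negative volumeattachments case: on the new side of the `-204,22 +196,9` hunk only "allowed attachment" (node0 reading attachment0-node0) remains, while "disallowed attachment - no relationship" survives only in the BenchmarkAuthorization table. Since the authorizer in this commit now always routes vaResource to authorizeGet, that case is the one that pins a node being refused another node's VolumeAttachment. I would keep it in TestAuthorizer with the `features` field dropped: `name: "disallowed attachment - no relationship",`, the same attrs with `Name: "attachment0-node1"`, and `expect: authorizer.DecisionNoOpinion,`. The test table extends beyond the hunk, so an equivalent case may exist elsewhere; if it does not, this is a coverage regression on an authorization boundary.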


@ -68,17 +68,15 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
rbacv1helpers.NewRule("patch", "update").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(), rbacv1helpers.NewRule("patch", "update").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(), rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
eventsRule(), eventsRule(),
rbacv1helpers.NewRule("get", "create", "delete", "list", "watch").Groups(storageGroup).Resources("volumeattachments").RuleOrDie(),
}, },
} }
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { if utilfeature.DefaultFeatureGate.Enabled(features.CSIDriverRegistry) {
role.Rules = append(role.Rules, rbacv1helpers.NewRule("get", "create", "delete", "list", "watch").Groups(storageGroup).Resources("volumeattachments").RuleOrDie()) role.Rules = append(role.Rules, rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csidrivers").RuleOrDie())
if utilfeature.DefaultFeatureGate.Enabled(features.CSIDriverRegistry) { }
role.Rules = append(role.Rules, rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csidrivers").RuleOrDie()) if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) && utilfeature.DefaultFeatureGate.Enabled(features.CSIMigration) {
} role.Rules = append(role.Rules, rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csinodes").RuleOrDie())
if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) && utilfeature.DefaultFeatureGate.Enabled(features.CSIMigration) {
role.Rules = append(role.Rules, rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csinodes").RuleOrDie())
}
} }
return role return role
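Review bot: This role now spells the same API group two ways: the volumeattachments rule moved into the base rule list uses `Groups(storageGroup)`, while the csidrivers and csinodes rules just below keep the literal `Groups("storage.k8s.io")`. Assuming storageGroup holds that same value, using the constant in all three, e.g. `rbacv1helpers.NewRule("get", "watch", "list").Groups(storageGroup).Resources("csidrivers").RuleOrDie()`, keeps rules for one API group from drifting apart when the policy is audited or edited. The same literal appears in the csidrivers rule of the NodeRules hunk. The enclosing function starts and ends outside this hunk.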


@ -139,6 +139,9 @@ func NodeRules() []rbacv1.PolicyRule {
// Used to create a certificatesigningrequest for a node-specific client certificate, and watch // Used to create a certificatesigningrequest for a node-specific client certificate, and watch
// for it to be signed. This allows the kubelet to rotate it's own certificate. // for it to be signed. This allows the kubelet to rotate it's own certificate.
rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(), rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
// CSI
rbacv1helpers.NewRule("get").Groups(storageGroup).Resources("volumeattachments").RuleOrDie(),
} }
if utilfeature.DefaultFeatureGate.Enabled(features.ExpandPersistentVolumes) { if utilfeature.DefaultFeatureGate.Enabled(features.ExpandPersistentVolumes) {
@ -156,13 +159,9 @@ func NodeRules() []rbacv1.PolicyRule {
} }
// CSI // CSI
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { if utilfeature.DefaultFeatureGate.Enabled(features.CSIDriverRegistry) {
volAttachRule := rbacv1helpers.NewRule("get").Groups(storageGroup).Resources("volumeattachments").RuleOrDie() csiDriverRule := rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csidrivers").RuleOrDie()
nodePolicyRules = append(nodePolicyRules, volAttachRule) nodePolicyRules = append(nodePolicyRules, csiDriverRule)
if utilfeature.DefaultFeatureGate.Enabled(features.CSIDriverRegistry) {
csiDriverRule := rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csidrivers").RuleOrDie()
nodePolicyRules = append(nodePolicyRules, csiDriverRule)
}
} }
if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) && if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) &&
utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) { utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
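Review bot: The new `// CSI` comment above the now-unconditional volumeattachments rule does not say why every node receives it, and the second hunk leaves another bare `// CSI` comment over the CSIDriverRegistry block. The rule itself grants `get` on all volumeattachments; as far as this commit shows, restricting a node to its own attachments is done by the node authorizer's vaResource case, not here. I would replace the first comment with something like `// Lets the kubelet read VolumeAttachment objects for CSI volumes; limiting a node to its own attachments is left to the Node authorizer.` and make the later one `// CSI driver registry`. NodeRules starts and ends outside these hunks.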


@ -957,6 +957,12 @@ items:
- get - get
- list - list
- watch - watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -971,12 +977,6 @@ items:
- serviceaccounts/token - serviceaccounts/token
verbs: verbs:
- create - create
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- apiGroups: - apiGroups:
- storage.k8s.io - storage.k8s.io
resources: resources: