The SELinuxWarningController does not necessarily need permissions to read
the objects, because it gets them through a shared informer instantiated by
KCM itself, but let's list the permissions for completeness.
This makes a configuration with --feature-gates=AllAlpha=true valid
again. Without this change, that flag enabled DRAAdminAccess without
DynamicResourceAllocation being enabled (default off!) and the kube-apiserver
refused to start.
While DRAAdminAccess isn't usable without DynamicResourceAllocation, it's also
not really wrong to allow it - it simply won't matter.
Supporting the alpha gRPC interface isn't enough anymore to be compatible
with kubelet 1.31: the "supported versions" must contain version numbers,
otherwise the older kubelet refuses to register the driver.
With this change, a DRA driver can decide to support both kubelet 1.31 and
kubelet 1.32 by registering *only* the alpha gRPC interface (NodeV1alpha4(true)
and NodeV1beta1(false) as options for Start).
The default is to provide both interfaces and using the registration mechanism
for 1.32, which makes DRA drivers compatible only with Kubernetes >= 1.32.
Listing supported gRPC services (e.g. drav1alpha3.Node, drav1beta1.DRAPlugin)
during registration enables the kubelet to determine in advance which methods
it can call.
Versioning by Kubernetes release makes less sense because it doesn't say
anything about which gRPC service is supported. New ones might get added and
obsolete ones removed. Some services might be optional.
In the past, this versioning support wasn't really used. At least one version
had to be provided and kubelet tried to use the plugin with the highest
version. This version comparison gets dropped. In the unlikely situation
that different plugins register under the same name, the most recent one is
used.
Because advertising gRPC services is a new convention, plugins only reporting
some version are treated as providing the old alpha gRPC service.
Using 1.0 was a workaround to grant Kubernetes 1.31 access to things introduce
in that same release. In Kubernetes 1.32 we don't need that workaround anymore
because everything is still available after a downgrade and thus usable.
This becomes relevant once DynamicResourceAllocation becomes beta with
"disabled" as default. Otherwise AllAlpha=true enables DRAAdminAccess which
depends on DynamicResourceAllocation, which is disabled.
This enables a future extension where capacity of a single device gets consumed
by different claims. The semantic without any additional fields is the same as
before: a capacity cannot be split up and is only an attribute of a device.
Because its semantically the same as before, two-way conversion to v1alpha3 is
possible.
This is meant to make it easier to remove the v1alpha3 because it won't be used
in clusters that started with DRA as beta in Kubernetes 1.32 when all clients
support v1beta1.
The tag is about the version/type combination, not just the type. The v1beta1
types will become deprecated automatically after three releases, starting in
1.32.
The v1alpha3 types get marked as replaced to ensure that the compatibility
version code doesn't force using v1alpha3 as storage
version (https://github.com/kubernetes/kubernetes/issues/128448).
The line coverage is now at 98.5% and several more corner cases are
covered. The remaining lines are hard or impossible to reach.
The actual validation is the same as before, with some small tweaks to the
generated errors.
When failures are not as expected, it is useful to show what the expected and
actual failures look like to a user. Perhaps even better would be to put the
expected texts into the test files instead of the error structs. That would
be easier to review and shorter.
selinux_volume_conflict should not have space in its label value - it's
harder to query for that value. Use SELinuxLabel as both human friendly (in
an event) and label value.
* Remove Controller.recorder field, there already is eventRecorder.
* Start the event broadcaster in Run(), to save a bit of CPU and memory
when something initializes the controller, but does not Run() it.
* Log events with log level 3, as the other contollers usually do.
* Use StartStructuredLogging(), which looks fancier than StartLogging
Rename old CreateVolumeSpec to CreateVolumeSpecWithNodeMigration that
extracts volume.Spec with node specific CSI migration.
Add CreateVolumeSpec that does the same, only without evaluating node CSI
migration.
The v1beta1 API is identical to the previous v1alpha4, which erroneously was
still called "v1alpha3" in a few places, including the gRPC interface
definition itself.
The only reason for v1beta1 is to document the increased maturity of this API.
To simplify the transition, kubelet supports both v1alpha4 and v1beta1, picking
the more recent one automatically. All that DRA driver authors need to do to
implement v1beta1 is to update to the latest
k8s.io/dynamic-resource-allocation/kubeletplugin: it will automatically
register both API versions unless explicitly configured otherwise, which is
mostly just for testing.
DRA driver authors may replace their package import of v1alpha4 with v1beta1,
but they don't have to because the types in both packages are the same.
