-
Notifications
You must be signed in to change notification settings - Fork 30
Add RevokeAccessContext to DriverRevokeBucketAccess API #147
base: master
Are you sure you want to change the base?
Add RevokeAccessContext to DriverRevokeBucketAccess API #147
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: narayviv The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Welcome @narayviv! |
Hi @narayviv. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
bucketAccessClassName := bucketAccess.Spec.BucketAccessClassName | ||
bucketAccessClass, err := bal.bucketAccessClasses().Get(ctx, bucketAccessClassName, metav1.GetOptions{}) | ||
if kubeerrors.IsNotFound(err) { | ||
return bal.recordError(bucketAccess, v1.EventTypeWarning, events.FailedGrantAccess, err) | ||
} else if err != nil { | ||
klog.V(3).ErrorS(err, "Failed to fetch bucketAccessClass", "bucketAccessClass", bucketAccessClassName) | ||
return fmt.Errorf("failed to fetch BucketAccessClass: %w", err) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have seen issues with this approach in CSI drivers. This leads to drivers implementing code that looks to the StorageClass (approx equivalent to BucketAccessClass), which is mutable and can change over time (or be deleted). This then results in a situation where the driver is unable to proceed with the latest operation.
Instead, the best pattern I have seen is to have the StorageClass data (including opaque params) copied to the PV so that the PV can be managed regardless of whether the StorageClass has been mutated.
I would suggest that the resolution follow the suggested pattern rather than adding the class name, which in my experience encourages inconsistent expectations.
@xing-yang or @shanduur do you have other thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @BlaineEXE ,
Thanks for your suggestion.
Certainly agree with your point here.
As per your suggestion, there's 2 ways (which I can think of), through which Parameters can be made available to the 'DriverRevokeBucketAccess' API.
-
Approach-1: Take Parameter from the Bucket CR spec
Pros:
- Given that the Bucket is already retrieved within the method, makes it easy to fetch parameters field from its spec.
req := &cosi.DriverRevokeBucketAccessRequest{ BucketId: bucket.Status.BucketID, AccountId: bucketAccess.Status.AccountID, RevokeAccessContext: bucket.Spec.Parameters, }
https://github.com/kubernetes-sigs/container-object-storage-interface-provisioner-sidecar/blob/80979e8992a6a2b2166f3ff1e7d39b4ab03f045c/pkg/bucketaccess/bucketaccess_controller.go#L348
Cons:
- This would imply that the Parameters passed in BucketClass & BucketAccessClass should always be same (which it should not be).
- Given, at the time of BucketAccess Grant, Parameter is retrieved & passed from the BucketAccessClass. The
same should be followed for Revoking BucketAccess as well.
https://github.com/kubernetes-sigs/container-object-storage-interface-provisioner-sidecar/blob/80979e8992a6a2b2166f3ff1e7d39b4ab03f045c/pkg/bucketaccess/bucketaccess_controller.go#L170
- Given that the Bucket is already retrieved within the method, makes it easy to fetch parameters field from its spec.
-
Approach-2: Save Parameter in BucketAccess CR spec at the time of creation
Pros:
- Same approach seems to be followed for Bucket CR
https://github.com/kubernetes-sigs/container-object-storage-interface-api/blob/8f3e219335924b998c49c03056d61674361bd132/crds/objectstorage.k8s.io_buckets.yaml#L97 - At the time of BucketAccess CR creation, parameter would be retrieved from the BucketAccessClass CR & stored in its spec.
- Parameter can be directly retrieved from the BucketAccess CR spec
req := &cosi.DriverRevokeBucketAccessRequest{ BucketId: bucket.Status.BucketID, AccountId: bucketAccess.Status.AccountID, RevokeAccessContext: bucketAccess.Spec.Parameters, }
- Parameters in BucketAccessClass can be different & independent of BucketClass CR ( which seems to be the right way).
Cons:
- Changes has to be made in BucketAccess CRD, to support parameter field in its spec.
https://github.com/kubernetes-sigs/container-object-storage-interface-api/blob/8f3e219335924b998c49c03056d61674361bd132/crds/objectstorage.k8s.io_bucketaccesses.yaml#L34
- Same approach seems to be followed for Bucket CR
I am more in-favor of 'Approach-2', but kindly do guide me if there's another way to retrieve 'Parameters' before 'DriverRevokeBucketAccess' API is invoked.
Will wait for your, suggestion & incorporate changes accordingly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think approach 2 is also the more correct one. That means a change to the API in addition to the sidecar.
The next question I have is a matter of SIG/KEP process. With a CRD change, we may need to change the KEP. @xing-yang is it okay to make this change (what I consider a minor change) to the repos, or should we update the KEP first?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @BlaineEXE , @xing-yang,
Any update on this..?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I can add my 5-cents, I am also in favor of the approach 2. Unfortunately, I think those changes will be required to be added to the KEP for v1alpha2, as this is pretty major breaking change in the controller behavior.
// Copyright 2024 Hewlett Packard Enterprise Development LP. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@xing-yang do you know if there is a K8s/SIG policy about adding copyright attributions like this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will wait for @xing-yang response as well & address this.
In addition to EasyCLA (required), we are working to consolidate controller and sidecar code into one repo for easier management and testing. That would be this repo and branch: https://github.com/kubernetes-sigs/container-object-storage-interface-api/tree/monorepo |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Requesting changes while discussions are still needed.
@@ -3,6 +3,7 @@ module sigs.k8s.io/container-object-storage-interface-provisioner-sidecar | |||
go 1.18 | |||
|
|||
require ( | |||
github.com/agiledragon/gomonkey/v2 v2.12.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have reservations about using a monkey patch library. I realize that monkey patching is a common trend in python and ruby development (and other similar scripting languages), but my understanding is that the Golang devs specifically didn't allow for similar functionality.
When I have investigated monkey patching for unit tests in Go, the advice I have seen is to instead use interfaces (even defining custom ones for unit tests if needed) and mocking using Go's builtin language tools.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, will incorporate this in my next commit.
For the EasyCLA -> Iam waiting for a response from my OSRB team. |
Problem:
The current API 'DriverRevokeBucketAccess' for revoking a bucket's access, when invoked from the sidecar just passes the values for 'BucketId' & 'AccountId' alone.
Whereas the steps for revoking a bucket's access, might as well require the input passed with the 'Parameters' field, in the BucketAccessClass( linked to the Bucket Access CR).
https://github.com/kubernetes-sigs/container-object-storage-interface-api/blob/8f3e219335924b998c49c03056d61674361bd132/crds/objectstorage.k8s.io_bucketaccessclasses.yaml#L43
Implementation/Fix:
The latest available version of 'container-object-storage-interface-spec' supports passing a map<string,string> along with 'BucketId' & 'AccountId' in the API 'DriverRevokeBucketAccess'.
https://github.com/kubernetes-sigs/container-object-storage-interface-spec/blob/af070610a0e16b5713c5e248eb84fa7526626953/cosi.proto#L239
We can leverage this in sidecar code, by fetching the parameters provided in the BucketAccessClass & pass it to the 'DriverRevokeBucketAccess' API along with parameters 'BucketId' & 'AccountId'