Add support for emptyDir volume type #11669
Conversation
knative-prow-robot
added
size/L
Codecov Report
@@ Coverage Diff @@
## main #11669 +/- ##
==========================================
- Coverage 87.82% 87.78% -0.05%
==========================================
Files 190 190
Lines 9249 9275 +26
==========================================
+ Hits 8123 8142 +19
- Misses 876 879 +3
- Partials 250 254 +4
Continue to review full report at Codecov.
|
hack/schemapatch-config.yaml
Outdated
| @@ -9,6 +9,7 @@ k8s.io/api/core/v1.VolumeSource: | |||
| - Secret | |||
| - ConfigMap | |||
| - Projected | |||
| - EmptyDir | |||
There was a problem hiding this comment.
We should add a preserveUnknownFields: true # for feature flagged fields here in accordance with the other types. So far, all of the fields that require a feature flag are not actually in the schema but allowed this way.
There was a problem hiding this comment.
Ok yes let me try that, want to check what it means from a validation perspective.
There was a problem hiding this comment.
a few drive-by comments. Looks good overall.
/assign @dprotaso
pkg/apis/config/features.go
Outdated
| @@ -72,7 +73,8 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) { | |||
| asFlag("kubernetes.containerspec-addcapabilities", &nc.ContainerSpecAddCapabilities), | |||
| asFlag("kubernetes.podspec-tolerations", &nc.PodSpecTolerations), | |||
| asFlag("tag-header-based-routing", &nc.TagHeaderBasedRouting), | |||
| asFlag("autodetect-http2", &nc.AutoDetectHTTP2)); err != nil { | |||
| asFlag("autodetect-http2", &nc.AutoDetectHTTP2), | |||
| asFlag("kubernetes.podspec-volumes-emptydir", &nc.PodSpecVolumesEmptyDir)); err != nil { | |||
There was a problem hiding this comment.
nit: group with the others?
pkg/apis/config/features.go
Outdated
| @@ -97,6 +99,7 @@ type Features struct { | |||
| PodSpecTolerations Flag | |||
| TagHeaderBasedRouting Flag | |||
| AutoDetectHTTP2 Flag | |||
| PodSpecVolumesEmptyDir Flag | |||
pkg/apis/serving/k8s_validation.go
Outdated
| if volume.EmptyDir != nil { | ||
| if features.PodSpecVolumesEmptyDir != config.Enabled { |
There was a problem hiding this comment.
| if volume.EmptyDir != nil { | |
| if features.PodSpecVolumesEmptyDir != config.Enabled { | |
| if volume.EmptyDir != nil && features.PodSpecVolumesEmptyDir != config.Enabled { |
pkg/apis/serving/fieldmask.go
Outdated
| @@ -57,6 +58,7 @@ func VolumeSourceMask(in *corev1.VolumeSource) *corev1.VolumeSource { | |||
| out.Secret = in.Secret | |||
| out.ConfigMap = in.ConfigMap | |||
| out.Projected = in.Projected | |||
| out.EmptyDir = in.EmptyDir | |||
There was a problem hiding this comment.
Any reason we don't check the feature flag here like we do for example for the SecurtityContext types?
There was a problem hiding this comment.
A few lines above before a volumeValidation call is done, we check the features flags and emit an error.
Creating more errors from that point on seemed verbose to me. Otherwise we could create two errors (volumeMask and volumeSourceMask) and avoid the top one or have them all anyway.
config/core/configmaps/features.yaml
Outdated
| @@ -131,3 +131,8 @@ data: | |||
| # 1. Enabled: http2 connection will be attempted via upgrade. | |||
| # 2. Disabled: http2 connection will only be attempted when port name is set to "h2c". | |||
| autodetect-http2: "disabled" | |||
|
|
|||
| # Controls whether volume supporty for EmptyDir is enabled or not. | |||
There was a problem hiding this comment.
| # Controls whether volume supporty for EmptyDir is enabled or not. | |
| # Controls whether volume support for EmptyDir is enabled or not. |
pkg/apis/serving/k8s_validation.go
Outdated
| for i, volume := range vs { | ||
| // skip validating empty dir volumes if the feature is not enabled |
There was a problem hiding this comment.
Im not sure I understand this comment; we skip validating if the feature (that is, allowing this type of volume) is enabled. (If the feature is disabled then we DO validate that the volume is not there). Is the comment supposed to be further down maybe, above the validateEmptyDirFields line?
There was a problem hiding this comment.
Yeah this needs to be removed initially I had a different logic here.
pkg/apis/serving/k8s_validation.go
Outdated
| if len(specified) == 0 { | ||
| errs = errs.Also(apis.ErrMissingOneOf("secret", "configMap", "projected")) | ||
| errs = errs.Also(apis.ErrMissingOneOf("secret", "configMap", "projected", "emptyDir")) |
There was a problem hiding this comment.
presumably "emptydir" should only be in this list if the flag is enabled?
|
A question for everyone (@julz, @skonto, @markusthoemmes) - what do people thing about allowing |
|
Personally, I'm game, but what are the ramifications of that? Do we need to change specs? |
|
interesting! I'm pretty ok with it, on balance, from a security perspective: it's technically more surface area, but not dramatically (although as it happens there was a recent upstream cve that not supporting arbitrary volumes meant we weren't exposed to). Thinking out loud it does seems possible though to imagine a more opinionated administrator wanting to turn this off it in order to prevent patterns that might be difficult to support (like downloading models on startup), and if we add it without a feature flag then as @markusthoemmes says arguably we should probably add it to the spec, and it may not be a feature all implementations could support so.. I'd probably vote for keeping it flagged, though not very strongly and I'm super ok going another way if y'all disagree. (I do wish we could have a more generic way to exclude fields so we could get out of the PodSpec validation business; maybe the openapi stuff eventually?..) |
So the specs are more about conformance - and technically the OSS implementation can be a superset of that. ie. We surface replica counts in the revision status though it's not in the spec at this moment. When we bring that to the KTC it could be veto'd by a member. Similarly this is the same case with multiple containers. |
|
My motivation for |
|
I'm ok being conservative and having the flag to introduce this feature. ie. I'm not sure there are resourceLimits on emptyDir volumes etc. But long term I think it's beneficial to open it up |
|
oh interesting you can have limits and requests on ephemeral storage |
Yah I actually double-checked that before writing the sentence about being ok with it from a security perspective 😇 |
|
I would vote to keep it flagged but open it up later for sure (if we see no issues). Btw if an emptyDir should not be allowed in an app it could be caught at the deployment level eg. yaml file when people submit code or by setting a podSecurityPolicy that does not allow this volume type (same approach to avoid hostPath mounts in arbitrary pods). However, the flag is an easier way to do so in any case (but not that flexible as it is an on/off approach). |
|
Sounds good |
skonto
force-pushed
the
add_emptydir_support
branch
from
943b8c9 to
6392811
Compare
|
Ready for another review round. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dprotaso, skonto The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow-robot
added
the
approved
|
Awesome to see this. I was just asking in slack about this because I want it for something I'm playing with! 🎉 |
* support emptyDir volume * fixes * reorder feature
* support emptyDir volume * fixes * reorder feature
* Add support for emptyDir volume type (knative#11669) * support emptyDir volume * fixes * reorder feature * Add support for emptydir rw access and e2e testing (knative#11705) * add support for emptydir rw access, e2e * fix header * fix quantity * set to alpha feature * toggle feature * fixes * fix fmt * fix nit Co-authored-by: Stavros Kontopoulos <[email protected]>
Part of work in #11664
Proposed Changes
kubernetes.podspec-volumes-emptydir, updates the related CRD and apis.Tested manually, test cases and results here.
/cc @dprotaso @julz @markusthoemmes