Add document for Provision volumes from cross namespace data sources #37802
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
👷 Deploy Preview for kubernetes-io-vnext-staging processing.
|
k8s-ci-robot
added
the
size/XS
k8s-ci-robot
added
the
sig/docs
ttakahashi21
force-pushed
the
dev-1.26-KEP-3294-doc
branch
from
d5e3277 to
9eb5a89
Compare
sftim
left a comment
sftim
left a comment
There was a problem hiding this comment.
Thanks. Please also update https://kubernetes.io/docs/concepts/storage/volume-snapshots/#provisioning-volumes-from-snapshots to document the new optional / alpha feature.
| This feature gate guards *a group* of CPUManager options whose quality level is beta. | ||
| This feature gate will never graduate to stable. | ||
| - `CPUManagerPolicyOptions`: Allow fine-tuning of CPUManager policies. | ||
| - `CrossNamespaceVolumeDataSource`: Enable usage of Provision of PVCs from VolumeSnasphot in other namespaces. |
There was a problem hiding this comment.
| - `CrossNamespaceVolumeDataSource`: Enable usage of Provision of PVCs from VolumeSnasphot in other namespaces. | |
| - `CrossNamespaceVolumeDataSource`: Enable provisioning a {{< glossary_tooltip text="PersistentVolumeClaim" term_id="persistent-volume-claim" >}} | |
| (PVC) that is based on VolumeSnapshot in a different namespace from the PVC. |
There was a problem hiding this comment.
@sftim
https://github.com/kubernetes/website/pull/37802/files#diff-f937c4715e7d2fa6db515660503a56c87c317122dc2860873c7022e20e452141R414-R415
I checked the contents of the description again and fixed.
|
BTW: |
k8s-ci-robot
added
the
needs-rebase
ttakahashi21
changed the title
k8s-ci-robot
added
do-not-merge/work-in-progress
ttakahashi21
force-pushed
the
dev-1.26-KEP-3294-doc
branch
from
fc83165 to
ac84088
Compare
k8s-ci-robot
removed
the
needs-rebase
ttakahashi21
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/assign msau42 |
|
|
||
| ## Provision of PersistentVolumeClaims from VolumeSnasphot in other namespaces | ||
|
|
||
| {{< feature-state for_k8s_version="v1.26" state="alpha" >}} |
There was a problem hiding this comment.
I think it would be good to incorporate this section into the "Data source references" above.
k8s-ci-robot
added
the
needs-rebase
| resources: | ||
| requests: | ||
| storage: 1Gi | ||
| dataSourceRef2: |
There was a problem hiding this comment.
dataSourceRef2 -> dataSourceRef
There was a problem hiding this comment.
I don't see the fix. Did you reupload?
There was a problem hiding this comment.
Sorry, I mistake. I fixed now.
|
|
||
| * While the `dataSource` field only allows two specific types of objects, the `dataSourceRef` field allows any non-core object, as well as PersistentVolumeClaim objects. | ||
| * While the `dataSource` field ignores disallowed values (dropping them), the `dataSourceRef` field preserves all values, and generates an error if a disallowed value is specified. | ||
| * While the `dataSource`field only allows local objects, the `dataSourceRef` field allows objects in any namespaces. |
There was a problem hiding this comment.
I think the first 2 are repeats of L979-L983.
Probably can reword this to say something like
When the CrossNamespaceVolumeDataSource feature is enabled, there are additional differences:
* The `dataSource`field only allows local objects, while the `dataSourceRef` field allows objects in any namespaces.
* `dataSource` and `dataSourceRef` are not synced.
| same namespace, except for core objects other than PVCs. For clusters that have the feature | ||
| gate enabled, use of the `dataSourceRef` is preferred over `dataSource`. | ||
|
|
||
| ## Cross Namespace Volume Data Source and data sources |
There was a problem hiding this comment.
Reword to "Cross namespace data sources"
| resources: | ||
| requests: | ||
| storage: 1Gi | ||
| dataSourceRef2: |
There was a problem hiding this comment.
I don't see the fix. Did you reupload?
| the process. | ||
|
|
||
| ### Using Cross Namespace Volume Data Source | ||
|
|
There was a problem hiding this comment.
Can you add the feature gate tag here, and also add an example of the ReferenceGrant?
There was a problem hiding this comment.
Add feature gate tag and example.
ttakahashi21
force-pushed
the
dev-1.26-KEP-3294-doc
branch
from
3a3578c to
7cfe0a3
Compare
| * The `dataSourceRef` field may contain different types of objects, while the `dataSource` field | ||
| only allows PVCs and VolumeSnapshots. | ||
|
|
||
| When the CrossNamespaceVolumeDataSource feature is enabled, there are additional differences: |
There was a problem hiding this comment.
Add the backtick, ie CrossNamespaceVolumeDataSource
| When the CrossNamespaceVolumeDataSource feature is enabled, there are additional differences: | ||
|
|
||
| * The `dataSource` field only allows local objects, while the `dataSourceRef` field allows objects in any namespaces. | ||
| * `dataSource` and `dataSourceRef` are not synced. |
There was a problem hiding this comment.
Oh one more clarification: "When namespace is specified, dataSource and dataSourceRef are not synced"
| apiVersion: gateway.networking.k8s.io/v1beta1 | ||
| kind: ReferenceGrant | ||
| metadata: | ||
| name: bar |
There was a problem hiding this comment.
a more descriptive name may be "allow-ns1-pvc"
|
tech review lgtm, just some minor nits. Looks like the PR needs to be rebased as well. |
ttakahashi21
force-pushed
the
dev-1.26-KEP-3294-doc
branch
from
7cfe0a3 to
b955024
Compare
k8s-ci-robot
removed
the
needs-rebase
| When the `CrossNamespaceVolumeDataSource` feature is enabled, there are additional differences: | ||
|
|
||
| * The `dataSource` field only allows local objects, while the `dataSourceRef` field allows objects in any namespaces. | ||
| * When namespace is specified, dataSource and dataSourceRef are not synced. |
There was a problem hiding this comment.
Add the backticks for dataSource and dataSourceRef
ttakahashi21
force-pushed
the
dev-1.26-KEP-3294-doc
branch
3 times, most recently
from
6b17ed0 to
c97489e
Compare
|
cc @krol3 |
sftim
left a comment
sftim
left a comment
There was a problem hiding this comment.
For beta, we must make sure mention ReferenceGrants in the authorization documentation - see https://kubernetes.io/docs/reference/access-authn-authz/
A mention in https://kubernetes.io/docs/concepts/security/ would be nice-to-have for beta, too.
It'd be even better to make those changes early, for alpha, but it's not mandatory.
| ## Cross namespace data sources | ||
| {{< feature-state for_k8s_version="v1.26" state="alpha" >}} | ||
|
|
||
| Kubernetes supports cross namespace volume data source. |
There was a problem hiding this comment.
(nit)
| Kubernetes supports cross namespace volume data source. | |
| Kubernetes supports cross namespace volume data sources. |
| To use cross namespace volume datasource, you must enable the `AnyVolumeDataSource` and `CrossNamespaceVolumeDataSource` | ||
| [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for |
There was a problem hiding this comment.
(nit)
| To use cross namespace volume datasource, you must enable the `AnyVolumeDataSource` and `CrossNamespaceVolumeDataSource` | |
| [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for | |
| To use cross namespace volume data sources, you must enable the `AnyVolumeDataSource` and `CrossNamespaceVolumeDataSource` | |
| [feature gates](/docs/reference/command-line-tools-reference/feature-gates/) for |
| To use cross namespace volume datasource, you must enable the `AnyVolumeDataSource` and `CrossNamespaceVolumeDataSource` | ||
| [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for | ||
| the kube-apiserver, kube-controller-manager. | ||
| Also, you must enable the `CrossNamespaceVolumeDataSource` feature gate for csi-provisioner. |
There was a problem hiding this comment.
(nit)
| Also, you must enable the `CrossNamespaceVolumeDataSource` feature gate for csi-provisioner. | |
| Also, you must enable the `CrossNamespaceVolumeDataSource` feature gate for the csi-provisioner. |
| Also, you must enable the `CrossNamespaceVolumeDataSource` feature gate for csi-provisioner. | ||
|
|
||
| Enabling the `CrossNamespaceVolumeDataSource` feature gate allow you to specify a namespace in the dataSourceRef field. | ||
| {{< note >}} When a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the [ReferenceGrant documentation](https://gateway-api.sigs.k8s.io/api-types/referencegrant/) for details. |
There was a problem hiding this comment.
| {{< note >}} When a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the [ReferenceGrant documentation](https://gateway-api.sigs.k8s.io/api-types/referencegrant/) for details. | |
| {{< note >}} | |
| When you specify a namespace for a volume data source, Kubernetes checks for a | |
| ReferenceGrant in the other namespace before accepting the reference. | |
| ReferenceGrant is part of the `gateway.networking.k8s.io` extension APIs. | |
| See [ReferenceGrant](https://gateway-api.sigs.k8s.io/api-types/referencegrant/) in the Gateway API documentation for details. | |
| This means that you must extend your Kubernetes cluster with at least ReferenceGrant from the | |
| Gateway API before you can use this mechanism. | |
| {{< /note >}} |
Ideally, we'd also add a glossary entry for ReferenceGrant. We'll definitely need that if this feature moves to beta
and ReferenceGrant is still part of Gateway rather than a general Kubernetes extension.
| responsibility of that populator controller to report Events that relate to volume creation and issues during | ||
| the process. | ||
|
|
||
| ### Using Cross Namespace Volume Data Source |
There was a problem hiding this comment.
| ### Using Cross Namespace Volume Data Source | |
| ### Using a cross-namespace volume data source |
Even better: add a separate task page, and hyperlink to that task page here. The task can include deploying the CRD for ReferenceGrant.
| ### Using Cross Namespace Volume Data Source | ||
| {{< feature-state for_k8s_version="v1.26" state="alpha" >}} | ||
|
|
||
| Create a gateway.networking.k8s.io/ReferenceGrant to allow the namespace owner to accept the reference. |
There was a problem hiding this comment.
| Create a gateway.networking.k8s.io/ReferenceGrant to allow the namespace owner to accept the reference. | |
| Create a ReferenceGrant to allow the namespace owner to accept the reference. |
The API group is gateway.networking.k8s.io/v1beta1. I don't want to mention gateway.networking.k8s.io as a bare thing for an odd reason: we can't name what this is. I mean, it's a domain name but we don't have a name for “an API group, but just the bit before the slash, no version details”.
| namespace: default | ||
| spec: | ||
| from: | ||
| - group: "" |
There was a problem hiding this comment.
Optionally, add a comment about why this is blank.
There was a problem hiding this comment.
Because PersistentVolumeClaim API is core API
There was a problem hiding this comment.
(don't tell me - tell the readers!)
| This feature gate will never graduate to stable. | ||
| - `CPUManagerPolicyOptions`: Allow fine-tuning of CPUManager policies. | ||
| - `CrossNamespaceVolumeDataSource`: Enable the usage of cross namespace volume data source | ||
| to allow you to specify a namespace in the dataSourceRef field. |
There was a problem hiding this comment.
| to allow you to specify a namespace in the dataSourceRef field. | |
| to allow you to specify a source namespace in the `dataSourceRef` field of a | |
| PersistentVolumeClaim. |
| {{< feature-state for_k8s_version="v1.26" state="alpha" >}} | ||
|
|
||
| Create a gateway.networking.k8s.io/ReferenceGrant to allow the namespace owner to accept the reference. | ||
| Users create a populated volume by referring cross namespace volume data source using the `dataSourceRef` field: |
There was a problem hiding this comment.
| Users create a populated volume by referring cross namespace volume data source using the `dataSourceRef` field: | |
| You define a populated volume by specifying a cross namespace volume data source using the `dataSourceRef` field. You must already have a valid ReferenceGrant in the source namespace: |
|
Hi @ttakahashi21, This PR needs a doc review by Mon Nov 28th to get this into the release. Please reach out to required SIGs to get their review. Thank you! |
ttakahashi21
force-pushed
the
dev-1.26-KEP-3294-doc
branch
from
c97489e to
e837f0f
Compare
|
@sftim I fixed those that needed fixing. |
ttakahashi21
changed the title
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 1a00b607ebc0d37c6473d91365cd6ce3a22d5c67
|
| the kube-apiserver, kube-controller-manager. | ||
| Also, you must enable the `CrossNamespaceVolumeDataSource` feature gate for the csi-provisioner. | ||
|
|
||
| Enabling the `CrossNamespaceVolumeDataSource` feature gate allow you to specify a namespace in the dataSourceRef field. |
There was a problem hiding this comment.
(nit)
| Enabling the `CrossNamespaceVolumeDataSource` feature gate allow you to specify a namespace in the dataSourceRef field. | |
| Enabling the `CrossNamespaceVolumeDataSource` feature gate allow you to specify a | |
| namespace in the `dataSourceRef` field of a PersistentVolumeClaim. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
7 participants
Add document for Provision volumes from cross namespace data sources
■KEP
Please see CrossNamespaceVolumeDataSource
■API Change (Merge)
kubernetes/kubernetes#113186
■Controller (Under Review)
kubernetes-csi/external-provisioner#805