@skogta skogta commented Nov 6, 2025

What this PR does / why we need it:
Add a validation in CSI to fail RWX volume creation if policy is for VMFS datastores and is NOT EZT.
This is a requirement for multiwriter.

Testing done:

DYNAMIC:

Created RWX volume with vSAN policy - reached Bound state.
Created RWX volume with VMFS EZT policy - reached Bound state.

Created RWX volume with VMFS non-EZT policy - stayed in Pending state. See below:

Name:          rwx-pvc-vmfs-non-ezt
Namespace:     test
StorageClass:  vmfs-1
Status:        Pending
Volume:        
Labels:        <none>
Annotations:   volume.beta.kubernetes.io/storage-provisioner: csi.vsphere.vmware.com
               volume.kubernetes.io/storage-provisioner: csi.vsphere.vmware.com
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:      
Access Modes:  
VolumeMode:    Block
Used By:       <none>
Events:
  Type     Reason                Age               From                                                                                          Message
  ----     ------                ----              ----                                                                                          -------
  Normal   ExternalProvisioning  11s               persistentvolume-controller                                                                   Waiting for a volume to be created either by the external provisioner 'csi.vsphere.vmware.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
  Normal   Provisioning          4s (x4 over 11s)  csi.vsphere.vmware.com_42153cccacdf638453d78f7d0390adf1_3583e745-e910-4532-aaad-545d77e3d05e  External provisioner is provisioning volume for claim "test/rwx-pvc-vmfs-non-ezt"
  Warning  ProvisioningFailed    4s (x4 over 11s)  csi.vsphere.vmware.com_42153cccacdf638453d78f7d0390adf1_3583e745-e910-4532-aaad-545d77e3d05e  failed to provision volume with StorageClass "vmfs-1": rpc error: code = Unknown desc = Policy 64059831-c138-49f1-a341-86b10564fbb2 is for VMFS datastores. It must be Thick Provision Eager Zero for RWX block volumes

Created RWO volume with vSAN policy - reached Bound state.
Created RWO volume with VMFS EZT policy - reached Bound state.
Created RWO volume with VMFS non-EZT policy - reached Bound state.

STATIC:

Create RWX volume with vSAN policy - PVC and PV got created.
Create RWX volume with VMFS EZT policy - PVC and PV got created.
Create RWX volume with VMFS non-EZT policy - PVC and PV failed to get created. Error:

Name:         test4
Namespace:    test
Labels:       <none>
Annotations:  <none>
API Version:  cns.vmware.com/v1alpha1
Kind:         CnsRegisterVolume
Metadata:
  Creation Timestamp:  2025-11-06T13:56:11Z
  Generation:          1
  Resource Version:    3383517
  UID:                 fb1e2c6f-d80c-428d-9dd0-083eeb66c679
Spec:
  Access Mode:  ReadWriteMany
  Pvc Name:     rwx-block-vmfs-non-ezt
  Volume ID:    6658723e-5a2a-45dd-842e-2218739bf2dd
  Volume Mode:  Block
Status:
  Error:       Policy 64059831-c138-49f1-a341-86b10564fbb2 is for VMFS datastores. It must be Thick Provision Eager Zero for RWX block volumes
  Registered:  false
Events:
  Type     Reason                   Age   From            Message
  ----     ------                   ----  ----            -------
  Warning  CnsRegisterVolumeFailed  1s    cns.vmware.com  Policy 64059831-c138-49f1-a341-86b10564fbb2 is for VMFS datastores. It must be Thick Provision Eager Zero for RWX block volumes

Pre-checkin pipelines are in progress.

@skogta skogta marked this pull request as draft November 6, 2025 08:58
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Nov 6, 2025
@k8s-ci-robot
Contributor

Hi @skogta. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 6, 2025
@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch 2 times, most recently from 4a89584 to e56f945 Compare November 6, 2025 10:27
@skogta skogta marked this pull request as ready for review November 6, 2025 13:40
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 6, 2025
@k8s-ci-robot k8s-ci-robot requested a review from kolluria November 6, 2025 13:40
@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch 2 times, most recently from caf55d9 to abfb84f Compare November 6, 2025 14:11
@divyenpatel
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 6, 2025
@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch from abfb84f to 30da00f Compare November 7, 2025 09:09
Member

@divyenpatel divyenpatel left a comment

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: divyenpatel, skogta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 10, 2025
@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch from 30da00f to d52d9ca Compare November 11, 2025 06:09
@skogta
Contributor Author

skogta commented Nov 11, 2025

/retest-required

@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch 2 times, most recently from 8ec1120 to 1d2aff0 Compare November 11, 2025 08:15
@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch 3 times, most recently from e998c2f to 6cb9fea Compare November 26, 2025 09:45
@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch 2 times, most recently from bb4e133 to 7e139b1 Compare November 26, 2025 09:56
@skogta skogta force-pushed the topic/skogta/validateEztPolicy branch from 7e139b1 to 7e0ce64 Compare November 26, 2025 09:58
4 participants