Add new changes to recover from expansion KEP

gnufied · gnufied · commit d93f2cbf9622 · 2021-07-01T10:09:45.000-04:00
Update the kep
diff --git a/keps/sig-storage/1790-recover-resize-failure/README.md b/keps/sig-storage/1790-recover-resize-failure/README.md
@@ -13,8 +13,9 @@
     - [User flow stories](#user-flow-stories)
       - [Case 0 (default PVC creation):](#case-0-default-pvc-creation)
       - [Case 1 (controller+node expandable):](#case-1-controllernode-expandable)
-      - [Case 2 (controller+node expandable with no GET_VOLUME capability):](#case-2-controllernode-expandable-with-no-get_volume-capability)
+      - [Case 2 (node only expandable volume):](#case-2-node-only-expandable-volume)
       - [Case 3 (Malicious user)](#case-3-malicious-user)
+    - [Case 4(Malicious User and rounding to GB/GiB bounaries)](#case-4malicious-user-and-rounding-to-gbgib-bounaries)
   - [Risks and Mitigations](#risks-and-mitigations)
 - [Graduation Criteria](#graduation-criteria)
   - [Test Plan](#test-plan)
@@ -31,6 +32,7 @@
 - [Alternatives](#alternatives)
   - [Why not use pvc.Status.Capacity for tracking quota?](#why-not-use-pvcstatuscapacity-for-tracking-quota)
   - [Allow admins to manually fix PVCs which are stuck in resizing condition](#allow-admins-to-manually-fix-pvcs-which-are-stuck-in-resizing-condition)
+  - [Solving limitation of allowing restore all the way to original size](#solving-limitation-of-allowing-restore-all-the-way-to-original-size)
 - [Infrastructure Needed [optional]](#infrastructure-needed-optional)
 <!-- /toc -->
 
@@ -77,7 +79,7 @@ the user is using less storage than he/she actually is.
 To solve this problem - we propose that although users are allowed to reduce size of their
 PVC (as long as requested size > `pvc.Status.Capacity`), quota calculation
 will use `max(pvc.Spec.Capacity, pvc.Status.AllocatedResources)` and reduction in `pvc.Status.AllocatedResources`
-is only done by resize-controller after verifying volume size using `ControllerGetVolume` csi RPC call.
+is only done by resize-controller after previously issued expansion has failed with some kind of terminal failure.
 
 ### Goals
 
@@ -94,6 +96,7 @@ As part of this proposal, we are mainly proposing three changes:
 
 1. Relax API validation on PVC update so as reducing `pvc.Spec.Resoures` is allowed, as long as requested size is `>pvc.Status.Capacity`.
 2. Add a new field in PVC API called - `pvc.Status.AllocatedResources` for the purpose of tracking used storage size. By default only api-server or resize-controller can set this field.
+3. Add a new field in PVC API called - `pvc.Status.ResizeStatus` for purpose of tracking status of volume expansion.
 3. Update quota code to use `max(pvc.Spec.Resources, pvc.Status.AllocatedResources)` when evaluating usage for PVC.
 
 ### Implementation
@@ -103,73 +106,139 @@ reduces the PVC request size, for both CSI and in-tree plugins they are designed
 
 We however do have a problem with quota calculation because if a previously issued expansion is successful but is not recorded(or partially recorded) in api-server and user reduces requested size of the PVC, then quota controller will assume it as actual shrinking of volume and reduce used storage size by the user(incorrectly). Since we know actual size of the volume only after performing expansion(either on node or controller), allowing quota to be reduced on PVC size reduction will allow an user to abuse the quota system.
 
-To solve aforementioned problem - we propose that, a new field will be added to PVC, called `pvc.Status.AllocatedResources`. When a PVC is created - this field defaults to `pvc.Spec.Resources` but when user expands the PVC,
-and when expansion-controller starts volume expansion - it will set `pvc.Status.AllocatedResources` to user requested value in `pvc.Spec.Resources` before performing expansion. The quota calculation will be updated to use `max(pvc.Spec.Resources, pvc.Status.AllocatedResources)` which will ensure that abusing quota will not be possible.
-
-When user reduces `pvc.Spec.Resources`, expansion-controller will set `pvc.Status.AllocatedResources` to lower value (thereby giving quota back to the user) - only if current actual size of volume is less than or equal to `pvc.Spec.Resources` after entire control-plane and node side expansion is successfully finished. It will fetch actual size of the volume by using `ControllerGetVolume` CSI RPC call. It is possible to track completion of resizing operation in external-resizer via function - https://github.com/kubernetes-csi/external-resizer/blob/master/pkg/controller/controller.go#L394.
-
-If CSI driver does not have `GET_VOLUME` controller capability(or `ControllerGetVolume` does not report volume size) and `pvc.Spec.Resources` < `pvc.Status.AllocatedResources` (i.e user is attempting to reduce size of a volume that expansion controller previously tried to expand) - then although expansion-controller will try volume expansion with value in `pvc.Spec.Resources` - it will not reduce reported value in `pvc.Status.AllocatedResources`, which will result in no quota being restored to the user. In other words - for CSI drivers that don't have `GET_VOLUME` controller capability - `pvc.Status.AllocatedResources` will report highest requested value and reducing `pvc.Spec.Resources` will not result in reduction of used quota.
-
-*Note:* This proposal expects that users can not modify `pvc.Status` directly and cheat quota system. In general this should be fine because users should not have access to edit status of almost anything. Link to discussion on slack - https://kubernetes.slack.com/archives/CJUQN3E4T/p1620059624022100
-
-*Note:* It is expected that `ControllerGetVolume` RPC call returns disk size not filesystem size of the volume. We will ensure that there are sanity test around this and this distinction is made more clear in the CSI spec.
+To solve aforementioned problem - we propose that, a new field will be added to PVC, called `pvc.Status.AllocatedResources`. When user expands the PVC, and when expansion-controller starts volume expansion - it will set `pvc.Status.AllocatedResources` to user requested value in `pvc.Spec.Resources` before performing expansion. The quota calculation will be updated to use `max(pvc.Spec.Resources, pvc.Status.AllocatedResources)` which will ensure that abusing quota will not be possible.
+
+Resizing operation will always work towards full-filling size recorded in `pvc.Status.AllocatedResources` and only when previous operation has finished(i.e `pvc.Status.ResizeStatus` is nil) or when previous operation has failed with a terminal error - it will use new user requested value from `pvc.Spec.Resources`.
+
+When user reduces `pvc.Spec.Resources`, expansion-controller will set `pvc.Status.AllocatedResources` to lower value only if:
+1. If `pvc.Status.ResizeStatus` is `ResizeFailedOnController` (indicating that previous expansion to last known `allocatedResources` failed with a final error).
+2. If `pvc.Status.ResizeStatus` is `ResizeFailedOnNode` and SP supports node-only expansion (indicating that previous expansion to last known `allocatedResources` failed on node with a final error).
+
+One key exception is - `pvc.Status.Allocatedresources` will not be lowered if expansion succeeded on the controller but failed on the node with a final error. The implementation of new `allocatedResources` will look like:
+
+
+```golang
+func (ctrl *resizeController) getNewSize(pvc *v1.PersistentVolumeClaim, pv *v1.PersistentVolume) resource.Quantity {
+    newSize := pvc.Spec.Resources.Requests.Storage()
+    if pvc.Status.ResizeStatus == nil || *pvc.Status.ResizeStatus == "" {
+        return *newSize
+    }
+    resizeStatus := *pvc.Status.ResizeStatus
+    allocatedSize := pvc.Status.AllocatedResources.Storage()
+
+    switch resizeStatus {
+    case v1.PersistentVolumeClaimResizeInProgress:
+        // If resize was inprogress before this means - we should keep trying to finish
+        // previously started expansion to last known `allocatedSize`.
+        if allocatedSize != nil {
+            newSize = allocatedSize
+        }
+    case v1.PersistentVolumeClaimResizeFailedOnController:
+        // if expansion failed on controller with a final error, then we can safely use new user requested size
+        newSize = pvc.Spec.Resources.Requests.Storage()
+    case v1.PersistentVolumeClaimResizeFailedOnNode:
+        if newSize.Cmp(*allocatedSize) > 0 {
+            newSize = pvc.Spec.Resources.Requests.Storage()
+        } else {
+            // newSize is smaller than whatever we tried to expand before
+            // and if expansion failed on the node, but it succeeded in control-plane
+            // then it is not safe to use lower value from pvc.Spec
+            if ctrl.resizer.SupportsControllerExpansion() {
+                newSize = allocatedSize
+            }
+        }
+
+    }
+    return *newSize
+}
+```
+
+One more key design choice is - once expansion on node failed and user requested lower size (by modifying `pvc.Spec.Resources`) - kubelet must not retry expanding the same volume to previous `allocatedResources`, because external-resizer will consider `ResizeFailedOnNode` state as a terminal error and allow lowering of `allocatedResources` - and at the same time kubelet will try to expand the volume to higher `allocatedResources`. This will be solved in kubelet by following code:
+
+```golang
+// read latest version of PVC from api-server
+if pvcStatusCap.Cmp(pvSpecCap) < 0 {
+    // this is the if block where kubelet performs expansion
+    if (pvc.Spec.Resources.Storage < pvc.Status.AllocatedResources ) && pvc.Status.ResizeStatus == ResizeFailedOnNode {
+        return false, nil
+    }
+}
+```
 
 #### User flow stories
 
 ##### Case 0 (default PVC creation):
 - User creates a 10Gi PVC by setting - `pvc.spec.resources.requests["storage"] = "10Gi"`.
-- API server sets `pvc.Status.AllocatedResources` to "10Gi" on creation.
 
 ##### Case 1 (controller+node expandable):
 - User increases 10Gi PVC to 100Gi by changing - `pvc.spec.resources.requests["storage"] = "100Gi"`.
-- `pvc.Status.AllocatedResources` still reports `10Gi`.
 - Quota controller uses `max(pvc.Status.AllocatedResources, pvc.Spec.Resources)` and adds `90Gi` to used quota.
 - Expansion controller starts expanding the volume and sets `pvc.Status.AllocatedResources` to `100Gi`.
+- Expansion controller also sets `pvc.Status.ResizeStatus` to `ResizeInProgress`.
 - Expansion to 100Gi fails and hence `pv.Spec.Capacity` and `pvc.Status.Capacity `stays at 10Gi.
+- Expansion controller sets `pvc.Status.ResizeStatus` to `ResizeFailedOnController`.
 - User requests size to 20Gi.
 - Expansion controller tries expanding the PVC/PV to `20Gi` size.
+- Expansion controler notices that previous expansion to last known `allocatedresources` failed, so it sets new `allocatedResources` to `20G`
 - Expansion succeeds and `pvc.Status.Capacity` and `pv.Spec.Capacity` report new size as `20Gi`.
-- After completion, expansion controller notices that `pvc.Spec.Resources` < `pvc.Status.AllocatedResources` (meaning user tried to reduce size).
-- Expansion controller fetches actual size of the volume using `ControllerGetVolume` CSI RPC call.
-- Expansion controller sees that `actual_volume_size`(20Gi) < `pvc.Status.AllocatedResources` (100Gi), so it sets `pvc.Status.AllocatedResources` to 20Gi.
 - Quota controller sees a reduction in used quota because `max(pvc.Spec.Resources, pvc.Status.AllocatedResources)` is 20Gi.
 
-##### Case 2 (controller+node expandable with no GET_VOLUME capability):
+##### Case 2 (node only expandable volume):
 - User increases 10Gi PVC to 100Gi by changing - `pvc.spec.resources.requests["storage"] = "100Gi"`
-- `pvc.Status.AllocatedResources` still reports `10Gi`.
 - Quota controller uses `max(pvc.Status.AllocatedResources, pvc.Spec.Resources)` and adds `90Gi` to used quota.
 - Expansion controller starts expanding the volume and sets `pvc.Status.AllocatedResources` to `100Gi`.
-- Expansion to 100Gi fails and hence `pv.Spec.Capacity` and `pvc.Status.Capacity `stays at 10Gi.
+- Expansion controller also sets `pvc.Status.ResizeStatus` to `ResizeInProgress`.
+- Since expansion operations in control-plane are NO-OP, expansion in control-plane succeeds and `pv.Spec` is set to `100G`.
+- Expansion starts on the node and it fails on the node.
+- Kubelet sets `pvc.Status.ResizeStatus` to `ResizeFailedOnNode`.
 - User requests size to 20Gi.
-- Expansion controller tries expanding the PVC/PV to `20Gi` size.
-- Expansion succeeds and `pvc.Status.Capacity` and `pv.Spec.Capacity` report new size as `20Gi`.
-- Expansion controller notices that `pvc.Spec.Resources` < `pvc.Status.AllocatedResources` (meaning user tried to reduce size).
-- Expansion controller sees that CSI driver does not have `GET_VOLUME` controller capability.
-- `pvc.Status.AllocatedResources` still reports `100Gi` and hence there is no change in used quota.
+- Kubelet notices that `pvc.Status.AllocatedResources > pvc.Spec.Resources` (that means user shrunk the volume) and last resize on node failed, it must not retry expansion to old `allocatedResources`.
+- At this point Kubelet will wait for `pvc.Status.AllocatedResources` to be updated.
+- Expansion controller starts expanding the volume and sees that last expansion failed on the node and driver does not have control-plane expansion.
+- Expansion controller sets `pvc.Status.AllocatedResources` to `20G`.
+- Expansion controller also sets `pvc.Status.ResizeStatus` to `ResizeInProgress`.
+- Since expansion operations in control-plane are NO-OP, expansion in control-plane succeeds and `pv.Spec` is set to `20G`.
+- Expansion succeed on the node with latest `allocatedResources` and `pvc.Status.Size` is set to `20G`.
+- Quota controller sees a reduction in used quota because `max(pvc.Spec.Resources, pvc.Status.AllocatedResources)` is 20Gi.
 
 
 ##### Case 3 (Malicious user)
 - User increases 10Gi PVC to 100Gi by changing `pvc.spec.resources.requests["storage"] = "100Gi"`
-- `pvc.Status.AllocatedResources` still reports `10Gi`.
 - Quota controller uses `max(pvc.Status.AllocatedResources, pvc.Spec.Resources)` and adds `90Gi` to used quota.
 - Expansion controller slowly starts expanding the volume and sets `pvc.Status.AllocatedResources` to `100Gi` (before expanding).
+- Expansion controller also sets `pvc.Status.ResizeStatus` to `ResizeInProgress`.
 - At this point -`pv.Spec.Capacity` and `pvc.Status.Capacity` stays at 10Gi until the resize is finished.
 - While the storage backend is re-sizing the volume, user requests size 20Gi by changing `pvc.spec.resources.requests["storage"] = "20Gi"`
-- Expansion succeeds previous expansion and `pvc.Status.Capacity` and `pv.Spec.Capacity` report new size as `100Gi`.
-- Expansion controller notices that `pvc.Spec.Resources` < `pvc.Status.AllocatedResources` (meaning user tried to reduce size).
-- Expansion controller fetches actual size of the volume using `ControllerGetVolume` CSI RPC call.
-- Expansion controller sees that `actual_volume_size`(100Gi) >= `pvc.Status.AllocatedResources` (100Gi), so it does not make any modifictions to `pvc.Status.AllocatedResources`.
+- Expansion controller notices that previous expansion to last known `allocatedresources` is still in-progress.
+- Expansion controller starts expanding the volume but `allocatedResources` stays at `100G`.
+- Expansion to `100G` succeeds and `pv.Spec.Capacity` and `pvc.Status.Capacity` report new size as `100G`.
+- Although `pvc.Spec.Resources` reports size as `20G`, expansion to `20G` is never attempted.
+- Quota controller sees no change in storage usage by the PVC because `pvc.Status.AllocatedResources` is 100Gi.
+
+#### Case 4(Malicious User and rounding to GB/GiB bounaries)
+- User requests a PVC of 10.1GB but underlying storage provides provisions a volume of 11GB after rounding.
+- Size recorded in `pvc.Status.Capacity` and `pv.Spec.Capacity` is however still 10.1GB.
+- User expands expands the PVC to 100GB.
+- Quota controller uses `max(pvc.Status.AllocatedResources, pvc.Spec.Resources)` and adds `89.9GB` to used quota.
+- Expansion controller starts expanding the volume and sets `pvc.Status.AllocatedResources` to `100GB` (before expanding).
+- Expansion controller also sets `pvc.Status.ResizeStatus` to `ResizeInProgress`.
+- At this point -`pv.Spec.Capacity` and `pvc.Status.Capacity` stays at 10.1GB until the resize is finished.
+- while resize was in progress - expansion controler crashes and loses state.
+- User reduces the size of PVC to 10.5GB.
+- Expansion controller notices that previous expansion to last known `allocatedresources` is still in-progress.
+- Expansion controller starts expanding the volume but `allocatedResources` stays at `100G`.
+- Expansion to `100G` succeeds and `pv.Spec.Capacity` and `pvc.Status.Capacity` report new size as `100G`.
+- Although `pvc.Spec.Resources` reports size as `10.5GB`, expansion to `10.5GB` is never attempted.
 - Quota controller sees no change in storage usage by the PVC because `pvc.Status.AllocatedResources` is 100Gi.
 
 ### Risks and Mitigations
 
 - Once expansion is initiated, the lowering of requested size is only allowed upto a value *greater* than `pvc.Status`. It is not possible to entirely go back to previously requested size. This should not be a problem however in-practice because user can retry expansion with slightly higher value than `pvc.Status` and still recover from previously failing expansion request.
-- One risk as mentioned above is, if expansion failed and user retried expansion(successfully) with smaller value, the quota code will keep reporting higher value unless CSI driver in question has `GET_VOLUME` controller capability and `ControllerGetVolume` actually reports real size of the underlying volume.
 
 
 ## Graduation Criteria
 
-* *Alpha* in 1.22 behind `RecoverExpansionFailure` feature gate with set to a default of `false`. The limitation about quota and CSI capability should be clearly documented.
+* *Alpha* in 1.22 behind `RecoverExpansionFailure` feature gate with set to a default of `false`.
 * *Beta* in 1.23: Since this feature is part of general `ExpandPersistentVolumes` feature which is in beta, we are going to move this to beta with enhanced e2e and more stability improvements.
 * *GA* in 1.25 along with `ExpandPersistentvolumes` feature. The list of issues for volume expansion going GA can be found at - https://github.com/orgs/kubernetes-csi/projects/12.
 
@@ -360,7 +429,7 @@ _This section must be completed when targeting beta graduation to a release._
 
 ## Drawbacks
 
-- One drawback is while this KEP allows an user to reduce requested PVC size, it does not automatically reduce quota.
+- One drawback is while this KEP allows an user to reduce requested PVC size, it does not allow reduction in size all the way to same value as original size recorded in `pvc.Status.Cap`. The reason is currently resize controller and kubelet work on a volume one after the other and we need special logic in both kubelet and control-plane to process reduction in size all the way upto original value. This is somewhat racy and we need a signaling mechanism between control-plane and kubelet when `pvc.Status.AllocatedResources` needs to be adjusted. We plan to revisit and address this in next release.
 
 
 ## Alternatives
@@ -378,4 +447,9 @@ We also considered if it is worth leaving this problem as it is and allow admins
 - A workflow that depends on restarting the pods after resizing is successful - can't complete if resizing is forever stuck. This is the case with current design of statefulset expansion KEP.
 - If a storage type only supports node expansion and it keeps failing then PVC could become unusable and prevent its usage.
 
+### Solving limitation of allowing restore all the way to original size
+
+As mentioned above - one limitation of this KEP is, users can only recover upto a size greater than previous value recorded in `pvc.Status.Cap`.
+
+
 ## Infrastructure Needed [optional]
