Merge pull request kubernetes#124360 from carlory/kep-3751-quota-2

Add quota support for PVC with VolumeAttributesClass

Author: k8s-ci-robot

pkg/apis/core/helper/helpers.go

@@ -119,6 +119,7 @@ var standardResourceQuotaScopes = sets.New(
 	core.ResourceQuotaScopeBestEffort,
 	core.ResourceQuotaScopeNotBestEffort,
 	core.ResourceQuotaScopePriorityClass,
+	core.ResourceQuotaScopeVolumeAttributesClass,
 )
 
 // IsStandardResourceQuotaScope returns true if the scope is a standard value
@@ -139,6 +140,14 @@ var podComputeQuotaResources = sets.New(
 	core.ResourceRequestsMemory,
 )
 
+var pvcObjectCountQuotaResources = sets.New(
+	core.ResourcePersistentVolumeClaims,
+)
+
+var pvcStorageQuotaResources = sets.New(
+	core.ResourceRequestsStorage,
+)
+
 // IsResourceQuotaScopeValidForResource returns true if the resource applies to the specified scope
 func IsResourceQuotaScopeValidForResource(scope core.ResourceQuotaScope, resource core.ResourceName) bool {
 	switch scope {
@@ -147,6 +156,8 @@ func IsResourceQuotaScopeValidForResource(scope core.ResourceQuotaScope, resourc
 		return podObjectCountQuotaResources.Has(resource) || podComputeQuotaResources.Has(resource)
 	case core.ResourceQuotaScopeBestEffort:
 		return podObjectCountQuotaResources.Has(resource)
+	case core.ResourceQuotaScopeVolumeAttributesClass:
+		return pvcObjectCountQuotaResources.Has(resource) || pvcStorageQuotaResources.Has(resource)
 	default:
 		return true
 	}

pkg/apis/core/types.go

@@ -6048,6 +6048,9 @@ const (
 	ResourceQuotaScopePriorityClass ResourceQuotaScope = "PriorityClass"
 	// Match all pod objects that have cross-namespace pod (anti)affinity mentioned
 	ResourceQuotaScopeCrossNamespacePodAffinity ResourceQuotaScope = "CrossNamespacePodAffinity"
+
+	// Match all pvc objects that have volume attributes class mentioned.
+	ResourceQuotaScopeVolumeAttributesClass ResourceQuotaScope = "VolumeAttributesClass"
 )
 
 // ResourceQuotaSpec defines the desired hard limits to enforce for Quota

pkg/generated/openapi/zz_generated.openapi.go

@@ -22,16 +22,20 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/admission"
 	quota "k8s.io/apiserver/pkg/quota/v1"
 	"k8s.io/apiserver/pkg/quota/v1/generic"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	storagehelpers "k8s.io/component-helpers/storage/volume"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
+	"k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	k8sfeatures "k8s.io/kubernetes/pkg/features"
+	"k8s.io/utils/ptr"
 )
 
 // the name used for object count quota
@@ -90,26 +94,68 @@ func (p *pvcEvaluator) GroupResource() schema.GroupResource {
 
 // Handles returns true if the evaluator should handle the specified operation.
 func (p *pvcEvaluator) Handles(a admission.Attributes) bool {
-	if a.GetSubresource() != "" {
+	op := a.GetOperation()
+	switch a.GetSubresource() {
+	case "":
+		return op == admission.Create || op == admission.Update
+	case "status":
+		pvc, err1 := toExternalPersistentVolumeClaimOrError(a.GetObject())
+		oldPVC, err2 := toExternalPersistentVolumeClaimOrError(a.GetOldObject())
+		if err1 != nil || err2 != nil {
+			return false
+		}
+		return RequiresQuotaReplenish(pvc, oldPVC)
+	default:
 		return false
 	}
-	op := a.GetOperation()
-	return admission.Create == op || admission.Update == op
 }
 
 // Matches returns true if the evaluator matches the specified quota with the provided input item
 func (p *pvcEvaluator) Matches(resourceQuota *corev1.ResourceQuota, item runtime.Object) (bool, error) {
+	if utilfeature.DefaultFeatureGate.Enabled(k8sfeatures.VolumeAttributesClass) {
+		return generic.Matches(resourceQuota, item, p.MatchingResources, pvcMatchesScopeFunc)
+	}
 	return generic.Matches(resourceQuota, item, p.MatchingResources, generic.MatchesNoScopeFunc)
 }
 
 // MatchingScopes takes the input specified list of scopes and input object. Returns the set of scopes resource matches.
-func (p *pvcEvaluator) MatchingScopes(item runtime.Object, scopes []corev1.ScopedResourceSelectorRequirement) ([]corev1.ScopedResourceSelectorRequirement, error) {
+func (p *pvcEvaluator) MatchingScopes(item runtime.Object, scopeSelectors []corev1.ScopedResourceSelectorRequirement) ([]corev1.ScopedResourceSelectorRequirement, error) {
+	if utilfeature.DefaultFeatureGate.Enabled(k8sfeatures.VolumeAttributesClass) {
+		matchedScopes := []corev1.ScopedResourceSelectorRequirement{}
+		for _, selector := range scopeSelectors {
+			match, err := pvcMatchesScopeFunc(selector, item)
+			if err != nil {
+				return []corev1.ScopedResourceSelectorRequirement{}, fmt.Errorf("error on matching scope %v: %w", selector, err)
+			}
+			if match {
+				matchedScopes = append(matchedScopes, selector)
+			}
+		}
+		return matchedScopes, nil
+	}
 	return []corev1.ScopedResourceSelectorRequirement{}, nil
 }
 
 // UncoveredQuotaScopes takes the input matched scopes which are limited by configuration and the matched quota scopes.
 // It returns the scopes which are in limited scopes but don't have a corresponding covering quota scope
 func (p *pvcEvaluator) UncoveredQuotaScopes(limitedScopes []corev1.ScopedResourceSelectorRequirement, matchedQuotaScopes []corev1.ScopedResourceSelectorRequirement) ([]corev1.ScopedResourceSelectorRequirement, error) {
+	if utilfeature.DefaultFeatureGate.Enabled(k8sfeatures.VolumeAttributesClass) {
+		uncoveredScopes := []corev1.ScopedResourceSelectorRequirement{}
+		for _, selector := range limitedScopes {
+			isCovered := false
+			for _, matchedScopeSelector := range matchedQuotaScopes {
+				if matchedScopeSelector.ScopeName == selector.ScopeName {
+					isCovered = true
+					break
+				}
+			}
+
+			if !isCovered {
+				uncoveredScopes = append(uncoveredScopes, selector)
+			}
+		}
+		return uncoveredScopes, nil
+	}
 	return []corev1.ScopedResourceSelectorRequirement{}, nil
 }
 
@@ -202,6 +248,9 @@ func (p *pvcEvaluator) getStorageUsage(pvc *corev1.PersistentVolumeClaim) *resou
 
 // UsageStats calculates aggregate usage for the object.
 func (p *pvcEvaluator) UsageStats(options quota.UsageStatsOptions) (quota.UsageStats, error) {
+	if utilfeature.DefaultFeatureGate.Enabled(k8sfeatures.VolumeAttributesClass) {
+		return generic.CalculateUsageStats(options, p.listFuncByNamespace, pvcMatchesScopeFunc, p.Usage)
+	}
 	return generic.CalculateUsageStats(options, p.listFuncByNamespace, generic.MatchesNoScopeFunc, p.Usage)
 }
 
@@ -230,5 +279,65 @@ func RequiresQuotaReplenish(pvc, oldPVC *corev1.PersistentVolumeClaim) bool {
 			return true
 		}
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(k8sfeatures.VolumeAttributesClass) {
+		oldNames := getReferencedVolumeAttributesClassNames(oldPVC)
+		newNames := getReferencedVolumeAttributesClassNames(pvc)
+		if !oldNames.Equal(newNames) {
+			return true
+		}
+	}
 	return false
 }
+
+// pvcMatchesScopeFunc is a function that knows how to evaluate if a pvc matches a scope
+func pvcMatchesScopeFunc(selector corev1.ScopedResourceSelectorRequirement, object runtime.Object) (bool, error) {
+	pvc, err := toExternalPersistentVolumeClaimOrError(object)
+	if err != nil {
+		return false, err
+	}
+
+	if selector.ScopeName == corev1.ResourceQuotaScopeVolumeAttributesClass {
+		if selector.Operator == corev1.ScopeSelectorOpExists {
+			// This is just checking for existence of a volumeAttributesClass on the pvc,
+			// no need to take the overhead of selector parsing/evaluation.
+			vacNames := getReferencedVolumeAttributesClassNames(pvc)
+			return len(vacNames) != 0, nil
+		}
+		return pvcMatchesSelector(pvc, selector)
+	}
+	return false, nil
+}
+
+func pvcMatchesSelector(pvc *corev1.PersistentVolumeClaim, selector corev1.ScopedResourceSelectorRequirement) (bool, error) {
+	labelSelector, err := helper.ScopedResourceSelectorRequirementsAsSelector(selector)
+	if err != nil {
+		return false, fmt.Errorf("failed to parse and convert selector: %w", err)
+	}
+
+	vacNames := getReferencedVolumeAttributesClassNames(pvc)
+	if len(vacNames) == 0 {
+		return labelSelector.Matches(labels.Set{}), nil
+	}
+	for vacName := range vacNames {
+		m := labels.Set{string(corev1.ResourceQuotaScopeVolumeAttributesClass): vacName}
+		if labelSelector.Matches(m) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func getReferencedVolumeAttributesClassNames(pvc *corev1.PersistentVolumeClaim) sets.Set[string] {
+	vacNames := sets.New[string]()
+	if len(ptr.Deref(pvc.Spec.VolumeAttributesClassName, "")) != 0 {
+		vacNames.Insert(*pvc.Spec.VolumeAttributesClassName)
+	}
+	if len(ptr.Deref(pvc.Status.CurrentVolumeAttributesClassName, "")) != 0 {
+		vacNames.Insert(*pvc.Status.CurrentVolumeAttributesClassName)
+	}
+	modifyStatus := pvc.Status.ModifyVolumeStatus
+	if modifyStatus != nil && len(modifyStatus.TargetVolumeAttributesClassName) != 0 {
+		vacNames.Insert(modifyStatus.TargetVolumeAttributesClassName)
+	}
+	return vacNames
+}

pkg/quota/v1/evaluator/core/persistent_volume_claims.go

@@ -20,6 +20,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,6 +32,7 @@ import (
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/utils/ptr"
 )
 
 func testVolumeClaim(name string, namespace string, spec core.PersistentVolumeClaimSpec) *core.PersistentVolumeClaim {
@@ -40,6 +42,122 @@ func testVolumeClaim(name string, namespace string, spec core.PersistentVolumeCl
 	}
 }
 
+func TestPersistentVolumeClaimEvaluatorMatchingScopes(t *testing.T) {
+	evaluator := NewPersistentVolumeClaimEvaluator(nil)
+	testCases := map[string]struct {
+		claim         *core.PersistentVolumeClaim
+		selectors     []corev1.ScopedResourceSelectorRequirement
+		wantSelectors []corev1.ScopedResourceSelectorRequirement
+	}{
+		"EmptyPVC": {
+			claim: &core.PersistentVolumeClaim{},
+			selectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpDoesNotExist},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpExists},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+			wantSelectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpDoesNotExist},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+		},
+		"VolumeAttributesClass": {
+			claim: &core.PersistentVolumeClaim{
+				Spec: core.PersistentVolumeClaimSpec{
+					VolumeAttributesClassName: ptr.To("class1"),
+				},
+			},
+			selectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpDoesNotExist},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpExists},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class4"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+			wantSelectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpExists},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+		},
+		"VolumeAttributesClassWithTarget": {
+			claim: &core.PersistentVolumeClaim{
+				Spec: core.PersistentVolumeClaimSpec{
+					VolumeAttributesClassName: ptr.To("class1"),
+				},
+				Status: core.PersistentVolumeClaimStatus{
+					CurrentVolumeAttributesClassName: ptr.To("class2"),
+				},
+			},
+			selectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpDoesNotExist},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpExists},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class2"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2", "class4"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class4"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+			wantSelectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpExists},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class2"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2", "class4"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+		},
+		"VolumeAttributesClassWithModityStatus": {
+			claim: &core.PersistentVolumeClaim{
+				Spec: core.PersistentVolumeClaimSpec{
+					VolumeAttributesClassName: ptr.To("class1"),
+				},
+				Status: core.PersistentVolumeClaimStatus{
+					CurrentVolumeAttributesClassName: ptr.To("class2"),
+					ModifyVolumeStatus: &core.ModifyVolumeStatus{
+						TargetVolumeAttributesClassName: "class3",
+					},
+				},
+			},
+			selectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpDoesNotExist},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpExists},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class2"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class3"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2", "class3"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2", "class3", "class4"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class4"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+			wantSelectors: []corev1.ScopedResourceSelectorRequirement{
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpExists},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class2"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class3"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2", "class3"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpIn, Values: []string{"class1", "class2", "class3", "class4"}},
+				{ScopeName: corev1.ResourceQuotaScopeVolumeAttributesClass, Operator: corev1.ScopeSelectorOpNotIn, Values: []string{"class4"}},
+			},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.VolumeAttributesClass, true)
+		t.Run(testName, func(t *testing.T) {
+			gotSelectors, err := evaluator.MatchingScopes(testCase.claim, testCase.selectors)
+			if err != nil {
+				t.Error(err)
+			}
+			if diff := cmp.Diff(testCase.wantSelectors, gotSelectors); diff != "" {
+				t.Errorf("%v: unexpected diff (-want, +got):\n%s", testName, diff)
+			}
+		})
+	}
+}
+
 func TestPersistentVolumeClaimEvaluatorUsage(t *testing.T) {
 	classGold := "gold"
 	validClaim := testVolumeClaim("foo", "ns", core.PersistentVolumeClaimSpec{