Merge pull request kubernetes#85268 from yue9944882/feat/flow-control-defaulting

Bootstrap flow-control objects

Author: k8s-ci-robot

api/openapi-spec/swagger.json

@@ -43,6 +43,11 @@ const (
 	PriorityLevelConfigurationConditionConcurrencyShared = "ConcurrencyShared"
 )
 
+// Constants used by api validation.
+const (
+	FlowSchemaMaxMatchingPrecedence int32 = 10000
+)
+
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -88,8 +93,8 @@ type FlowSchemaSpec struct {
 	PriorityLevelConfiguration PriorityLevelConfigurationReference
 	// `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
 	// FlowSchema is among those with the numerically lowest (which we take to be logically highest)
-	// MatchingPrecedence.  Each MatchingPrecedence value must be non-negative.
-	// Note that if the precedence is not specified or zero, it will be set to 1000 as default.
+	// MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
+	// Note that if the precedence is not specified, it will be set to 1000 as default.
 	// +optional
 	MatchingPrecedence int32
 	// `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.

pkg/apis/flowcontrol/types.go

@@ -87,7 +87,10 @@ func ValidateFlowSchemaUpdate(old, fs *flowcontrol.FlowSchema) field.ErrorList {
 func ValidateFlowSchemaSpec(spec *flowcontrol.FlowSchemaSpec, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 	if spec.MatchingPrecedence <= 0 {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("matchingPrecedence"), spec.MatchingPrecedence, "must be positive value"))
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("matchingPrecedence"), spec.MatchingPrecedence, "must be a positive value"))
+	}
+	if spec.MatchingPrecedence > flowcontrol.FlowSchemaMaxMatchingPrecedence {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("matchingPrecedence"), spec.MatchingPrecedence, fmt.Sprintf("must not be greater than %v", flowcontrol.FlowSchemaMaxMatchingPrecedence)))
 	}
 	if spec.DistinguisherMethod != nil {
 		if !supportedDistinguisherMethods.Has(string(spec.DistinguisherMethod.Type)) {

pkg/apis/flowcontrol/validation/validation.go

@@ -547,6 +547,41 @@ func TestFlowSchemaValidation(t *testing.T) {
 				field.Invalid(field.NewPath("spec").Child("rules").Index(0).Child("resourceRules").Index(0).Child("namespaces").Index(0), "-foo", nsErrIntro+`a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')`),
 			},
 		},
+		{
+			name: "MatchingPrecedence must not be greater than 10000",
+			flowSchema: &flowcontrol.FlowSchema{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "system-foo",
+				},
+				Spec: flowcontrol.FlowSchemaSpec{
+					MatchingPrecedence: 10001,
+					PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
+						Name: "system-bar",
+					},
+					Rules: []flowcontrol.PolicyRulesWithSubjects{
+						{
+							Subjects: []flowcontrol.Subject{
+								{
+									Kind: flowcontrol.SubjectKindUser,
+									User: &flowcontrol.UserSubject{Name: "noxu"},
+								},
+							},
+							ResourceRules: []flowcontrol.ResourcePolicyRule{
+								{
+									Verbs:      []string{flowcontrol.VerbAll},
+									APIGroups:  []string{flowcontrol.APIGroupAll},
+									Resources:  []string{flowcontrol.ResourceAll},
+									Namespaces: []string{flowcontrol.NamespaceEvery},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedErrors: field.ErrorList{
+				field.Invalid(field.NewPath("spec").Child("matchingPrecedence"), int32(10001), "must not be greater than 10000"),
+			},
+		},
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {

pkg/apis/flowcontrol/validation/validation_test.go

@@ -1,4 +1,4 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 
 go_library(
     name = "go_default_library",
@@ -8,13 +8,21 @@ go_library(
     deps = [
         "//pkg/api/legacyscheme:go_default_library",
         "//pkg/apis/flowcontrol:go_default_library",
+        "//pkg/apis/flowcontrol/v1alpha1:go_default_library",
         "//pkg/registry/flowcontrol/flowschema/storage:go_default_library",
         "//pkg/registry/flowcontrol/prioritylevelconfiguration/storage:go_default_library",
         "//staging/src/k8s.io/api/flowcontrol/v1alpha1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/registry/generic:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/registry/rest:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/storage:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes/typed/flowcontrol/v1alpha1:go_default_library",
+        "//vendor/k8s.io/klog:go_default_library",
     ],
 )
 
@@ -31,3 +39,17 @@ filegroup(
     tags = ["automanaged"],
     visibility = ["//visibility:public"],
 )
+
+go_test(
+    name = "go_default_test",
+    srcs = ["storage_flowcontrol_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//pkg/apis/flowcontrol/v1alpha1:go_default_library",
+        "//staging/src/k8s.io/api/flowcontrol/v1alpha1:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library",
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
+        "//vendor/github.com/stretchr/testify/require:go_default_library",
+    ],
+)

pkg/registry/flowcontrol/rest/BUILD

@@ -17,20 +17,36 @@ limitations under the License.
 package rest
 
 import (
+	"fmt"
+	"time"
+
 	flowcontrolv1alpha1 "k8s.io/api/flowcontrol/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	flowcontrolbootstrap "k8s.io/apiserver/pkg/apis/flowcontrol/bootstrap"
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
+	flowcontrolclient "k8s.io/client-go/kubernetes/typed/flowcontrol/v1alpha1"
+	"k8s.io/klog"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/flowcontrol"
+	flowcontrolapisv1alpha1 "k8s.io/kubernetes/pkg/apis/flowcontrol/v1alpha1"
 	flowschemastore "k8s.io/kubernetes/pkg/registry/flowcontrol/flowschema/storage"
 	prioritylevelconfigurationstore "k8s.io/kubernetes/pkg/registry/flowcontrol/prioritylevelconfiguration/storage"
 )
 
-// RESTStorageProvider implements
+var _ genericapiserver.PostStartHookProvider = RESTStorageProvider{}
+
+// RESTStorageProvider is a provider of REST storage
 type RESTStorageProvider struct{}
 
+// PostStartHookName is the name of the post-start-hook provided by flow-control storage
+const PostStartHookName = "apiserver/bootstrap-system-flowcontrol-configuration"
+
 // NewRESTStorage creates a new rest storage for flow-control api models.
 func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool, error) {
 	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(flowcontrol.GroupName, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
@@ -71,3 +87,166 @@ func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstora
 func (p RESTStorageProvider) GroupName() string {
 	return flowcontrol.GroupName
 }
+
+func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
+	return PostStartHookName, func(hookContext genericapiserver.PostStartHookContext) error {
+		flowcontrolClientSet := flowcontrolclient.NewForConfigOrDie(hookContext.LoopbackClientConfig)
+		go func() {
+			const retryCreatingSuggestedSettingsInterval = time.Second
+			_ = wait.PollImmediateUntil(
+				retryCreatingSuggestedSettingsInterval,
+				func() (bool, error) {
+					shouldEnsureSuggested, err := lastMandatoryExists(flowcontrolClientSet)
+					if err != nil {
+						klog.Errorf("failed getting exempt flow-schema, will retry later: %v", err)
+						return false, nil
+					}
+					if !shouldEnsureSuggested {
+						return true, nil
+					}
+					err = ensure(
+						flowcontrolClientSet,
+						flowcontrolbootstrap.SuggestedFlowSchemas,
+						flowcontrolbootstrap.SuggestedPriorityLevelConfigurations)
+					if err != nil {
+						klog.Errorf("failed ensuring suggested settings, will retry later: %v", err)
+						return false, nil
+					}
+					return true, nil
+				},
+				hookContext.StopCh)
+			const retryCreatingMandatorySettingsInterval = time.Minute
+			_ = wait.PollImmediateUntil(
+				retryCreatingMandatorySettingsInterval,
+				func() (bool, error) {
+					if err := upgrade(
+						flowcontrolClientSet,
+						flowcontrolbootstrap.MandatoryFlowSchemas,
+						// Note: the "exempt" priority-level is supposed tobe the last item in the pre-defined
+						// list, so that a crash in the midst of the first kube-apiserver startup does not prevent
+						// the full initial set of objects from being created.
+						flowcontrolbootstrap.MandatoryPriorityLevelConfigurations,
+					); err != nil {
+						klog.Errorf("failed creating mandatory flowcontrol settings: %v", err)
+						return false, nil
+					}
+					return false, nil // always retry
+				},
+				hookContext.StopCh)
+		}()
+		return nil
+	}, nil
+
+}
+
+// Returns false if there's a "exempt" priority-level existing in the cluster, otherwise returns a true
+// if the "exempt" priority-level is not found.
+func lastMandatoryExists(flowcontrolClientSet flowcontrolclient.FlowcontrolV1alpha1Interface) (bool, error) {
+	if _, err := flowcontrolClientSet.PriorityLevelConfigurations().Get(flowcontrol.PriorityLevelConfigurationNameExempt, metav1.GetOptions{}); err != nil {
+		if apierrors.IsNotFound(err) {
+			return true, nil
+		}
+		return false, err
+	}
+	return false, nil
+}
+
+func ensure(flowcontrolClientSet flowcontrolclient.FlowcontrolV1alpha1Interface, flowSchemas []*flowcontrolv1alpha1.FlowSchema, priorityLevels []*flowcontrolv1alpha1.PriorityLevelConfiguration) error {
+	for _, flowSchema := range flowSchemas {
+		_, err := flowcontrolClientSet.FlowSchemas().Create(flowSchema)
+		if apierrors.IsAlreadyExists(err) {
+			klog.V(3).Infof("system preset FlowSchema %s already exists, skipping creating", flowSchema.Name)
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("cannot create FlowSchema %s due to %v", flowSchema.Name, err)
+		}
+		klog.V(3).Infof("created system preset FlowSchema %s", flowSchema.Name)
+	}
+	for _, priorityLevelConfiguration := range priorityLevels {
+		_, err := flowcontrolClientSet.PriorityLevelConfigurations().Create(priorityLevelConfiguration)
+		if apierrors.IsAlreadyExists(err) {
+			klog.V(3).Infof("system preset PriorityLevelConfiguration %s already exists, skipping creating", priorityLevelConfiguration.Name)
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("cannot create PriorityLevelConfiguration %s due to %v", priorityLevelConfiguration.Name, err)
+		}
+		klog.V(3).Infof("created system preset PriorityLevelConfiguration %s", priorityLevelConfiguration.Name)
+	}
+	return nil
+}
+
+func upgrade(flowcontrolClientSet flowcontrolclient.FlowcontrolV1alpha1Interface, flowSchemas []*flowcontrolv1alpha1.FlowSchema, priorityLevels []*flowcontrolv1alpha1.PriorityLevelConfiguration) error {
+	for _, expectedFlowSchema := range flowSchemas {
+		actualFlowSchema, err := flowcontrolClientSet.FlowSchemas().Get(expectedFlowSchema.Name, metav1.GetOptions{})
+		if err == nil {
+			// TODO(yue9944882): extract existing version from label and compare
+			// TODO(yue9944882): create w/ version string attached
+			identical, err := flowSchemaHasWrongSpec(expectedFlowSchema, actualFlowSchema)
+			if err != nil {
+				return fmt.Errorf("failed checking if mandatory FlowSchema %s is up-to-date due to %v, will retry later", expectedFlowSchema.Name, err)
+			}
+			if !identical {
+				if _, err := flowcontrolClientSet.FlowSchemas().Update(expectedFlowSchema); err != nil {
+					return fmt.Errorf("failed upgrading mandatory FlowSchema %s due to %v, will retry later", expectedFlowSchema.Name, err)
+				}
+			}
+			continue
+		}
+		if !apierrors.IsNotFound(err) {
+			return fmt.Errorf("failed getting FlowSchema %s due to %v, will retry later", expectedFlowSchema.Name, err)
+		}
+		_, err = flowcontrolClientSet.FlowSchemas().Create(expectedFlowSchema)
+		if apierrors.IsAlreadyExists(err) {
+			klog.V(3).Infof("system preset FlowSchema %s already exists, skipping creating", expectedFlowSchema.Name)
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("cannot create FlowSchema %s due to %v", expectedFlowSchema.Name, err)
+		}
+		klog.V(3).Infof("created system preset FlowSchema %s", expectedFlowSchema.Name)
+	}
+	for _, expectedPriorityLevelConfiguration := range priorityLevels {
+		actualPriorityLevelConfiguration, err := flowcontrolClientSet.PriorityLevelConfigurations().Get(expectedPriorityLevelConfiguration.Name, metav1.GetOptions{})
+		if err == nil {
+			// TODO(yue9944882): extract existing version from label and compare
+			// TODO(yue9944882): create w/ version string attached
+			identical, err := priorityLevelHasWrongSpec(expectedPriorityLevelConfiguration, actualPriorityLevelConfiguration)
+			if err != nil {
+				return fmt.Errorf("failed checking if mandatory PriorityLevelConfiguration %s is up-to-date due to %v, will retry later", expectedPriorityLevelConfiguration.Name, err)
+			}
+			if !identical {
+				if _, err := flowcontrolClientSet.PriorityLevelConfigurations().Update(expectedPriorityLevelConfiguration); err != nil {
+					return fmt.Errorf("failed upgrading mandatory PriorityLevelConfiguration %s due to %v, will retry later", expectedPriorityLevelConfiguration.Name, err)
+				}
+			}
+			continue
+		}
+		if !apierrors.IsNotFound(err) {
+			return fmt.Errorf("failed getting PriorityLevelConfiguration %s due to %v, will retry later", expectedPriorityLevelConfiguration.Name, err)
+		}
+		_, err = flowcontrolClientSet.PriorityLevelConfigurations().Create(expectedPriorityLevelConfiguration)
+		if apierrors.IsAlreadyExists(err) {
+			klog.V(3).Infof("system preset PriorityLevelConfiguration %s already exists, skipping creating", expectedPriorityLevelConfiguration.Name)
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("cannot create PriorityLevelConfiguration %s due to %v", expectedPriorityLevelConfiguration.Name, err)
+		}
+		klog.V(3).Infof("created system preset PriorityLevelConfiguration %s", expectedPriorityLevelConfiguration.Name)
+	}
+	return nil
+}
+
+func flowSchemaHasWrongSpec(expected, actual *flowcontrolv1alpha1.FlowSchema) (bool, error) {
+	copiedExpectedFlowSchema := expected.DeepCopy()
+	flowcontrolapisv1alpha1.SetObjectDefaults_FlowSchema(copiedExpectedFlowSchema)
+	return !equality.Semantic.DeepEqual(copiedExpectedFlowSchema.Spec, actual.Spec), nil
+}
+
+func priorityLevelHasWrongSpec(expected, actual *flowcontrolv1alpha1.PriorityLevelConfiguration) (bool, error) {
+	copiedExpectedPriorityLevel := expected.DeepCopy()
+	flowcontrolapisv1alpha1.SetObjectDefaults_PriorityLevelConfiguration(copiedExpectedPriorityLevel)
+	return !equality.Semantic.DeepEqual(copiedExpectedPriorityLevel.Spec, actual.Spec), nil
+}