From eee4f5c6d71392dca8d524d1ab86bb654e28bd6f Mon Sep 17 00:00:00 2001 From: Pavel Pospisil Date: Sun, 18 Mar 2018 19:56:50 +0100 Subject: [PATCH] Bring StorageObjectInUseProtection feature to GA StorageObjectInUseProtection is Beta in K8s 1.10. It's brought to GA in K8s 1.11. --- docs/admin/admission-controllers.md | 3 +- docs/concepts/storage/persistent-volumes.md | 3 +- .../administer-cluster/pvc-protection.md | 144 ------------------ .../storage-object-in-use-protection.md | 1 - 4 files changed, 2 insertions(+), 149 deletions(-) delete mode 100644 docs/tasks/administer-cluster/pvc-protection.md diff --git a/docs/admin/admission-controllers.md b/docs/admin/admission-controllers.md index 6a88e6b17a21d..fb0b68da0e4bc 100644 --- a/docs/admin/admission-controllers.md +++ b/docs/admin/admission-controllers.md @@ -565,8 +565,7 @@ This admission controller will deny any pod that attempts to set certain escalat This admission controller implements automation for [serviceAccounts](/docs/user-guide/service-accounts). We strongly recommend using this admission controller if you intend to make use of Kubernetes `ServiceAccount` objects. -### Storage Object in Use Protection (beta) -{% assign for_k8s_version="v1.10" %}{% include feature-state-beta.md %} +### Storage Object in Use Protection The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection` finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV). In case a user deletes a PVC or PV the PVC or PV is not removed until the finalizer is removed from the PVC or PV by PVC or PV Protection Controller. Refer to the [Storage Object in Use Protection](/docs/concepts/storage/persistent-volumes/#storage-object-in-use-protection) for more detailed information. ### ValidatingAdmissionWebhook (alpha in 1.8; beta in 1.9) 
diff --git a/docs/concepts/storage/persistent-volumes.md b/docs/concepts/storage/persistent-volumes.md index 7a0e88796473e..f44ac3cc209e0 100644 --- a/docs/concepts/storage/persistent-volumes.md +++ b/docs/concepts/storage/persistent-volumes.md 
@@ -71,13 +71,12 @@ Pods use claims as volumes. The cluster inspects the claim to find the bound vol Once a user has a claim and that claim is bound, the bound PV belongs to the user for as long as they need it. Users schedule Pods and access their claimed PVs by including a `persistentVolumeClaim` in their Pod's volumes block. [See below for syntax details](#claims-as-volumes). ### Storage Object in Use Protection -{% assign for_k8s_version="v1.10" %}{% include feature-state-beta.md %} The purpose of the Storage Object in Use Protection feature is to ensure that Persistent Volume Claims (PVCs) in active use by a pod and Persistent Volume (PVs) that are bound to PVCs are not removed from the system as this may result in data loss. **Note:** PVC is in active use by a pod when the pod status is `Pending` and the pod is assigned to a node or the pod status is `Running`. {: .note} -When the [Storage Object in Use Protection beta feature](/docs/tasks/administer-cluster/storage-object-in-use-protection/) is enabled, if a user deletes a PVC in active use by a pod, the PVC is not removed immediately. PVC removal is postponed until the PVC is no longer actively used by any pods, and also if admin deletes a PV that is bound to a PVC, the PV is not removed immediately. PV removal is postponed until the PV is not bound to a PVC any more. +When the [Storage Object in Use Protection feature](/docs/tasks/administer-cluster/storage-object-in-use-protection/) is enabled, if a user deletes a PVC in active use by a pod, the PVC is not removed immediately. PVC removal is postponed until the PVC is no longer actively used by any pods, and also if admin deletes a PV that is bound to a PVC, the PV is not removed immediately. PV removal is postponed until the PV is not bound to a PVC any more. You can see that a PVC is protected when the PVC's status is `Terminating` and the `Finalizers` list includes `kubernetes.io/pvc-protection`: 
diff --git a/docs/tasks/administer-cluster/pvc-protection.md b/docs/tasks/administer-cluster/pvc-protection.md deleted file mode 100644 index 49bddc9dc60c0..0000000000000 --- a/docs/tasks/administer-cluster/pvc-protection.md +++ /dev/null 
@@ -1,144 +0,0 @@ ---- -reviewers: -- msau42 -- jsafrane -title: Persistent Volume Claim Protection ---- - -{% capture overview %} -{% assign for_k8s_version="v1.9" %}{% include feature-state-alpha.md %} - -As of Kubernetes 1.9, persistent volume claims (PVCs) that are in active use by a pod can be protected from pre-mature removal. - -{% endcapture %} - -{% capture prerequisites %} - -- A v1.9 or higher Kubernetes must be installed. -- As PVC Protection is a Kubernetes v1.9 alpha feature it must be enabled: -1. [Admission controller](/docs/admin/admission-controllers/) must be started with the [PVC Protection plugin](/docs/admin/admission-controllers/#persistent-volume-claim-protection-alpha). -2. All Kubernetes components must be started with the `PVCProtection` alpha features enabled. - -{% endcapture %} - -{% capture steps %} - -## PVC Protection Verification - -The example below uses a GCE PD `StorageClass`, however, similar steps can be performed for any volume type. - -Create a `StorageClass` for convenient storage provisioning: -```yaml -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: slow -provisioner: kubernetes.io/gce-pd -parameters: - type: pd-standard -``` - -There are two scenarios: a PVC deleted by a user is either in active use or not in active use by a pod. 
- -### Scenario 1: The PVC is not in active use by a pod - -- Create a PVC: - -```yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: slzc -spec: - accessModes: - - ReadWriteOnce - storageClassName: slow - resources: - requests: - storage: 3.7Gi -``` - -- Check that the PVC has the finalizer `kubernetes.io/pvc-protection` set: -```shell -$ kubectl describe pvc slzc -Name: slzc -Namespace: default -StorageClass: slow -Status: Bound -Volume: pvc-bee8c30a-d6a3-11e7-9af0-42010a800002 -Labels: -Annotations: pv.kubernetes.io/bind-completed=yes - pv.kubernetes.io/bound-by-controller=yes - volume.beta.kubernetes.io/storage-provisioner=kubernetes.io/gce-pd -Finalizers: [kubernetes.io/pvc-protection] -Capacity: 4Gi -Access Modes: RWO -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal ProvisioningSucceeded 2m persistentvolume-controller Successfully provisioned volume pvc-bee8c30a-d6a3-11e7-9af0-42010a800002 using kubernetes.io/gce-pd -``` - -- Delete the PVC and check that the PVC (not in active use by a pod) was removed successfully. - -### Scenario 2: The PVC is in active use by a pod - -- Again, create the same PVC. -- Create a pod that uses the PVC: - -```yaml -kind: Pod -apiVersion: v1 -metadata: - name: app1 -spec: - containers: - - name: test-pod - image: k8s.gcr.io/busybox:1.24 - command: - - "/bin/sh" - args: - - "-c" - - "date > /mnt/app1.txt; sleep 60 && exit 0 || exit 1" - volumeMounts: - - name: path-pvc - mountPath: "/mnt" - restartPolicy: "Never" - volumes: - - name: path-pvc - persistentVolumeClaim: - claimName: slzc -``` - -- Wait until the pod status is `Running`, i.e. the PVC becomes in active use. 
-- Delete the PVC that is now in active use by a pod and verify that the PVC is not removed but its status is `Terminating`: - -```shell -Name: slzc -Namespace: default -StorageClass: slow -Status: Terminating (since Fri, 01 Dec 2017 14:47:55 +0000) -Volume: pvc-803a1f4d-d6a6-11e7-9af0-42010a800002 -Labels: -Annotations: pv.kubernetes.io/bind-completed=yes - pv.kubernetes.io/bound-by-controller=yes - volume.beta.kubernetes.io/storage-provisioner=kubernetes.io/gce-pd -Finalizers: [kubernetes.io/pvc-protection] -Capacity: 4Gi -Access Modes: RWO -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal ProvisioningSucceeded 52s persistentvolume-controller Successfully provisioned volume pvc-803a1f4d-d6a6-11e7-9af0-42010a800002 using kubernetes.io/gce-pd -``` -- Wait until the pod status is `Terminated` (either delete the pod or wait until it finishes). Afterwards, check that the PVC is removed. - - -{% endcapture %} - -{% capture discussion %} - - -{% endcapture %} - -{% include templates/task.md %} diff --git a/docs/tasks/administer-cluster/storage-object-in-use-protection.md b/docs/tasks/administer-cluster/storage-object-in-use-protection.md index 76b552edfdf4c..fef23d3387963 100644 --- a/docs/tasks/administer-cluster/storage-object-in-use-protection.md +++ b/docs/tasks/administer-cluster/storage-object-in-use-protection.md @@ -6,7 +6,6 @@ title: Storage Object in Use Protection --- {% capture overview %} -{% assign for_k8s_version="v1.10" %}{% include feature-state-beta.md %} Persistent volume claims (PVCs) that are in active use by a pod and persistent volumes (PVs) that are bound to PVCs can be protected from pre-mature removal.
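Review bot: in docs/admin/admission-controllers.md (hunk @@ -565,8 +565,7) the section loses its only version statement when the `feature-state-beta.md` include is removed, so the page no longer says the plugin is GA as of 1.11, which the commit message does say. Suggest adding a one-line GA note with the version under the new heading. The rename from `### Storage Object in Use Protection (beta)` to `### Storage Object in Use Protection` also likely changes the generated heading anchor, so check the docs for links that still target the old one.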
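Review bot: in docs/concepts/storage/persistent-volumes.md (hunk @@ -71,13 +71,12) the rewritten sentence still opens with "When the ... feature is enabled", which reads as if the protection were optional now that the beta marker is gone. Say what "enabled" means at GA, for example that the `StorageObjectInUseProtection` admission plugin described in admission-controllers.md must be on, or drop the condition if it no longer applies. While the line is being touched, the run-on "and also if admin deletes a PV ..." would read better as its own sentence.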
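Review bot: the deletion of docs/tasks/administer-cluster/pvc-protection.md (144 lines in the diffstat) is not mentioned in the commit message, and nothing in the patch redirects the removed URL. Suggest adding a sentence to the commit message saying the v1.9 alpha "Persistent Volume Claim Protection" task page is removed as superseded, and a redirect from the old path to /docs/tasks/administer-cluster/storage-object-in-use-protection/. Please also confirm that the remaining task page covers the two verification scenarios (PVC not in use, PVC in use and left `Terminating`) that are deleted here.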
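Review bot: the rest of docs/tasks/administer-cluster/storage-object-in-use-protection.md needs a check for leftover beta wording, because the hunk at @@ -6,7 +6,6 touches only the `feature-state-beta.md` include in the overview (one deletion in the diffstat). Any prerequisite or enablement text further down the page that was written for the 1.10 beta should be updated for 1.11 GA in this same commit, so the task page agrees with the two pages edited above.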