From 0277275c7247a0eaf57c1ae7da0172ab3839b319 Mon Sep 17 00:00:00 2001 From: Qiming Date: Wed, 23 May 2018 09:00:00 +0800 Subject: [PATCH 1/3] StorageObjectInUseProtection is GA (#8291) * Feature gate: StorageObjectInUseProtection is GA Update feature gate reference for 1.11 * Trivial commit to re-trigger Netlify --- .../docs/reference/command-line-tools-reference/feature-gates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 7747cc67742c8..6c07ec08703b8 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md @@ -223,3 +223,4 @@ Each feature gate is designed for enabling/disabling a specific feature: type when used together with the `PersistentLocalVolumes` feature gate. {{% /capture %}} + From 05c5f5d116d75346bc96ef910118ed3feb929531 Mon Sep 17 00:00:00 2001 From: Pavel Pospisil Date: Wed, 23 May 2018 20:07:54 +0200 Subject: [PATCH 2/3] Bring StorageObjectInUseProtection feature to GA StorageObjectInUseProtection is Beta in K8s 1.10. It's brought to GA in K8s 1.11. --- .../concepts/storage/persistent-volumes.md | 3 +- .../admission-controllers.md | 3 +- .../administer-cluster/pvc-protection.md | 145 ------------------ .../storage-object-in-use-protection.md | 3 - 4 files changed, 2 insertions(+), 152 deletions(-) delete mode 100644 content/en/docs/tasks/administer-cluster/pvc-protection.md diff --git a/content/en/docs/concepts/storage/persistent-volumes.md b/content/en/docs/concepts/storage/persistent-volumes.md index 27365b615e96d..b4e28a0a72552 100644 --- a/content/en/docs/concepts/storage/persistent-volumes.md +++ b/content/en/docs/concepts/storage/persistent-volumes.md 
@@ -70,14 +70,13 @@ Pods use claims as volumes. The cluster inspects the claim to find the bound vol Once a user has a claim and that claim is bound, the bound PV belongs to the user for as long as they need it. Users schedule Pods and access their claimed PVs by including a `persistentVolumeClaim` in their Pod's volumes block. [See below for syntax details](#claims-as-volumes). ### Storage Object in Use Protection -{{< feature-state for_k8s_version="v1.10" state="beta" >}} The purpose of the Storage Object in Use Protection feature is to ensure that Persistent Volume Claims (PVCs) in active use by a pod and Persistent Volume (PVs) that are bound to PVCs are not removed from the system as this may result in data loss. {{< note >}} **Note:** PVC is in active use by a pod when the pod status is `Pending` and the pod is assigned to a node or the pod status is `Running`. {{< /note >}} -When the [Storage Object in Use Protection beta feature](/docs/tasks/administer-cluster/storage-object-in-use-protection/) is enabled, if a user deletes a PVC in active use by a pod, the PVC is not removed immediately. PVC removal is postponed until the PVC is no longer actively used by any pods, and also if admin deletes a PV that is bound to a PVC, the PV is not removed immediately. PV removal is postponed until the PV is not bound to a PVC any more. +When the [Storage Object in Use Protection feature](/docs/tasks/administer-cluster/storage-object-in-use-protection/) is enabled, if a user deletes a PVC in active use by a pod, the PVC is not removed immediately. PVC removal is postponed until the PVC is no longer actively used by any pods, and also if admin deletes a PV that is bound to a PVC, the PV is not removed immediately. PV removal is postponed until the PV is not bound to a PVC any more. You can see that a PVC is protected when the PVC's status is `Terminating` and the `Finalizers` list includes `kubernetes.io/pvc-protection`: 
diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md index dcc5ce623e376..70c3b66a2c888 100644 --- a/content/en/docs/reference/access-authn-authz/admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md @@ -571,8 +571,7 @@ This admission controller will deny any pod that attempts to set certain escalat This admission controller implements automation for [serviceAccounts](/docs/tasks/configure-pod-container/configure-service-account/). We strongly recommend using this admission controller if you intend to make use of Kubernetes `ServiceAccount` objects. -### Storage Object in Use Protection (beta) -{{< feature-state for_k8s_version="v1.10" state="beta" >}} +### Storage Object in Use Protection The `StorageObjectInUseProtection` plugin adds the `kubernetes.io/pvc-protection` or `kubernetes.io/pv-protection` finalizers to newly created Persistent Volume Claims (PVCs) or Persistent Volumes (PV). In case a user deletes a PVC or PV the PVC or PV is not removed until the finalizer is removed from the PVC or PV by PVC or PV Protection Controller. Refer to the [Storage Object in Use Protection](/docs/concepts/storage/persistent-volumes/#storage-object-in-use-protection) for more detailed information. ### ValidatingAdmissionWebhook (alpha in 1.8; beta in 1.9) diff --git a/content/en/docs/tasks/administer-cluster/pvc-protection.md b/content/en/docs/tasks/administer-cluster/pvc-protection.md deleted file mode 100644 index 64bc945332265..0000000000000 --- a/content/en/docs/tasks/administer-cluster/pvc-protection.md +++ /dev/null 
@@ -1,145 +0,0 @@ ---- -reviewers: -- msau42 -- jsafrane -title: Persistent Volume Claim Protection -content_template: templates/task ---- - -{{% capture overview %}} -{{< feature-state for_k8s_version="v1.9" state="alpha" >}} - -As of Kubernetes 1.9, persistent volume claims (PVCs) that are in active use by a pod can be protected from pre-mature removal. - -{{% /capture %}} - -{{% capture prerequisites %}} - -- A v1.9 or higher Kubernetes must be installed. -- As PVC Protection is a Kubernetes v1.9 alpha feature it must be enabled: -1. [Admission controller](/docs/admin/admission-controllers/) must be started with the [PVC Protection plugin](/docs/admin/admission-controllers/#persistent-volume-claim-protection-alpha). -2. All Kubernetes components must be started with the `PVCProtection` alpha features enabled. - -{{% /capture %}} - -{{% capture steps %}} - -## PVC Protection Verification - -The example below uses a GCE PD `StorageClass`, however, similar steps can be performed for any volume type. - -Create a `StorageClass` for convenient storage provisioning: -```yaml -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: slow -provisioner: kubernetes.io/gce-pd -parameters: - type: pd-standard -``` - -There are two scenarios: a PVC deleted by a user is either in active use or not in active use by a pod. 
- -### Scenario 1: The PVC is not in active use by a pod - -- Create a PVC: - -```yaml -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: slzc -spec: - accessModes: - - ReadWriteOnce - storageClassName: slow - resources: - requests: - storage: 3.7Gi -``` - -- Check that the PVC has the finalizer `kubernetes.io/pvc-protection` set: -```shell -$ kubectl describe pvc slzc -Name: slzc -Namespace: default -StorageClass: slow -Status: Bound -Volume: pvc-bee8c30a-d6a3-11e7-9af0-42010a800002 -Labels: -Annotations: pv.kubernetes.io/bind-completed=yes - pv.kubernetes.io/bound-by-controller=yes - volume.beta.kubernetes.io/storage-provisioner=kubernetes.io/gce-pd -Finalizers: [kubernetes.io/pvc-protection] -Capacity: 4Gi -Access Modes: RWO -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal ProvisioningSucceeded 2m persistentvolume-controller Successfully provisioned volume pvc-bee8c30a-d6a3-11e7-9af0-42010a800002 using kubernetes.io/gce-pd -``` - -- Delete the PVC and check that the PVC (not in active use by a pod) was removed successfully. - -### Scenario 2: The PVC is in active use by a pod - -- Again, create the same PVC. -- Create a pod that uses the PVC: - -```yaml -kind: Pod -apiVersion: v1 -metadata: - name: app1 -spec: - containers: - - name: test-pod - image: k8s.gcr.io/busybox:1.24 - command: - - "/bin/sh" - args: - - "-c" - - "date > /mnt/app1.txt; sleep 60 && exit 0 || exit 1" - volumeMounts: - - name: path-pvc - mountPath: "/mnt" - restartPolicy: "Never" - volumes: - - name: path-pvc - persistentVolumeClaim: - claimName: slzc -``` - -- Wait until the pod status is `Running`, i.e. the PVC becomes in active use. 
-- Delete the PVC that is now in active use by a pod and verify that the PVC is not removed but its status is `Terminating`: - -```shell -Name: slzc -Namespace: default -StorageClass: slow -Status: Terminating (since Fri, 01 Dec 2017 14:47:55 +0000) -Volume: pvc-803a1f4d-d6a6-11e7-9af0-42010a800002 -Labels: -Annotations: pv.kubernetes.io/bind-completed=yes - pv.kubernetes.io/bound-by-controller=yes - volume.beta.kubernetes.io/storage-provisioner=kubernetes.io/gce-pd -Finalizers: [kubernetes.io/pvc-protection] -Capacity: 4Gi -Access Modes: RWO -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal ProvisioningSucceeded 52s persistentvolume-controller Successfully provisioned volume pvc-803a1f4d-d6a6-11e7-9af0-42010a800002 using kubernetes.io/gce-pd -``` -- Wait until the pod status is `Terminated` (either delete the pod or wait until it finishes). Afterwards, check that the PVC is removed. - - -{{% /capture %}} - -{{% capture discussion %}} - - -{{% /capture %}} - - diff --git a/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md b/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md index ae67d40387592..37472126d92a1 100644 --- a/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md +++ b/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md @@ -7,7 +7,6 @@ content_template: templates/task --- {{% capture overview %}} -{{< feature-state for_k8s_version="v1.10" state="beta" >}} Persistent volume claims (PVCs) that are in active use by a pod and persistent volumes (PVs) that are bound to PVCs can be protected from pre-mature removal. @@ -312,5 +311,3 @@ No resources found. {{% /capture %}} - - From 5fd3d3e1fcc6c8bc34f2231022968b8fb9202666 Mon Sep 17 00:00:00 2001 
From: Pavel Pospisil Date: Wed, 23 May 2018 20:10:33 +0200 Subject: [PATCH 3/3] Fixed typo and added feature state tags. --- .../administer-cluster/storage-object-in-use-protection.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md b/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md index 37472126d92a1..d5e90dd3497b6 100644 --- a/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md +++ b/content/en/docs/tasks/administer-cluster/storage-object-in-use-protection.md @@ -8,13 +8,15 @@ content_template: templates/task {{% capture overview %}} -Persistent volume claims (PVCs) that are in active use by a pod and persistent volumes (PVs) that are bound to PVCs can be protected from pre-mature removal. +Persistent volume claims (PVCs) that are in active use by a pod and persistent volumes (PVs) that are bound to PVCs can be protected from premature removal. {{% /capture %}} {{% capture prerequisites %}} -- The Storage Object in Use Protection feature is enabled in a version of Kubernetes in which it is supported. +The Storage Object in Use Protection feature is enabled in one of the below Kubernetes versions: +- {% assign for_k8s_version = "1.10" %} {% include feature-state-beta.md %} +- {% assign for_k8s_version = "1.11" %} {% include feature-state-stable.md %} {{% /capture %}}
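Review bot: In [PATCH 1/3], the only added line in the `@@ -223,3 +223,4 @@` hunk of feature-gates.md is a blank line after `{{% /capture %}}`, so the feature gate reference is not updated even though the subject says "StorageObjectInUseProtection is GA". Add the 1.11 GA entry for `StorageObjectInUseProtection` to the gate listing in this file, and drop the trailing blank line that was only there to re-trigger the Netlify build.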
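Review bot: In the persistent-volumes.md hunk of [PATCH 2/3] (`@@ -70,14 +70,13 @@`), the `feature-state` shortcode under "Storage Object in Use Protection" is deleted rather than updated, so the section no longer tells the reader in which release the feature became stable. Replace it with `{{< feature-state for_k8s_version="v1.11" state="stable" >}}` instead of removing it. The rewritten sentence still begins "When the ... feature is enabled"; since the protection depends on the finalizers being added, it would help to say what an operator has to enable for a GA feature, or to drop the condition if nothing is required.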
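Review bot: In the admission-controllers.md hunk of [PATCH 2/3] (`@@ -571,8 +571,7 @@`), renaming the heading from `### Storage Object in Use Protection (beta)` to `### Storage Object in Use Protection` changes the generated anchor, and nothing in this series updates links that point at the old one. The deleted pvc-protection.md shows that pages do link to state-suffixed anchors (`#persistent-volume-claim-protection-alpha`), so please search the tree for links to the `-beta` anchor and fix them in the same commit.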
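Review bot: [PATCH 2/3] deletes content/en/docs/tasks/administer-cluster/pvc-protection.md (`@@ -1,145 +0,0 @@`) without adding a redirect; the diffstat lists only the four documentation files. Existing links and bookmarks to `/docs/tasks/administer-cluster/pvc-protection/` will then return a 404. Add a redirect from that path to `/docs/tasks/administer-cluster/storage-object-in-use-protection/`, and mention in the commit message that the alpha task page is being removed, since the current message only talks about bringing the feature to GA.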
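Review bot: The two bullets added under `{{% capture prerequisites %}}` in [PATCH 3/3] use Liquid tags (`{% assign for_k8s_version = "1.10" %} {% include feature-state-beta.md %}`), while this file and the rest of the series use Hugo shortcodes (`{{% capture %}}`, `{{< feature-state ... >}}`), so these lines are likely to be rendered as literal text instead of a feature-state banner. Use `{{< feature-state for_k8s_version="v1.10" state="beta" >}}` and `{{< feature-state for_k8s_version="v1.11" state="stable" >}}` here. Note also that [PATCH 2/3] removes the feature-state shortcode from the overview of this same file and this patch re-adds the state in a different section; squashing the two changes would make the intent easier to review.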