You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The parameters in VolumeAttributesClass are opaque and immutable. This gives different cloud providers flexibility but at the same time it is up to the specific driver to verify the values set in the parameters. The parameters from VolumeAttributesClass associated with a volume are mutable because they are coming from different VolumeAttributesClasses.
402
403
404
+
**Deal with Volume Reverted to nil VAC**
405
+
406
+
After reverting VAC name to nil, it will not be fully reverted to the previous state, because Kubernetes does not actually know the previous state of the volume. The volume will keep occupying the quota of previously specified VAC. Now user can:
407
+
* If there is no quota, user may not care about this, and just leave it there
408
+
* User can set a (potentially different) VAC name to try again
409
+
* Admin can check the volume status manually and reset PVC.status.modifyStatus to nil to fully revert the change.
410
+
411
+
This may also confuse the higher level controller (e.g. [KEP-4650](https://github.com/kubernetes/enhancements/issues/4650)) when reconciling PVC. Higher level controllers can also special casing nil VAC names to skip waiting for the modification.
412
+
403
413
### Risks and Mitigations
404
414
415
+
**Parameter Conflicts**
416
+
405
417
Users may configure both parameters in StorageClass and parameters in VolumeAttributesClass differently. The mitigation here is to provide a guideline of solving conflicts. Drivers should return an error if they are conflicting. If the MODIFY_VOLUME capability is present, VolumeAttributesClass should be honored.
406
418
419
+
**Quota Abuse**
420
+
421
+
For administrators who want to set up quota on the VACs to control the expense, he should set up each VAC to fully specify the state of the volume. That is to say, each VAC should fully overwrite changes to every other VAC.
422
+
423
+
Consider this bad setup that violates the previous requirement.
Users can switch from A to B then back to A to get 2000 iops without using his quota on VAC B.
428
+
429
+
If this requirement is met, Kubernetes promises to administrators: every PVC with `Status.ModifyVolumeStatus == nil` is properly covered by quota.
430
+
431
+
While Kubernetes will work with storage providers to prevent quota abuse at best effort, the state of volumes with non-nil ModifyVolumeStatus is undefined.
432
+
Consider when a volume is modified from VAC A to B, C, D, E in sequence, all failed with Internal error, the actual state of the volume can be any combination of the 5 VACs, but we cannot charge the quota of all 5 VACs for this volume.
433
+
434
+
To mitigate this, admin should properly setup to VACs and actively monitor the number of volumes with non-nil ModifyVolumeStatus, and driving them to the final state.
435
+
436
+
CSI drivers should try to avoid making volume stuck at partially modified states to improve user experience and avoid quota abuse.
437
+
438
+
CSI drivers should try their best to verify all the parameters before applying any modifications. It should make light-weight and reversible changes first and non-reversible changes last, so that if something still goes wrong in the middle, users can revert the volume to the previous state.
439
+
407
440
## Proposed Changes
408
441
409
442
As part of this proposal, we are proposing:
@@ -429,7 +462,7 @@ A. Count of bound/unbound PVCs per VolumeAttributesClass similar to [existing PV
429
462
430
463
Prior to this enhancement, we loop through all PVCs, check if `pvc.Status.Phase == v1.VolumeBound` and increment the relevant metric only on `namespace` dimension. When the feature flag is enabled, new metrics will take into account `namespace`, `storage_class`, and `volume_attribute_class`.
431
464
432
-
With these additional labels, cluster operators can alarm on these new metrics to detect PVCs that are not able to bind. With the additional StorageClass and VolumeAttributesClass name labels, cluster operators can more easily check whether VolumeAttributeClass or StorageClass object misconfiguration is the cause of these binding issues.
465
+
With these additional labels, cluster operators can alarm on these new metrics to detect PVCs that are not able to bind. With the additional StorageClass and VolumeAttributesClass name labels, cluster operators can more easily check whether VolumeAttributesClass or StorageClass object misconfiguration is the cause of these binding issues.
433
466
434
467
```
435
468
boundPVCCountWithVACDesc = metrics.NewDesc(
@@ -683,11 +716,78 @@ spec:
683
716
684
717
ModifyVolume is only allowed on bound PVCs. Under the ModifyVolume call, it will pass in the mutable parameters and do the update operation based on the `VolumeAttributesClass` parameters.
VolumeAttributesClass parameters can be considered as best-effort parameters, the CSI driver should report the status of bad parameters as INVALID_ARGUMENT and the volume would fall back to a workable default configuration.
719
+
##### Handle failures
720
+
721
+
The design principle of failure handling:
722
+
**Acurate state sync**:
723
+
when `pvc.Status.CurrentVolumeAttributesClassName == pvc.Spec.VolumeAttributesClassName && pvc.Status.ModifyVolumeStatus == nil`,
724
+
the PVC reaches the specified state, the volume is guaranteed to have user specified parameters applied. More formally: `ControllerModifyVolume` has been called with parameters in the specified VAC, returned OK, and no other `ControllerModifyVolume` has been called after that.
725
+
726
+
This is important for user to ensure proper function of workload.
727
+
This also helps to ensure the volumes are properly covered by quota when they reaches the stable state.
728
+
729
+
To balance the predictable and intuitive system behavior with the quota abuse possibility,
730
+
we classify the errors returned by `ControllerModifyVolume` into 3 categories and handle them differently:
731
+
- Non-final errors (such as `DeadlineExceeded`), indicating volume modification is likely still in-progress.
732
+
In this case, We will always retry the request with the same parameters to allow the operation to complete.
733
+
This policy safeguards against potential quota abuse that can occur if users time their requests strategically.
734
+
- Final errors (such as `Internal`), indicating storage provider failed to modify the volume and likely no longer processing the request.
735
+
In this case, We allow changing the parameters to recover from the error.
736
+
- Infeasible Errors (e.g., `InvalidArgument`): This is a subset of final errors indicating the request itself is invalid and is not likely to succeed when retried.
737
+
We will retry at lower frequency.
738
+
If the `Spec.VolumeAttributesClassName` is set to nil, we will not retry the request.
739
+
740
+
For details, please refer to the flow chart below.
741
+
742
+
##### Implementation
743
+
744
+
Flow diagram describes how external-resizer modifies the volume:
0 commit comments