KEP-5381: Mutable PersistentVolume Node Affinity

[huww98]

• One-line PR description: adding new KEP

• Issue link: Mutable PersistentVolume Node Affinity #5381

• Other comments:

[mowangdk]

Point 2 and 3, though not directly compatible with the title, are connected as upstream and downstream changes. They're currently combined, but if needed, we'll create a new KEP for separation later.

[sunnylovestiramisu]

Is this a new field or it can fit into the mutable parameters map? Actually nvm there is the proto change below.

[mowangdk]

Though it deviates from nodeAffinity's original design（geography related）, this scenario is currently useful for users, hence we include it.

[sunnylovestiramisu]

How do we prevent the new update to the nodeAffinity is not compatible with the current node?

[sunnylovestiramisu]

Or maybe we have some rules around you can only add wider nodeAffinity support but not shrink it.

[huww98]

I think we just don't enforce this. We ask SPs to not disrupt the running workload. With this promise, we allow SP to return any new nodeAffinity, even if it is not compatible with currently published node. The affinity will be ignored for running pod, just like Pod.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.

[sunnylovestiramisu]

How do we measure the consistency guarantee of the "latest" requirements?

[mowangdk]

That's a good question, but after some discussion we don't seem to have a suitable solution, especially since there is also an informer cache, and we noticed that the #4876 doesn't mention this problem either, so can we just ignore it?

[torredil]

No, we can't just ignore it. If I understood Sunny's question correctly, its trying to poke at potential race conditions or issues which could lead to unexpected results. For example, (in the current proposal) if two ModifyVolume calls are made in parallel with different accessibility requirements, how do we know what "latest" is? In other words, what are the mechanisms that ensure the actual state of the world reflects the desired state.

These sorts of questions were addressed in KEP 4876 -#4875 (comment).

[huww98]

I think this is fine. The latest requirement is the one corresponding to the mutable_parameters desired by CO passed in ControllerModifyVolumeRequest. In Kubernetes, external-resizer will save the VAC name to PV status after ModifyVolume finishes. It can save the returned requirement to PV just before that.

If anything wrong happens (race, crash, etc.), CO can always issue another ControllerModifyVolume request to fetch the latest topology. This means we should require SP to return accessible_topology if supported. I will update the KEP.

[sunnylovestiramisu]

Are we still planning to do ControllerModifyVolume with nodeAffinity changes? I was thinking in CSI meetings there was a discussion about using a new CSI API specific for nodeAffinity.

[huww98]

Yes, but maybe delayed. We want to land this KEP as soon as possible. This should extend the ControllerModifyVolume and not blocking it from GA.

[sunnylovestiramisu]

Is this a infeasible error? What is the retry/rollback story for the users?

[huww98]

Kubernetes does not perform any automatic correction for this, it is exposed to Event as other errors.

Currently, external-resizer should just retry with exponential backoff. In the future, maybe we can retry after any ControllerUnpublishVolume succeeded, maybe after external-resizer and external-attacher combined into the same process.

User should just rollback the VAC to the previous value to cancel the request.

[xing-yang]

This should be an alpha_field.

[xing-yang]

We are moving VolumeAttributesClass to GA in 1.34. That means we need to move ControllerModifyVolume in CSI spec from alpha to GA and cut a CSI spec release before 1.34 release.
I'm wondering if we can move this message to GA while adding a new alpha_field.

[mowangdk]

I think we have two options to address this issue:

1. Target the entire KEP in v1.35
2. Isolate the VAC part, limiting mutable PV node affinity to v1.34, we still got one weeks before enhancement freeze

Maybe we can talk about this on the sig-storage meeting

[mowangdk]

Before altering the topology to an unfeasible state, consider adding clearer guidance on handling scheduled pods.

[mowangdk]

We also need a new parameters in mutable_parameters right? Let's include an example demonstrating the usage of ControllerModifyVolumeRequest and ControllerModifyVolumeResponse with allow_topology_updates.

[huww98]

According to the last zoom meeting, I've made the following changes:

• No major changes to the current design. Added a sentence to CSI spec to instruct SP to only loose the topology.
• I propose not to support SPs that don't know the currently attached nodes.
• I propose not to support specifying topology in VAC.

Please see the KEP for the reasons and details.

[sunnylovestiramisu]

Consider a scenario where the scheduler selects "node-A" for a pod and annotates the corresponding PVC with volume.kubernetes.io/selected-node: node-A. If an administrator concurrently modifies the nodeAffinity of the underlying PV to only allow scheduling on "node-B," a conflict will arise. The pod, when it attempts to start on "node-A," may fail if the volume cannot be mounted there due to the updated affinity rules.

How do we resolve this?

Or do we have a list of scenarios that is considered against the guideline so the admin or user should not be doing that?

[huww98]

@sunnylovestiramisu I think this is discussed in the Caveats section as "Possible race condition".

I've just learnt we reject pod when attachment limit is exceeded. I think we can use similar method to deal with the mis-scheduled pods, i.e., when we detect PV node affinity violation and a specific error code at ControllerPublishVolume, we mark the Pod as Failed and hope some controller to re-create it.

[xing-yang]

If the PVC is used by a Pod and user changes the PersistentVolume.spec.nodeAffinity, the nodeAffinity rule may be out of sync with the node where the pod is running?

[mowangdk]

Yeah, we think the modified PersistentVolume.spec.nodeAffinity shouldn't impact running pods; its will effects during the next scheduling or when a new pod claims it.

[huww98]

Whoever modifies nodeAffinity should ensure this will not affect the running pods.

[xing-yang]

Can you summarize what the solution is?

[mowangdk]

Should we propose a separate KEP to discuss this to avoid confusion in this one? (btw we already write about this part in previous version of this KEP)

[huww98]

For that previous version, please refer to the previous commit in this PR

[xing-yang]

Who will be updating PersistentVolume.spec.nodeAffinity? Some downstream controller?

[mowangdk]

Yeah, We initially planned to implement this in VAC, but due to unresolved questions from last few month's meetings, we've decided to focus on making pv nodeaffinity mutable for now.

[huww98]

Eventually we want external-resizer to update it. Currently, we are intended to do this in our fork of external-resizer, or with a dedicated controller.

[huww98]

I've done a prototype implementation at kubernetes/kubernetes#134339

Also added kubelet behavior when pod with incompatible PV nodeAffinity running on the node, tested with the implementation mentioned above.

[mowangdk]

I think we should periodically emit the error event since it doesn't cause pod failures, but it may block volume-related node operations like filesystem expansion. Alerting the user and guiding them to fix PV affinity is necessary.

[wojtek-t]

I'm probably missing something, so let me try to understand the proposal better.

Imagine that my PV is attached to node:

• node N1 where pod P1 using it is running
• node N2 where pod P2 using it is running
  I want to update nodeAffinity in a way that N2 no longer satisfies the new affinity.

1. What happens to pod P2 if I don't delete it manually?

2. What happens to the PV itself after its nodeAffinity is updated. Will it be automatically detached from N2?

[huww98]

What happens to pod P2 if I don't delete it manually?

It will continue to run if the volume is actually accessible, with some known limitations listed in the next paragraph.

What happens to the PV itself after its nodeAffinity is updated. Will it be automatically detached from N2?

No. We will still detach it from N2 after P2 deleted. Basically the new affinity only affects new pods.

[wojtek-t]

Can you add that explicitly to the doc to make it clear?

[wojtek-t]

So what happens to those pods? In what state do they stuck? Is it ContainerCreating?

Ensuring that kubelet is able to handle that correctly (i.e. all supported kubelets handle that) seems like at least a GA blocker to me.

[huww98]

So what happens to those pods? In what state do they stuck? Is it ContainerCreating?

Yes, ContainerCreating.

seems like at least a GA blocker to me.

If user does not actually modify PV node affinity, there will be no such mis-scheduled pods. User should upgrade and enable feature gate for all components before using this new feature, right?

[wojtek-t]

I don't understand this - the whole goal of this KEP is to allow to update it.

[huww98]

I mean this should be rare before enabling this feature. So that when the feature is enabled, it is rare that some pod existing in the cluster will be affected by the behavior change.

[wojtek-t]

I'm wondering if we shouldn't actually roll this out with two separate feature-gates:

1. the kubelet one that handles the mis-scheduled pods
   Ensure that this graduated to GA on all supported versions, before graduating the apiserver FG.
2. the FG that allows for mutating nodeAffinity.

[huww98]

That may be an option. But we can instruct user not to use this feature before kubelet rollout finished to avoid the race condition.

Another KEP also embrace similar mechanism to handle race condition when node volume count exceeded. It also use one feature gate.

If we do use two feature-gate, should we track them in two KEP?

[wojtek-t]

The different that I see between these KEPs is that:

• in the mutable allocatable, the whole workflow is generally through system components, there is no user in the picture (the update is triggered by the CSI driver); so as an administrator I have full control over it

• in this particular KEP:
  (a) we additionally have a user in the picture [a user is the one that can trigger nodeAffinity change]
  (b) they can do that in a setup where kubelet will keep the pod stuck in ContainerCreating

(b) is my primary concern here.

No - definitely not two keps. There are different keps with multiple FGs.

[huww98]

For that KEP, there is likely a human operation that triggers the allocatable count change. Someone may re-configured the node, attached another device to the node, etc.

And note this should be rare, it is a race condition that only happens when user update PV and create Pod at the same time. And is easily resolvable by upgrade kubelet afterwards or manually delete Pod.

If I understand this correctly, we need to wait for at least 3 release between enable these two feature gate. That is not a short time. Would it be too careful? Since the enhancement freeze is near. Can we merge this PR and keep the discussion in its dedicated PR? I think this is not blocking for alpha.

[jsafrane]

For me, changing PV object is an operation that is highly privileged, very similar to Node change. I think we could assume that users who have such permissions know enough about what they can cause by such a change. They may choose to ensure that no Pod users the PV, manually resolve the race, or postpone their PV modification until all kubelets have the feature gate enabled.

[wojtek-t]

OK fair. I would like these thoughts to be better reflected in the KEP.
But let's work on updating the KEP to better reflect all those tradeoffs before Beta - I will let it go for Alpha to not block you for the next 4 months.

[wojtek-t]

Can you add that explicitly to the doc to make it clear?

[wojtek-t]

I would like to see feedback from someone from the SIG node about that.
It sounds fine to me, but I'm not an expert here.

@SergeyKanzhelev

[jsafrane]

We (sig-storage) are marking pods as Failed when kubelet detects the CSI driver can't attach more volumes to it here

Similarly to this KEP, it solves a race condition and we expect the owner (Deployment/StatefulSet) re-creates the Pod.

[wojtek-t]

The different that I see between these KEPs is that:

• in the mutable allocatable, the whole workflow is generally through system components, there is no user in the picture (the update is triggered by the CSI driver); so as an administrator I have full control over it

• in this particular KEP:
  (a) we additionally have a user in the picture [a user is the one that can trigger nodeAffinity change]
  (b) they can do that in a setup where kubelet will keep the pod stuck in ContainerCreating

(b) is my primary concern here.

No - definitely not two keps. There are different keps with multiple FGs.

[wojtek-t]

I think this is answer is misleading, as many of those are indirect consequences of this feature.

I think the answer really is:

1. nodeAffinity can now be updated for existing volumes
2. pods that cannot be run due volume that can't be attached are now being failed by kubelet

[huww98]

Yes, you are right that many of those are indirect. I will also add the direct part as you describe.

But those are written to be corresponding to the "Motivation" part of this doc. I'm interpreting the subtitle "working for their instance" as meeting the initial motivation when proposing this change.

[jsafrane]

I think it's good enough for alpha. I actually like the extra thoughts about mis-scheduled pods and failing them in kiubelet.
/lgmt
/approve

[jsafrane]

/lgtm

[wojtek-t]

I think it's acceptable for Alpha from PRR POV.

That said, we should much better reflect all the tradeoffs we're making (e.g. PV update being previliged operation etc.) in the KEP before Beta - the way it is currently described doesn't meet the Beta bar, so I will be more conservative the next release.

@huww98 @jsafrane ^^

/approve PRR

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: huww98, jsafrane, wojtek-t

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [wojtek-t]
• keps/sig-storage/OWNERS [jsafrane]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment