KEP-5040: Remove gitRepo volume driver.

[vinayakankugoyal]

• One-line PR description: Initial KEP to remove support for gitRepo volume driver.

• Issue link: Remove gitRepo volume driver #5040

• Other comments:

[xing-yang]

Can you open an enhancement issue? Are you planning to target Alpha in 1.33?

[vinayakankugoyal]

Can you open an enhancement issue? Are you planning to target Alpha in 1.33?

#5040. Yeah we are planning to target Alpha in 1.33

[vinayakankugoyal]

/ok-to-test

[vinayakankugoyal]

/retest

[thockin]

I am LGTM on technicals - need th testing and release and PRR sections.

[thockin]

/lgtm
/approve

[thockin]

sig-storage officially owns this, but to save you effort, I will apply the leads label -- stop me if you disagree!

[saad-ali]

Thanks Tim and Vinayak.

We are supportive of this plan from the SIG Storage side of things.

/lgtm
/approve

[vinayakankugoyal]

/assign @jpbetz
For PRR.

[sftim]

💭 Who's “we“? KEPs are usually written in the persona of the Kubernetes project, or maybe of a lead SIG.

[vinayakankugoyal]

We here and in other locations is meant to represent the author(s). Would you like me to say the following instead?

"Give this, Kubernetes thinks it should EOL this feature with urgency."

[sftim]

Suggested change

	### Timeline:
	### Timeline

This is the delivery plan, not a design detail.

[vinayakankugoyal]

This is the delivery plan, not a design detail.

I am not seeing a concrete suggestion here. Do you prefer this section be dropped or moved out of Design Details?

[sftim]

Check that this is right. You might mean “deprecated”.

[vinayakankugoyal]

I wasn't sure what values this can take.

But based on your feedback about using “deprecated” in the graduation criteria maybe it makes sense to change this to "removed with opt-out"?

[thockin]

We had a discussion on adding Deprecated but that PR didn't merge, let me go look for it.

[thockin]

Turns out it was waiting for me. Oops. #4898

Since we are jumping to off-by-default, I think the Stage you want is "disabled"

[vinayakankugoyal]

Gotcha, Ill wait for #4898 to be merged before updating this.

[thockin]

AFAICT nothing is validating this, so don't block on it :)

[vinayakankugoyal]

Done.

[vinayakankugoyal]

😭

"map[/home/prow/go/src/github.com/kubernetes/enhancements/keps/sig-storage/5040-remove-gitrepo-driver/kep.yaml:[getting PRR approver for diabled stage: invalid stage: diabled, should be one of [alpha beta stable]]]"

[vinayakankugoyal]

Opened #5049 to fix validation.

[sftim]

@saad-ali I support this change, but the KEP document is not not ready to merge as implementable. It needs work.

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: saad-ali, thockin, vinayakankugoyal
Once this PR has been reviewed and has the lgtm label, please ask for approval from jpbetz. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-storage/OWNERS [saad-ali]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[BenTheElder]

[took a first pass as PRR Shadow]

Independently: personal +1 for this effort overall, thank you.

[BenTheElder]

Was there a KEP for this? Did we offer any migration like CSI migration?

[vinayakankugoyal]

I don't think there was a KEP. I searched for the "glusterfs" under /keps/ and got only one hit but that KEP had nothing to do with removal.

[BenTheElder]

Noting: We do not have a conformance test for this volume type: https://github.com/kubernetes/kubernetes/blob/master/test/conformance/testdata/conformance.yaml

node_e2e tests are not conformance tests, and I think for this "feature" it's reasonable to not have one.

[vinayakankugoyal]

Hmm.. I see that the following test in node_e2e saying NodeConformance.

https://github.com/kubernetes/kubernetes/blob/b66142831a98278a21105101454edcce3ee38c42/test/e2e_node/apparmor_test.go#L50

[BenTheElder]

Presumably the user could monitor for pods being rejected?
(If there isn't a suitable signal, there's a section for that below)

[vinayakankugoyal]

We aren't removing the gitRepo volume from the API so pods won't be rejected by kube-apiserver, kubelet will fail to start them. Maybe the recommendation should be around Pods that are failing to start?

[thockin]

The VAP I have locally is a little different, perhaps @jpbetz or @cici37 can clarify which is more idiomatic or preferred? I think you started from an earlier draft of mine, because I had forgotten ReplicationController, too.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "deny-git-repo-volumes"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE"]
      resources:   ["pods"]
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["podtemplates", "replicationcontrollers"]
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["daemonsets", "deployments", "replicasets", "statefulsets"]
    - apiGroups:   ["batch"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["jobs", "cronjobs"]
  validations:
    - expression: |
        (object.kind == "Pod" &&
            object.spec.?volumes.orValue([]).all(v, !has(v.gitRepo))) ||
        (object.kind == "PodTemplate" &&
            object.template.spec.?volumes.orValue([]).all(v, !has(v.gitRepo))) ||
        (["DaemonSet","Deployment","ReplicaSet",'StatefulSet','Job','ReplicationController'].filter(kind, object.kind == kind) != [] &&
            object.spec.template.spec.?volumes.orValue([]).all(v, !has(v.gitRepo))) ||
        (object.kind == "CronJob" &&
            object.spec.jobTemplate.spec.template.spec.?volumes.orValue([]).all(v, !has(v.gitRepo)))
      message: "gitRepo volumes are forbidden"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "deny-git-repo-volumes"
spec:
  policyName: "deny-git-repo-volumes"
  validationActions: [Deny]
  # empty matchResources means match all

Your uses multiple expressions, which I am assuming is a logical AND? Mine uses postive polarity, but that results in OR.

Mine includes ReplicationController which yours misses.

[vinayakankugoyal]

The VAP I have locally is a little different, perhaps @jpbetz or @cici37 can clarify which is more idiomatic or preferred? I think you started from an earlier draft of mine, because I had forgotten ReplicationController, too.

I used this as a starting point. I looks like they forgot ReplicationController as well 😅

Your uses multiple expressions, which I am assuming is a logical AND? Mine uses postive polarity, but that results in OR.

I tend to always use multiple expression other wise things become really hard to read and yes these are ANDed. According to the documentation

"If an expression evaluates to false, the validation check is enforced according to the spec.failurePolicy field."

Also verified this with some tests.

[thockin]

Should we discuss creating a git repo to hold VAPs like this?

[vinayakankugoyal]

Should we just put the VAP in the gitRepo volume documentation here?