chore: backport changes from upstream repo (#1138)

Author: ryanzhang-oss

pkg/controllers/updaterun/execution.go

@@ -170,13 +170,19 @@ func (r *Reconciler) executeUpdatingStage(
 		}
 
 		// Now the cluster has to be updating, the binding should point to the right resource snapshot and the binding should be bound.
-		if !isBindingSyncedWithClusterStatus(resourceSnapshotName, updateRun, binding, clusterStatus) || binding.Spec.State != placementv1beta1.BindingStateBound ||
-			!condition.IsConditionStatusTrue(meta.FindStatusCondition(binding.Status.Conditions, string(placementv1beta1.ResourceBindingRolloutStarted)), binding.Generation) {
-			unexpectedErr := controller.NewUnexpectedBehaviorError(fmt.Errorf("the updating cluster `%s` in the stage %s does not match the cluster status: %+v, binding: %+v, condition: %+v",
-				clusterStatus.ClusterName, updatingStageStatus.StageName, clusterStatus, binding.Spec, binding.GetCondition(string(placementv1beta1.ResourceBindingRolloutStarted))))
-			klog.ErrorS(unexpectedErr, "The binding has been changed during updating, please check if there's concurrent clusterStagedUpdateRun", "clusterStagedUpdateRun", updateRunRef)
-			markClusterUpdatingFailed(clusterStatus, updateRun.Generation, unexpectedErr.Error())
-			return 0, fmt.Errorf("%w: %s", errStagedUpdatedAborted, unexpectedErr.Error())
+		inSync := isBindingSyncedWithClusterStatus(resourceSnapshotName, updateRun, binding, clusterStatus)
+		rolloutStarted := condition.IsConditionStatusTrue(meta.FindStatusCondition(binding.Status.Conditions, string(placementv1beta1.ResourceBindingRolloutStarted)), binding.Generation)
+		if !inSync || !rolloutStarted || binding.Spec.State != placementv1beta1.BindingStateBound {
+			// This issue mostly happens when there are concurrent updateRuns referencing the same clusterResourcePlacement but releasing different versions.
+			// After the 1st updateRun updates the binding, and before the controller re-checks the binding status, the 2nd updateRun updates the same binding, and thus the 1st updateRun is preempted and observes the binding not matching the desired state.
+			preemptedErr := controller.NewUserError(fmt.Errorf("the clusterResourceBinding of the updating cluster `%s` in the stage `%s` is not up-to-date with the desired status, "+
+				"please check the status of binding `%s` and see if there is a concurrent updateRun referencing the same clusterResourcePlacement and updating the same cluster",
+				clusterStatus.ClusterName, updatingStageStatus.StageName, klog.KObj(binding)))
+			klog.ErrorS(preemptedErr, "The binding has been changed during updating",
+				"bindingSpecInSync", inSync, "bindingState", binding.Spec.State,
+				"bindingRolloutStarted", rolloutStarted, "binding", klog.KObj(binding), "clusterStagedUpdateRun", updateRunRef)
+			markClusterUpdatingFailed(clusterStatus, updateRun.Generation, preemptedErr.Error())
+			return 0, fmt.Errorf("%w: %s", errStagedUpdatedAborted, preemptedErr.Error())
 		}
 
 		finished, updateErr := checkClusterUpdateResult(binding, clusterStatus, updatingStageStatus, updateRun)

pkg/controllers/workapplier/metrics.go

@@ -29,7 +29,7 @@ import (
 )
 
 // Note (chenyu1):
-// the metrics for the work applier are added the assumptions that:
+// the metrics for the work applier are added under the assumptions that:
 // a) the applier should provide low-cardinality metrics only to keep the memory footprint low,
 //    as there might be a high number (up to 10K) of works/manifests to process in a member cluster; and
 // b) keep the overhead of metrics collection low, esp. considering that the applier runs in
@@ -47,6 +47,8 @@ const (
 	manifestDriftOrDiffDetectionStatusNotFound = "NotFound"
 )
 
+// trackWorkAndManifestProcessingRequestMetrics tracks the work and manifest processing request metrics.
+// It is called right after the status of the work is refreshed.
 func trackWorkAndManifestProcessingRequestMetrics(work *fleetv1beta1.Work) {
 	// Increment the work processing request counter.
 

pkg/metrics/metrics.go

@@ -93,12 +93,18 @@ var (
 	// total number of work object processing requests.
 	//
 	// The following labels are available:
-	// * apply_status: the apply status of the processing request; values can
-	//   be "applied", "failed", or "skipped".
+	// * apply_status: the apply status of the processing request; see the list of
+	//   work apply condition reasons in the work applier source code
+	//   (pkg/controller/workapplier/controller.go) for possible values.
+	//   if the work object does not need to be applied, the value is "Skipped".
 	// * availability_status: the availability check status of the processing request;
-	//   values can be "available", "unavailable", or "skipped".
+	//   see the list of availability check condition reasons in the work applier source
+	//   code (pkg/controller/workapplier/controller.go) for possible values.
+	//   if the work object does not need an availability check, the value is "Skipped".
 	// * diff_reporting_status: the diff reporting status of the processing request;
-	//   values can be "reported", "failed", or "skipped".
+	//   see the list of diff reporting condition reasons in the work applier source
+	//   code (pkg/controller/workapplier/controller.go) for possible values.
+	//   if the work object does not need a diff reporting, the value is "Skipped".
 	FleetWorkProcessingRequestsTotal = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Name: "fleet_work_processing_requests_total",
 		Help: "Total number of processing requests of work objects, including retries and periodic checks",
@@ -110,16 +116,19 @@ var (
 	// The following labels are available:
 	// * apply_status: the apply status of the processing request; see the list of
 	//   apply result types in the work applier source code for possible values.
+	//   if the manifest object does not need to be applied, the value is "Skipped".
 	// * availability_status: the availability check status of the processing request;
 	//   see the list of availability check result types in the work applier source code
 	//   for possible values.
+	//   if the manifest object does not need an availability check, the value is "Skipped".
 	// * diff_reporting_status: the diff reporting status of the processing request;
 	//   see the list of diff reporting result types in the work applier source code
 	//   for possible values.
+	//   if the manifest object does not need a diff reporting, the value is "Skipped".
 	// * drift_detection_status: the drift detection status of the processing request;
-	//   values can be "found" and "not_found".
+	//   values can be "Found" and "NotFound".
 	// * diff_detection_status: the diff detection status of the processing request;
-	//   values can be "found" and "not_found".
+	//   values can be "Found" and "NotFound".
 	FleetManifestProcessingRequestsTotal = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Name: "fleet_manifest_processing_requests_total",
 		Help: "Total number of processing requests of manifest objects, including retries and periodic checks",

pkg/utils/common.go

@@ -171,6 +171,12 @@ var (
 		Kind:    placementv1beta1.ClusterResourcePlacementKind,
 	}
 
+	ClusterResourcePlacementEvictionMetaGVK = metav1.GroupVersionKind{
+		Group:   placementv1beta1.GroupVersion.Group,
+		Version: placementv1beta1.GroupVersion.Version,
+		Kind:    placementv1beta1.ClusterResourcePlacementEvictionKind,
+	}
+
 	ConfigMapGVK = schema.GroupVersionKind{
 		Group:   corev1.GroupName,
 		Version: corev1.SchemeGroupVersion.Version,

pkg/utils/validator/clusterresourceplacementeviction.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package validator provides utils to validate ClusterResourcePlacementEviction resources.
+package validator
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/errors"
+
+	fleetv1beta1 "go.goms.io/fleet/apis/placement/v1beta1"
+)
+
+// ValidateClusterResourcePlacementForEviction validates cluster resource placement fields for eviction and returns error.
+func ValidateClusterResourcePlacementForEviction(crp fleetv1beta1.ClusterResourcePlacement) error {
+	allErr := make([]error, 0)
+
+	// Check Cluster Resource Placement is not deleting
+	if crp.DeletionTimestamp != nil {
+		allErr = append(allErr, fmt.Errorf("cluster resource placement %s is being deleted", crp.Name))
+		return errors.NewAggregate(allErr)
+	}
+	// Check Cluster Resource Placement Policy
+	if crp.Spec.Policy != nil {
+		if crp.Spec.Policy.PlacementType == fleetv1beta1.PickFixedPlacementType {
+			allErr = append(allErr, fmt.Errorf("cluster resource placement policy type %s is not supported", crp.Spec.Policy.PlacementType))
+		}
+	}
+
+	return errors.NewAggregate(allErr)
+}

pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook.go

@@ -0,0 +1,82 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package clusterresourceplacementeviction provides a validating webhook for the clusterresourceplacementeviction custom resource in the KubeFleet API group.
+package clusterresourceplacementeviction
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	fleetv1beta1 "go.goms.io/fleet/apis/placement/v1beta1"
+	"go.goms.io/fleet/pkg/utils"
+	"go.goms.io/fleet/pkg/utils/condition"
+	"go.goms.io/fleet/pkg/utils/validator"
+)
+
+var (
+	// ValidationPath is the webhook service path which admission requests are routed to for validating clusterresourceplacementeviction resources.
+	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, fleetv1beta1.GroupVersion.Group, fleetv1beta1.GroupVersion.Version, "clusterresourceplacementeviction")
+)
+
+type clusterResourcePlacementEvictionValidator struct {
+	client  client.Client
+	decoder webhook.AdmissionDecoder
+}
+
+// Add registers the webhook for K8s bulit-in object types.
+func Add(mgr manager.Manager) error {
+	hookServer := mgr.GetWebhookServer()
+	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &clusterResourcePlacementEvictionValidator{mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())}})
+	return nil
+}
+
+// Handle clusterResourcePlacementEvictionValidator checks to see if resource override is valid.
+func (v *clusterResourcePlacementEvictionValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+	var crpe fleetv1beta1.ClusterResourcePlacementEviction
+	klog.V(2).InfoS("Validating webhook handling cluster resource placement eviction", "operation", req.Operation, "clusterResourcePlacementEviction", req.Name)
+	if err := v.decoder.Decode(req, &crpe); err != nil {
+		klog.ErrorS(err, "Failed to decode cluster resource placement eviction object for validating fields", "userName", req.UserInfo.Username, "groups", req.UserInfo.Groups, "clusterResourcePlacementEviction", req.Name)
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	// Get the ClusterResourcePlacement object
+	var crp fleetv1beta1.ClusterResourcePlacement
+	if err := v.client.Get(ctx, types.NamespacedName{Name: crpe.Spec.PlacementName}, &crp); err != nil {
+		if k8serrors.IsNotFound(err) {
+			klog.V(2).InfoS(condition.EvictionInvalidMissingCRPMessage, "clusterResourcePlacementEviction", crpe.Name, "clusterResourcePlacement", crpe.Spec.PlacementName)
+			return admission.Denied(err.Error())
+		}
+		return admission.Errored(http.StatusBadRequest, fmt.Errorf("failed to get clusterResourcePlacement %s for clusterResourcePlacementEviction %s: %w", crpe.Spec.PlacementName, crpe.Name, err))
+	}
+
+	if err := validator.ValidateClusterResourcePlacementForEviction(crp); err != nil {
+		klog.V(2).ErrorS(err, "ClusterResourcePlacement has invalid fields, request is denied", "operation", req.Operation, "clusterResourcePlacementEviction", crpe.Name)
+		return admission.Denied(err.Error())
+	}
+
+	klog.V(2).InfoS("ClusterResourcePlacementEviction has valid fields", "clusterResourcePlacementEviction", crpe.Name)
+	return admission.Allowed("clusterResourcePlacementEviction has valid fields")
+}