Merge remote-tracking branch 'cncf' into backport/v20250522

Author: michaelawyu

README.md

@@ -9,14 +9,52 @@ Azure Fleet repo contains the code that the [Azure Kubernetes Fleet Manager](htt
 
 It follows the CNCF sandbox project [KubeFleet](https://github.com/kubefleet-dev/) and most of the development is done in the [KubeFleet](https://github.com/kubefleet-dev/).
 
-## Get Involved 
-For any questions, please see the [KubeFleet discussion board](https://github.com/kubefleet-dev/kubefleet/discussions). 
+## What is KubeFleet?
+KubeFleet contains a set of Kubernetes controllers and CRDs which provide an advanced cloud-native solution for multi-cluster application management.
 
-For any issues, please open an issue in the [KubeFleet](https://github.com/kubefleet-dev/kubefleet/issues)
+Use KubeFleet to schedule workloads smartly, roll out changes progressively, and perform administrative tasks easily, across a group of Kubernetes clusters on any cloud or on-premises clusters.
 
 
-[1]:  https://img.shields.io/github/v/release/Azure/fleet
+## Quickstart
+
+* [Get started here](https://kubefleet-dev.github.io/website/docs/getting-started/kind/)
+
+## Documentation
+
+To learn more about KubeFleet go to the [KubeFleet documentation](https://kubefleet-dev.github.io/website/).
+
+## Community
+
+You can reach the KubeFleet community and developers via the following channels:
+
+* Q & A: [GitHub Discussions](https://github.com/kubefleet-dev/kubefleet/discussions)
+* Slack: [The #KubeFleet Slack channel](https://cloud-native.slack.com/archives/C08KR7589R8) 
+* Mailing list: [mailing list](https://groups.google.com/g/kubefleet-dev)
+
+## Community Meetings
+
+We host bi-weekly community meetings that alternate between US/EU and APAC friendly time. In these sessions the community will showcase demos and discuss the current and future state of the project.
+
+Please refer to the [KubeFleet CNCF meeting calendar](https://zoom-lfx.platform.linuxfoundation.org/meetings/kubefleet?view=month) for the latest schedule.
+
+For more meeting information, minutes and recordings, please see the [KubeFleet community meeting doc](https://docs.google.com/document/d/1iMcHn11fPlb9ZGoMHiGEBvdIc44W1CjZvsPH3eBg6pA/edit?usp=sharing).
+
+## Code of Conduct
+Participation in KubeFleet is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). See the [Code of Conduct](CODE_OF_CONDUCT.md) for more information.
+
+## Contributing
+
+The [contribution guide](CONTRIBUTING.md) covers everything you need to know about how you can contribute to KubeFleet.
+
+## Support
+For more information, see [SUPPORT](SUPPORT.md).
+
+
+[1]:  https://img.shields.io/github/v/release/kubefleet-dev/kubefleet
 [2]:  https://goreportcard.com/badge/go.goms.io/fleet
 [3]:  https://goreportcard.com/report/go.goms.io/fleet
 [4]:  https://codecov.io/gh/Azure/fleet/branch/main/graph/badge.svg?token=D3mtbzACjC
-[5]:  https://img.shields.io/github/go-mod/go-version/Azure/fleet
+[5]:  https://img.shields.io/github/go-mod/go-version/kubefleet-dev/kubefleet
+
+Copyright The KubeFleet Authors.
+The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see [Trademark Usage](https://www.linuxfoundation.org/trademark-usage/).

pkg/controllers/updaterun/execution.go

@@ -170,13 +170,19 @@ func (r *Reconciler) executeUpdatingStage(
 		}
 
 		// Now the cluster has to be updating, the binding should point to the right resource snapshot and the binding should be bound.
-		if !isBindingSyncedWithClusterStatus(resourceSnapshotName, updateRun, binding, clusterStatus) || binding.Spec.State != placementv1beta1.BindingStateBound ||
-			!condition.IsConditionStatusTrue(meta.FindStatusCondition(binding.Status.Conditions, string(placementv1beta1.ResourceBindingRolloutStarted)), binding.Generation) {
-			unexpectedErr := controller.NewUnexpectedBehaviorError(fmt.Errorf("the updating cluster `%s` in the stage %s does not match the cluster status: %+v, binding: %+v, condition: %+v",
-				clusterStatus.ClusterName, updatingStageStatus.StageName, clusterStatus, binding.Spec, binding.GetCondition(string(placementv1beta1.ResourceBindingRolloutStarted))))
-			klog.ErrorS(unexpectedErr, "The binding has been changed during updating, please check if there's concurrent clusterStagedUpdateRun", "clusterStagedUpdateRun", updateRunRef)
-			markClusterUpdatingFailed(clusterStatus, updateRun.Generation, unexpectedErr.Error())
-			return 0, fmt.Errorf("%w: %s", errStagedUpdatedAborted, unexpectedErr.Error())
+		inSync := isBindingSyncedWithClusterStatus(resourceSnapshotName, updateRun, binding, clusterStatus)
+		rolloutStarted := condition.IsConditionStatusTrue(meta.FindStatusCondition(binding.Status.Conditions, string(placementv1beta1.ResourceBindingRolloutStarted)), binding.Generation)
+		if !inSync || !rolloutStarted || binding.Spec.State != placementv1beta1.BindingStateBound {
+			// This issue mostly happens when there are concurrent updateRuns referencing the same clusterResourcePlacement but releasing different versions.
+			// After the 1st updateRun updates the binding, and before the controller re-checks the binding status, the 2nd updateRun updates the same binding, and thus the 1st updateRun is preempted and observes the binding not matching the desired state.
+			preemptedErr := controller.NewUserError(fmt.Errorf("the clusterResourceBinding of the updating cluster `%s` in the stage `%s` is not up-to-date with the desired status, "+
+				"please check the status of binding `%s` and see if there is a concurrent updateRun referencing the same clusterResourcePlacement and updating the same cluster",
+				clusterStatus.ClusterName, updatingStageStatus.StageName, klog.KObj(binding)))
+			klog.ErrorS(preemptedErr, "The binding has been changed during updating",
+				"bindingSpecInSync", inSync, "bindingState", binding.Spec.State,
+				"bindingRolloutStarted", rolloutStarted, "binding", klog.KObj(binding), "clusterStagedUpdateRun", updateRunRef)
+			markClusterUpdatingFailed(clusterStatus, updateRun.Generation, preemptedErr.Error())
+			return 0, fmt.Errorf("%w: %s", errStagedUpdatedAborted, preemptedErr.Error())
 		}
 
 		finished, updateErr := checkClusterUpdateResult(binding, clusterStatus, updatingStageStatus, updateRun)

pkg/controllers/workapplier/metrics.go

@@ -29,7 +29,7 @@ import (
 )
 
 // Note (chenyu1):
-// the metrics for the work applier are added the assumptions that:
+// the metrics for the work applier are added under the assumptions that:
 // a) the applier should provide low-cardinality metrics only to keep the memory footprint low,
 //    as there might be a high number (up to 10K) of works/manifests to process in a member cluster; and
 // b) keep the overhead of metrics collection low, esp. considering that the applier runs in
@@ -47,6 +47,8 @@ const (
 	manifestDriftOrDiffDetectionStatusNotFound = "NotFound"
 )
 
+// trackWorkAndManifestProcessingRequestMetrics tracks the work and manifest processing request metrics.
+// It is called right after the status of the work is refreshed.
 func trackWorkAndManifestProcessingRequestMetrics(work *fleetv1beta1.Work) {
 	// Increment the work processing request counter.
 

pkg/metrics/metrics.go

@@ -93,12 +93,18 @@ var (
 	// total number of work object processing requests.
 	//
 	// The following labels are available:
-	// * apply_status: the apply status of the processing request; values can
-	//   be "applied", "failed", or "skipped".
+	// * apply_status: the apply status of the processing request; see the list of
+	//   work apply condition reasons in the work applier source code
+	//   (pkg/controller/workapplier/controller.go) for possible values.
+	//   if the work object does not need to be applied, the value is "Skipped".
 	// * availability_status: the availability check status of the processing request;
-	//   values can be "available", "unavailable", or "skipped".
+	//   see the list of availability check condition reasons in the work applier source
+	//   code (pkg/controller/workapplier/controller.go) for possible values.
+	//   if the work object does not need an availability check, the value is "Skipped".
 	// * diff_reporting_status: the diff reporting status of the processing request;
-	//   values can be "reported", "failed", or "skipped".
+	//   see the list of diff reporting condition reasons in the work applier source
+	//   code (pkg/controller/workapplier/controller.go) for possible values.
+	//   if the work object does not need a diff reporting, the value is "Skipped".
 	FleetWorkProcessingRequestsTotal = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Name: "fleet_work_processing_requests_total",
 		Help: "Total number of processing requests of work objects, including retries and periodic checks",
@@ -110,16 +116,19 @@ var (
 	// The following labels are available:
 	// * apply_status: the apply status of the processing request; see the list of
 	//   apply result types in the work applier source code for possible values.
+	//   if the manifest object does not need to be applied, the value is "Skipped".
 	// * availability_status: the availability check status of the processing request;
 	//   see the list of availability check result types in the work applier source code
 	//   for possible values.
+	//   if the manifest object does not need an availability check, the value is "Skipped".
 	// * diff_reporting_status: the diff reporting status of the processing request;
 	//   see the list of diff reporting result types in the work applier source code
 	//   for possible values.
+	//   if the manifest object does not need a diff reporting, the value is "Skipped".
 	// * drift_detection_status: the drift detection status of the processing request;
-	//   values can be "found" and "not_found".
+	//   values can be "Found" and "NotFound".
 	// * diff_detection_status: the diff detection status of the processing request;
-	//   values can be "found" and "not_found".
+	//   values can be "Found" and "NotFound".
 	FleetManifestProcessingRequestsTotal = prometheus.NewCounterVec(prometheus.CounterOpts{
 		Name: "fleet_manifest_processing_requests_total",
 		Help: "Total number of processing requests of manifest objects, including retries and periodic checks",

pkg/utils/common.go

@@ -171,6 +171,12 @@ var (
 		Kind:    placementv1beta1.ClusterResourcePlacementKind,
 	}
 
+	ClusterResourcePlacementEvictionMetaGVK = metav1.GroupVersionKind{
+		Group:   placementv1beta1.GroupVersion.Group,
+		Version: placementv1beta1.GroupVersion.Version,
+		Kind:    placementv1beta1.ClusterResourcePlacementEvictionKind,
+	}
+
 	ConfigMapGVK = schema.GroupVersionKind{
 		Group:   corev1.GroupName,
 		Version: corev1.SchemeGroupVersion.Version,

pkg/utils/validator/clusterresourceplacementeviction.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package validator provides utils to validate ClusterResourcePlacementEviction resources.
+package validator
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/errors"
+
+	fleetv1beta1 "go.goms.io/fleet/apis/placement/v1beta1"
+)
+
+// ValidateClusterResourcePlacementForEviction validates cluster resource placement fields for eviction and returns error.
+func ValidateClusterResourcePlacementForEviction(crp fleetv1beta1.ClusterResourcePlacement) error {
+	allErr := make([]error, 0)
+
+	// Check Cluster Resource Placement is not deleting
+	if crp.DeletionTimestamp != nil {
+		allErr = append(allErr, fmt.Errorf("cluster resource placement %s is being deleted", crp.Name))
+		return errors.NewAggregate(allErr)
+	}
+	// Check Cluster Resource Placement Policy
+	if crp.Spec.Policy != nil {
+		if crp.Spec.Policy.PlacementType == fleetv1beta1.PickFixedPlacementType {
+			allErr = append(allErr, fmt.Errorf("cluster resource placement policy type %s is not supported", crp.Spec.Policy.PlacementType))
+		}
+	}
+
+	return errors.NewAggregate(allErr)
+}

pkg/webhook/clusterresourceplacementeviction/clusterresourceplacementeviction_validating_webhook.go

@@ -0,0 +1,82 @@
+/*
+Copyright 2025 The KubeFleet Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package clusterresourceplacementeviction provides a validating webhook for the clusterresourceplacementeviction custom resource in the KubeFleet API group.
+package clusterresourceplacementeviction
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	fleetv1beta1 "go.goms.io/fleet/apis/placement/v1beta1"
+	"go.goms.io/fleet/pkg/utils"
+	"go.goms.io/fleet/pkg/utils/condition"
+	"go.goms.io/fleet/pkg/utils/validator"
+)
+
+var (
+	// ValidationPath is the webhook service path which admission requests are routed to for validating clusterresourceplacementeviction resources.
+	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, fleetv1beta1.GroupVersion.Group, fleetv1beta1.GroupVersion.Version, "clusterresourceplacementeviction")
+)
+
+type clusterResourcePlacementEvictionValidator struct {
+	client  client.Client
+	decoder webhook.AdmissionDecoder
+}
+
+// Add registers the webhook for K8s bulit-in object types.
+func Add(mgr manager.Manager) error {
+	hookServer := mgr.GetWebhookServer()
+	hookServer.Register(ValidationPath, &webhook.Admission{Handler: &clusterResourcePlacementEvictionValidator{mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())}})
+	return nil
+}
+
+// Handle clusterResourcePlacementEvictionValidator checks to see if resource override is valid.
+func (v *clusterResourcePlacementEvictionValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+	var crpe fleetv1beta1.ClusterResourcePlacementEviction
+	klog.V(2).InfoS("Validating webhook handling cluster resource placement eviction", "operation", req.Operation, "clusterResourcePlacementEviction", req.Name)
+	if err := v.decoder.Decode(req, &crpe); err != nil {
+		klog.ErrorS(err, "Failed to decode cluster resource placement eviction object for validating fields", "userName", req.UserInfo.Username, "groups", req.UserInfo.Groups, "clusterResourcePlacementEviction", req.Name)
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	// Get the ClusterResourcePlacement object
+	var crp fleetv1beta1.ClusterResourcePlacement
+	if err := v.client.Get(ctx, types.NamespacedName{Name: crpe.Spec.PlacementName}, &crp); err != nil {
+		if k8serrors.IsNotFound(err) {
+			klog.V(2).InfoS(condition.EvictionInvalidMissingCRPMessage, "clusterResourcePlacementEviction", crpe.Name, "clusterResourcePlacement", crpe.Spec.PlacementName)
+			return admission.Denied(err.Error())
+		}
+		return admission.Errored(http.StatusBadRequest, fmt.Errorf("failed to get clusterResourcePlacement %s for clusterResourcePlacementEviction %s: %w", crpe.Spec.PlacementName, crpe.Name, err))
+	}
+
+	if err := validator.ValidateClusterResourcePlacementForEviction(crp); err != nil {
+		klog.V(2).ErrorS(err, "ClusterResourcePlacement has invalid fields, request is denied", "operation", req.Operation, "clusterResourcePlacementEviction", crpe.Name)
+		return admission.Denied(err.Error())
+	}
+
+	klog.V(2).InfoS("ClusterResourcePlacementEviction has valid fields", "clusterResourcePlacementEviction", crpe.Name)
+	return admission.Allowed("clusterResourcePlacementEviction has valid fields")
+}