Add DRA status feedback to hub-and-spoke ManifestWork#1293
Conversation
✅ Deploy Preview for kubernetes-sigs-kmm ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: TomerNewman The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cc @yevgeny-shnaidman @ybettan |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1293 +/- ##
==========================================
- Coverage 79.09% 73.67% -5.43%
==========================================
Files 51 67 +16
Lines 5109 5056 -53
==========================================
- Hits 4041 3725 -316
- Misses 882 1158 +276
+ Partials 186 173 -13 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
| func validateDRAVolumes(dra *kmmv1beta1.DRASpec) error { | ||
| if dra == nil { | ||
| return nil | ||
| } | ||
|
|
||
| for i, vol := range dra.Volumes { | ||
| if vol.HostPath != nil && !isAllowedHostPath(vol.HostPath.Path) { | ||
| return fmt.Errorf( | ||
| "spec.dra.volumes[%d]: hostPath %q is not allowed; only /dev, /sys, /var and /opt paths are permitted", | ||
| i, vol.HostPath.Path, | ||
| ) | ||
| } | ||
| } | ||
|
|
||
| return nil | ||
| } |
There was a problem hiding this comment.
What do you think about creating a shared volume checker function to be used in both devicePlugin and DRA.
The function can look something like:
func validateHostPathVolumes(fieldPath string, volumes []v1.Volume) error {
for i, vol := range volumes {
if vol.HostPath != nil && !isAllowedHostPath(vol.HostPath.Path) {
return fmt.Errorf(
"%s.volumes[%d]: hostPath %q is not allowed; only /dev, /sys, /var and /opt paths are permitted",
fieldPath, i, vol.HostPath.Path,
)
}
}
return nil
}
and then the callers boils down to
// in validateModule():
if mod.Spec.DRA != nil {
if err := validateHostPathVolumes("spec.dra", mod.Spec.DRA.Volumes); err != nil {
return nil, fmt.Errorf("failed to validate DRA volumes: %v", err)
}
}
if mod.Spec.DevicePlugin != nil {
if err := validateHostPathVolumes("spec.devicePlugin", mod.Spec.DevicePlugin.Volumes); err != nil {
return nil, fmt.Errorf("failed to validate device plugin volumes: %v", err)
}
}
Add three DRA status feedback JSON path entries (dra.availableNumber, dra.desiredNumber, dra.nodesMatchingSelectorNumber) to the ManifestWork feedback rules, mirroring the existing devicePlugin pattern. Validate DRA hostPath volumes against the same allowlist (/dev, /sys, /var, /opt) used for DevicePlugin volumes, ensuring the hub webhook rejects disallowed mounts before they reach spoke clusters.
412d715 to
4dcedf3
Compare
|
/lgtm |
|
/retest |
1 similar comment
|
/retest |
Summary
dra.availableNumber,dra.desiredNumber,dra.nodesMatchingSelectorNumber) to the ManifestWork feedback rules, mirroring the existingdevicePlugin.*pattern so DRA status is reported back from spoke to hub./dev,/sys,/var,/opt) used for DevicePlugin volumes.Changes
internal/manifestwork/manifestwork.goAdded 3
JsonPathentries for DRA status tomoduleStatusJSONPaths, maintaining alphabetical grouping betweendevicePlugin.*andmoduleLoader.*.internal/manifestwork/manifestwork_test.goAdded a
Describe("moduleStatusJSONPaths")block usingConsistOfto assert all 9 expected feedback paths (3 devicePlugin + 3 DRA + 3 moduleLoader).internal/webhook/module.goAdded
validateDRAVolumes()function and wired it intovalidateModule(). This validatesspec.dra.volumeshostPath entries against the same allowlist used for DevicePlugin, with path traversal protection viafilepath.Clean.internal/webhook/module_test.goAdded
Describe("validateDRAVolumes")with 6 test cases covering: nil DRA, no volumes, non-hostPath, allowed hostPath, disallowed hostPath, and path traversal.Test plan
go test ./internal/manifestwork/ ./internal/webhook/)dra.desiredNumber,dra.nodesMatchingSelectorNumber) flowing back to hub/etc/shadow)/dev/../etc/shadow)/dev/vfio,/sys/bus/pci)/cc @yevgeny-shnaidman @ybettan
/assign @ybettan @yevgeny-shnaidman
/uncc @mresvanis