Add StatefulSet Volume Expansion Kep

[SidakM-zz]

Add Kep for StatefulSet Volume Expansion.
Wrote this up quickly after the discussion here:
kubernetes/kubernetes#71384

Feature tracking issue: #661

Let me know if something is missing or if this is the right way to merge this 🤔

[SidakM-zz]

/assign @janetkuo

[mlmhl]

Maybe we can check if the ExpandInUsePersistentVolumes feature gate enabled, and restart the pods immediately without waiting controller side resizing finished if it is enabled.

[SidakM-zz]

Indeed we can. That would just translate into not running the following check if that feature flag in enabled in the current implementation: https://github.com/kubernetes/kubernetes/pull/71384/files#diff-988743e0eb9313bcfa8fd43ac3a0977fR229

[janetkuo]

@kubernetes/sig-apps-feature-requests @kubernetes/sig-storage-api-reviews

[janetkuo]

nit: "The StatefulSet controller will delete and recreate the pod after..."

[janetkuo]

Also, if ExpandInUsePersistentVolumes feature is enabled, we don't need to kill the pod.

[SidakM-zz]

I was looking into this right now and to not kill the pod we would have to recognize that only the the volumeClaimTemplate storage requests have been modified and ExpandInUsePersistentVolumes is enabled. This would be achieved by comparing the current and updated version of the statefulsets which are formed by applying the patches in the updateRevision and currentRevision to a representation of the statefulset (in this case it's just named set).

The issue is that the representation of the statefulset these patches are applied to seems to be the updated version of the StatefulSet. This is problematic whilst forming the current representation of the statefulset. For example, if the updated representation of the set has two labels {"label1": "value1", "label2": "value2"} while the current version only has 1 label {"label1": "value1"}. Applying the currentRevision patch yields a set with labels {"label1": "value1", "label2": "value2"} which is not the current version of the StatefulSet. This issue is problematic as it makes comparisons between the currentSet and updateSet unreliable to determine if termination of pods is required(as we are trying to achieve above).

[kow3ns]

I think we can start with destroying the Pod and recreating it. It's a trade off in that workloads that need to rebuild a large in memory working set from persistent data would greatly benefit from in place resizing. However, all other operations that operate on a StatefulSet Pod currently require that the Pod be destroyed and recreated. If we want to support in place mutation later we can do so.

[SidakM-zz]

Alright, that's also how its currently implemented in the PR so I will leave that as is. I'll make changes to this proposal to reflect that.

[janetkuo]

VolumeClaimTemplate should be recorded in the StatefulSet's ControllerRevision object as well for rollback.

[SidakM-zz]

Being done in implementation forgot to record it here 🤦‍♂️

[janetkuo]

Change should be detected by looking at the StatefulSet's ControllerRevision objects.

[SidakM-zz]

The updateSet is formed by applying the updateRevision (ControllerRevision) to the current set. That should be adequate right?

[janetkuo]

It's optional, but you can include the name of the feature gate of this new feature in this proposal, e.g. StatefulSetVolumeExpansion (just a candidate, feel free to propose other names).

[SidakM-zz]

StatefulSetVolumeExpansion sound good to me :)

[msau42]

/assign @gnufied
who is looking at potential changes to the online volume resizing feature

[gnufied]

I am not sure I like this bit. It kinda circumvents the fact that currently volume resizing is offline by default and it kinda implements a redundant mechanism that will become unnecessary when online resizing graduates to beta.

[gnufied]

At least for alpha feature I propose skipping this mechanism because once we implement this - user will come to rely on it and it will be harder to go back on it. We should also recognize the fact that certain volume types can not be resized when in-use (like AzureDisk for example). Currently this information is surfaced to the user via PVC events if a PVC can't be resized when used in a pod.

[SidakM-zz]

I am not sure I like this bit. It kinda circumvents the fact that currently volume resizing is offline by default and it kinda implements a redundant mechanism that will become unnecessary when online resizing graduates to beta.

Not sure what mechanism you are referring to here. Is it the mechanism of detecting the Alpha feature being enabled and not killing the pod? Or are you suggesting that we don't kill the pod in any case since online resizing will eventually graduate to beta.

[gnufied]

Yeah I am suggesting we skip killing the pods in stateful set controller since online resizing will eventually graduate to beta (most likely in 1.14 release itself).

[SidakM-zz]

Oh ok makes sense. I was just confused because it is killing the pod by default and a mechanism would need to be implemented to ensure that the pod is not killed at the end of the update loop*.

We should also recognize the fact that certain volume types can not be resized when in-use (like AzureDisk for example). Currently this information is surfaced to the user via PVC events if a PVC can't be resized when used in a pod.

So do we want to make an exception in this case to kill the pod from the controller or just update and let the event surface on the PVCs(and possibly add an additional indicator) ?

[kow3ns]

I'd like to start with always restarting the Pod after the volume increase request is fulfilled. (As below) the workloads controllers don't to in place updates for any other container or Pod modifications today. We can (maybe should) consider optimizing to detect and implement in place updates at a later point in time.

[kow3ns]

You need to think about the patch mechanism used to apply controller revisions and the implications to rollback (both of StatefulSets and Kubernetes API Servers) when this feature is enabled. Also, you to think about modifications to validation that are necessary to allow mutation of the VolumeClaimsTemplate and how that effects backward compatibility during upgrade. It may be necessary to relax the constraint in the API server one release prior to adding the expansion feature into StatefulSet to enable upgrade in multi-API Server clusters and to allow for safe downgrades/rollbacks.

[SidakM-zz]

In the implementation PR, the apiserver only allows increases to storageRequests if the feature is enabled (relaxing validation). Mentioned it here in this proposal.

I don't think there should be issues with backwards compatibility for the api, unless a client has (possibly inadvertently) built functionality that relied upon receiving an error response while modifying storageRequests in volumeClaimTemplates before this feature is added.

In regards to patches, for the implementation PR I just added the volumeClaimTemplates to the patch. However, rollbacks seem to be a problem since only volume expansion is supported. So rolling back to a previous revision after expanding a volume would imply the client is attempting to shrink volumes (which is unsupported). Currently the apiserver will err if the client attempts such a rollback and relay to the client that storage requests can only be increased. This can be an issue if the client has attempted a volume expansion, which for some reason failed on all PVCs, and then attempts to rollback the change. In all other cases of rolling back volume expansion changes (partial or full successes) I'm not sure if a rollback should be allowed. On the other hand, this can be problematic if the client attempts to rollback some other change but is prevented from using that functionality as they had also expanded a volumeClaimTemplate in the same or any following revision.

[gnufied]

For PVC expansion feature, we also check if expansion is explicitly enabled in SC via an admission controller. Will this be possible to do that here for Stateful sets? It looks like - if feature gate is enabled volume expansion will generally be available for all volume types which is problematic (since not all volume types support expansion).

The other tricky bit this design does not address is - how it will handle expansion of volumes that only can be expanded offline. For PVC themselves, it is not that big of deal. But for stateful sets - user must take the Pod offline before volume that the pod was using can be expanded. So in effect - will this mean scaling entire stateful set to 0?

[SidakM-zz]

The other tricky bit this design does not address is - how it will handle expansion of volumes that only can be expanded offline. For PVC themselves, it is not that big of deal. But for stateful sets - user must take the Pod offline before volume that the pod was using can be expanded. So in effect - will this mean scaling entire stateful set to 0?

As it says in the design The Statefulset controller will delete and recreate the pod after the FileSystemResizePending condition is True on all updated persistent volume claims it references.. Thus it will wait until that condition is reached before deleting the pod. This is how I have it implemented in the PR. This way the pod will continue to be available until all updated PVCs that must be expanded offline have the FileSystemResizePending condition (and be deleted and recreated after that).

Let me know if this addresses that concern.

For PVC expansion feature, we also check if expansion is explicitly enabled in SC via an admission controller. Will this be possible to do that here for Stateful sets? It looks like - if feature gate is enabled volume expansion will generally be available for all volume types which is problematic (since not all volume types support expansion).

I did see the PersistentVolumeClaimResize admission controller when initially implementing this. I wasn't sure if it would be necessary to build a similar(perhaps redundant) admission controller for a statefulset as when the statefulset controller eventually attempts to update the pvc it would catch the error sent by the admission controller and the update to the statefulset would not succeed. On the other hand building a specific admission controller for this would ensure that such an update to a statefulset is never validated.

[gnufied]

Let me know if this addresses that concern.

Hmm not entirely. Thing is for some volume types(Azure Disk for example), the volume can not be expanded via control-plane call if volume is being used. So literally no expansion can happen to volume while it is in use. The user must first detach the volume from the node before he can call Azure API call that expands the volume. So in this case - there will not be a FileSystemResizePending added to PVC because control-plane call itself has not succeeded (and will not succeed until volume is taken offline).

I wasn't sure if it would be necessary to build a similar(perhaps redundant) admission controller for a statefulset as when the statefulset controller eventually attempts to update the pvc it would catch the error sent by the admission controller and the update to the statefulset would not succeed.

I think, this is already too late. api-server has at this point "accepted" the API request that it can not fulfill. Will stateful set controller not retry PVC update if first update has failed? The idea behind rejecting the request as early as possible is - controllers shouldn't have to keep retrying it. It may be worth expanding existing admission controller to reject stateful set updates in similar fashion.

[SidakM-zz]

Thing is for some volume types(Azure Disk for example), the volume can not be expanded via control-plane call if volume is being used. So literally no expansion can happen to volume while it is in use.

Oh ok. I read through this PR and I think I get what you mean now. I see two issues with trying to get it to work with such volumes types.

1. For each pvc template in the statefulset it would now be necessary to query the api for its storage class to find the provisioner. Then it would be possible to determine how to apply the update. This is doable.

2. The statefulset controller is structured so that all updates to associated resources and the pod spec occur before the pod it deleted and recreated (as this makes sense in almost every context when updating a statefulset). However, to support the volume types above we would be required to delete the pod before its associated PVCs can be updated. This changes/breaks the flow of how the statefulset is currently updated even though it should be possible to implement.

So in effect - will this mean scaling entire stateful set to 0?

Well since there is a 1:1 map from PVC to PV monotonic updates should still be possible. (delete pod, update pvc request, wait until condition reached, restart pod).

@kow3ns how do you think this should this be addressed

[kow3ns]

Might want to add a bit more (as suggested above) about we plan to roll the feature out and how we plan to test it.

[kow3ns]

I'd also like a notional outline of GA graduation criteria. Another concern that should be addressed is that, as the modification effects a GA API, enabling by default at Beta will effectively release it globally. This should at least be called out.

[SidakM-zz]

What is a notional outline? 😅 Is it an outline which attempts to identify possible scenarios and the suggested approach to handling them?

[kow3ns]

I don't see any API changes proposed so I don't think this needs API approvers. I'd like to discuss this at SIG Apps. Generally, I think its something that is necessary to do in order to support the volume resizing feature implemented at that storage layer, and I think we should (pending a few changes) merge it as accepted and work on getting it to implementable.
@mattfarina @prydonius

[justaugustus]

Please remove any references to NEXT_KEP_NUMBER and rename the KEP to just be the draft date and KEP title.
KEP numbers will be obsolete once #703 merges.

[gnufied]

@kow3ns since this relies on relaxing an API validation, it was decided to run this by api reviewers as well.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[ayanamist]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
• Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: login-issues@jira.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[travisghansen]

/reopen

[k8s-ci-robot]

@travisghansen: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Bessonov]

/remove-lifecycle rotten

[cprivitere]

So...where is this at?

[m-yosefpor]

So...where is this at?

See here #2842