adapt implementation to new API

The structured parameter allocation logic was written from scratch in
staging/src/k8s.io/dynamic-resource-allocation/structured. Besides the new
features (amount, admin access) and API it now supports backtracking when the
initial device selection doesn't lead to a complete allocation of all claims.

DRA: use VAP to control "admin access" permissions

The advantages of using a validation admission policy (VAP) are that no changes
are needed in Kubernetes and that admins have full flexibility if and how they
want to control which users are allowed to use "admin access" in their
requests.

The downside is that without admins taking actions, the feature is enabled
out-of-the-box in a cluster. Documentation for DRA will have to make it very
clear that something needs to be done in multi-tenant clusters.

The test/e2e/testing-manifests/dra/admin-access-policy.yaml shows how to do
this. The corresponding E2E tests ensures that it actually works as intended.

For some reason, adding the namespace to the message expression leads to a
type check errors, so it's currently commented out.

DRA kubelet: always call NodePrepareResources, even if not used

This could be useful for drivers where that call has some effect other than
injecting CDI device IDs into containers.

DRA: remove obsolete support for deterministic claim name

Now only the claim name as recorded in the pod status matters, which can be
looked up without listing claims.

DRA kubelet: extend and clean up logging

Because of a faulty E2E test, kubelet was told to contact the wrong driver for
a claim. This was not visible in the kubelet log output. Now changes to the
claim info cache are getting logged. While at it, naming of variables and some
existing log output gets harmonized.

Co-authored-by: Oksana Baranova <oksana.baranova@intel.com>
Co-authored-by: Ed Bartosh <eduard.bartosh@intel.com>

Author: 3 people

pkg/apis/resource/validation/validation.go

@@ -55,7 +55,11 @@ func validatePoolName(name string, fldPath *field.Path) field.ErrorList {
 		}
 		parts := strings.Split(name, "/")
 		for i, part := range parts {
-			allErrs = append(allErrs, corevalidation.ValidateDNS1123Subdomain(part, fldPath.Index(i))...)
+			idxPath := fldPath
+			if len(parts) > 1 {
+				idxPath = idxPath.Index(i)
+			}
+			allErrs = append(allErrs, corevalidation.ValidateDNS1123Subdomain(part, idxPath)...)
 		}
 	}
 	return allErrs
@@ -72,7 +76,9 @@ func ValidateResourceClaim(resourceClaim *resource.ResourceClaim) field.ErrorLis
 func ValidateResourceClaimUpdate(resourceClaim, oldClaim *resource.ResourceClaim) field.ErrorList {
 	allErrs := corevalidation.ValidateObjectMetaUpdate(&resourceClaim.ObjectMeta, &oldClaim.ObjectMeta, field.NewPath("metadata"))
 	allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(resourceClaim.Spec, oldClaim.Spec, field.NewPath("spec"))...)
-	// Not really necessary as the spec must have been valid before and is immutable, but let's check anyway.
+	// Because the spec is immutable, all CEL expressions in it must have been stored.
+	// If the user tries an update, this is not true and checking is less strict, but
+	// as there are errors, it doesn't matter.
 	allErrs = append(allErrs, validateResourceClaimSpec(&resourceClaim.Spec, field.NewPath("spec"), true)...)
 	return allErrs
 }
@@ -352,7 +358,7 @@ func validateDeviceRequestAllocationResult(result resource.DeviceRequestAllocati
 	var allErrs field.ErrorList
 	allErrs = append(allErrs, validateRequestNameRef(result.Request, fldPath.Child("request"), requestNames)...)
 	allErrs = append(allErrs, validateDriverName(result.Driver, fldPath.Child("driver"))...)
-	allErrs = append(allErrs, validatePoolName(result.Driver, fldPath.Child("pool"))...)
+	allErrs = append(allErrs, validatePoolName(result.Pool, fldPath.Child("pool"))...)
 	allErrs = append(allErrs, validateDeviceName(result.Device, fldPath.Child("device"))...)
 	return allErrs
 }
@@ -468,15 +474,10 @@ func validatePodSchedulingClaim(status resource.ResourceClaimSchedulingStatus, f
 	return allErrs
 }
 
-// ValidateClaimTemplace validates a ResourceClaimTemplate.
+// ValidateResourceClaimTemplate validates a ResourceClaimTemplate.
 func ValidateResourceClaimTemplate(template *resource.ResourceClaimTemplate) field.ErrorList {
-	var allErrs field.ErrorList
-	return allErrs
-}
-
-func validateResourceClaimTemplate(template *resource.ResourceClaimTemplate, stored bool) field.ErrorList {
 	allErrs := corevalidation.ValidateObjectMeta(&template.ObjectMeta, true, corevalidation.ValidateResourceClaimTemplateName, field.NewPath("metadata"))
-	allErrs = append(allErrs, validateResourceClaimTemplateSpec(&template.Spec, field.NewPath("spec"), stored)...)
+	allErrs = append(allErrs, validateResourceClaimTemplateSpec(&template.Spec, field.NewPath("spec"), false)...)
 	return allErrs
 }
 
@@ -490,7 +491,10 @@ func validateResourceClaimTemplateSpec(spec *resource.ResourceClaimTemplateSpec,
 func ValidateResourceClaimTemplateUpdate(template, oldTemplate *resource.ResourceClaimTemplate) field.ErrorList {
 	allErrs := corevalidation.ValidateObjectMetaUpdate(&template.ObjectMeta, &oldTemplate.ObjectMeta, field.NewPath("metadata"))
 	allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(template.Spec, oldTemplate.Spec, field.NewPath("spec"))...)
-	allErrs = append(allErrs, ValidateResourceClaimTemplate(template)...)
+	// Because the spec is immutable, all CEL expressions in it must have been stored.
+	// If the user tries an update, this is not true and checking is less strict, but
+	// as there are errors, it doesn't matter.
+	allErrs = append(allErrs, validateResourceClaimTemplateSpec(&template.Spec, field.NewPath("spec"), true)...)
 	return allErrs
 }
 
@@ -518,9 +522,6 @@ func ValidateResourceSliceUpdate(resourceSlice, oldResourceSlice *resource.Resou
 
 func validateResourceSliceSpec(spec, oldSpec *resource.ResourceSliceSpec, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
-	if spec.NodeName != "" {
-		allErrs = append(allErrs, validateNodeName(spec.NodeName, fldPath.Child("nodeName"))...)
-	}
 	allErrs = append(allErrs, validateDriverName(spec.Driver, fldPath.Child("driver"))...)
 	allErrs = append(allErrs, validateResourcePool(spec.Pool, fldPath.Child("pool"))...)
 	nodeSelectionFields := sets.New[string]()
@@ -556,7 +557,7 @@ func validateResourceSliceSpec(spec, oldSpec *resource.ResourceSliceSpec, fldPat
 
 func validateResourcePool(pool resource.ResourcePool, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
-	allErrs = append(allErrs, validatePoolName(pool.Name, fldPath.Child("pool"))...)
+	allErrs = append(allErrs, validatePoolName(pool.Name, fldPath.Child("name"))...)
 	if pool.ResourceSliceCount <= 0 {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("resourceSliceCount"), pool.ResourceSliceCount, "must be greater than zero"))
 	}
@@ -605,7 +606,7 @@ var (
 		`$`)
 )
 
-func validateDeviceAttributes(attribute resource.DeviceAttribute, fldPath *field.Path) field.ErrorList {
+func validateDeviceAttribute(attribute resource.DeviceAttribute, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 	numFields := 0
 	if attribute.BoolValue != nil {
@@ -635,11 +636,6 @@ func validateDeviceAttributes(attribute resource.DeviceAttribute, fldPath *field
 	return allErrs
 }
 
-func validateDeviceAttribute(attribute resource.DeviceAttribute, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-	return allErrs
-}
-
 func validateQuantity(quantity apiresource.Quantity, fldPath *field.Path) field.ErrorList {
 	// Any parsed quantity is valid.
 	return nil
@@ -722,6 +718,8 @@ func validateSet[T any, K comparable](slice []T, maxSize int, validateItem func(
 		}
 		if allItems.Has(key) {
 			allErrs = append(allErrs, field.Duplicate(childPath, key))
+		} else {
+			allItems.Insert(key)
 		}
 	}
 	return allErrs

pkg/apis/resource/validation/validation_deviceclass_test.go

@@ -0,0 +1,247 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/utils/pointer"
+)
+
+func testClass(name string) *resource.DeviceClass {
+	return &resource.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+	}
+}
+
+func TestValidateClass(t *testing.T) {
+	goodName := "foo"
+	now := metav1.Now()
+	badName := "!@#$%^"
+	badValue := "spaces not allowed"
+
+	scenarios := map[string]struct {
+		class        *resource.DeviceClass
+		wantFailures field.ErrorList
+	}{
+		"good-class": {
+			class: testClass(goodName),
+		},
+		"missing-name": {
+			wantFailures: field.ErrorList{field.Required(field.NewPath("metadata", "name"), "name or generateName is required")},
+			class:        testClass(""),
+		},
+		"bad-name": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "name"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
+			class:        testClass(badName),
+		},
+		"generate-name": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.GenerateName = "pvc-"
+				return class
+			}(),
+		},
+		"uid": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.UID = "ac051fac-2ead-46d9-b8b4-4e0fbeb7455d"
+				return class
+			}(),
+		},
+		"resource-version": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.ResourceVersion = "1"
+				return class
+			}(),
+		},
+		"generation": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Generation = 100
+				return class
+			}(),
+		},
+		"creation-timestamp": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.CreationTimestamp = now
+				return class
+			}(),
+		},
+		"deletion-grace-period-seconds": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.DeletionGracePeriodSeconds = pointer.Int64(10)
+				return class
+			}(),
+		},
+		"owner-references": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.OwnerReferences = []metav1.OwnerReference{
+					{
+						APIVersion: "v1",
+						Kind:       "pod",
+						Name:       "foo",
+						UID:        "ac051fac-2ead-46d9-b8b4-4e0fbeb7455d",
+					},
+				}
+				return class
+			}(),
+		},
+		"finalizers": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Finalizers = []string{
+					"example.com/foo",
+				}
+				return class
+			}(),
+		},
+		"managed-fields": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.ManagedFields = []metav1.ManagedFieldsEntry{
+					{
+						FieldsType: "FieldsV1",
+						Operation:  "Apply",
+						APIVersion: "apps/v1",
+						Manager:    "foo",
+					},
+				}
+				return class
+			}(),
+		},
+		"good-labels": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Labels = map[string]string{
+					"apps.kubernetes.io/name": "test",
+				}
+				return class
+			}(),
+		},
+		"bad-labels": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "labels"), badValue, "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')")},
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Labels = map[string]string{
+					"hello-world": badValue,
+				}
+				return class
+			}(),
+		},
+		"good-annotations": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Annotations = map[string]string{
+					"foo": "bar",
+				}
+				return class
+			}(),
+		},
+		"bad-annotations": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "annotations"), badName, "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')")},
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Annotations = map[string]string{
+					badName: "hello world",
+				}
+				return class
+			}(),
+		},
+		"invalid-node-selector": {
+			wantFailures: field.ErrorList{field.Required(field.NewPath("suitableNodes", "nodeSelectorTerms"), "must have at least one node selector term")},
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Spec.SuitableNodes = &core.NodeSelector{
+					// Must not be empty.
+				}
+				return class
+			}(),
+		},
+		"valid-node-selector": {
+			class: func() *resource.DeviceClass {
+				class := testClass(goodName)
+				class.Spec.SuitableNodes = &core.NodeSelector{
+					NodeSelectorTerms: []core.NodeSelectorTerm{{
+						MatchExpressions: []core.NodeSelectorRequirement{{
+							Key:      "foo",
+							Operator: core.NodeSelectorOpDoesNotExist,
+						}},
+					}},
+				}
+				return class
+			}(),
+		},
+	}
+
+	for name, scenario := range scenarios {
+		t.Run(name, func(t *testing.T) {
+			errs := ValidateDeviceClass(scenario.class)
+			assert.Equal(t, scenario.wantFailures, errs)
+		})
+	}
+}
+
+func TestValidateClassUpdate(t *testing.T) {
+	validClass := testClass(goodName)
+
+	scenarios := map[string]struct {
+		oldClass     *resource.DeviceClass
+		update       func(class *resource.DeviceClass) *resource.DeviceClass
+		wantFailures field.ErrorList
+	}{
+		"valid-no-op-update": {
+			oldClass: validClass,
+			update:   func(class *resource.DeviceClass) *resource.DeviceClass { return class },
+		},
+		"update-node-selector": {
+			oldClass: validClass,
+			update: func(class *resource.DeviceClass) *resource.DeviceClass {
+				class = class.DeepCopy()
+				class.Spec.SuitableNodes = &core.NodeSelector{
+					NodeSelectorTerms: []core.NodeSelectorTerm{{
+						MatchExpressions: []core.NodeSelectorRequirement{{
+							Key:      "foo",
+							Operator: core.NodeSelectorOpDoesNotExist,
+						}},
+					}},
+				}
+				return class
+			},
+		},
+	}
+
+	for name, scenario := range scenarios {
+		t.Run(name, func(t *testing.T) {
+			scenario.oldClass.ResourceVersion = "1"
+			errs := ValidateDeviceClassUpdate(scenario.update(scenario.oldClass.DeepCopy()), scenario.oldClass)
+			assert.Equal(t, scenario.wantFailures, errs)
+		})
+	}
+}