Merge pull request #343 from hime/upstream/release-9.9

Bring experimental release up to date.

Makefile

@@ -21,7 +21,8 @@ export BUILD_ARM ?= false
 BINDIR ?= $(shell pwd)/bin
 GCSFUSE_PATH ?= $(shell cat cmd/sidecar_mounter/gcsfuse_binary)
 LDFLAGS ?= -s -w -X main.version=${STAGINGVERSION} -extldflags '-static'
-PROJECT ?= $(shell gcloud config get-value project 2>&1 | head -n 1)
+# assume that a GKE cluster identifier follows the format gke_{project-name}_{location}_{cluster-name}
+PROJECT ?= $(shell kubectl config current-context | cut -d '_' -f 2)
 CA_BUNDLE ?= $(shell kubectl config view --raw -o json | jq '.clusters[]' | jq "select(.name == \"$(shell kubectl config current-context)\")" | jq '.cluster."certificate-authority-data"' | head -n 1)
 IDENTITY_PROVIDER ?= $(shell kubectl get --raw /.well-known/openid-configuration | jq -r .issuer)
 
@@ -38,6 +39,7 @@ ifneq ("$(shell docker buildx build --help | grep 'provenance')", "")
 DOCKER_BUILDX_ARGS += --provenance=false
 endif
 
+$(info PROJECT is ${PROJECT})
 $(info OVERLAY is ${OVERLAY})
 $(info STAGINGVERSION is ${STAGINGVERSION})
 $(info DRIVER_IMAGE is ${DRIVER_IMAGE})
@@ -183,9 +185,11 @@ install:
  make generate-spec-yaml OVERLAY=${OVERLAY} REGISTRY=${REGISTRY} STAGINGVERSION=${STAGINGVERSION}
  kubectl apply -f ${BINDIR}/gcs-fuse-csi-driver-specs-generated.yaml
  ./deploy/base/webhook/create-cert.sh --namespace gcs-fuse-csi-driver --service gcs-fuse-csi-driver-webhook --secret gcs-fuse-csi-driver-webhook-secret
+ ./deploy/base/webhook/manage-validating_admission_policy.sh --install
 
 uninstall:
  kubectl delete -k deploy/overlays/${OVERLAY} --wait
+ ./deploy/base/webhook/manage-validating_admission_policy.sh --uninstall
 
 generate-spec-yaml:
  mkdir -p ${BINDIR}

cmd/csi_driver/Dockerfile

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 # Build driver go binary
-FROM golang:1.22.6 AS driver-builder
+FROM golang:1.23.0 AS driver-builder
 
 ARG STAGINGVERSION
 

cmd/csi_driver/main.go

@@ -45,7 +45,7 @@ var (
  identityProvider = flag.String("identity-provider", "", "The Identity Provider to authenticate with GCS API.")
  enableProfiling = flag.Bool("enable-profiling", false, "enable the golang pprof at port 6060")
  informerResyncDurationSec = flag.Int("informer-resync-duration-sec", 1800, "informer resync duration in seconds")
- metricsEndpoint = flag.String("metrics-endpoint", "", "The TCP network address where the prometheus metrics endpoint will listen (example: `:8080`). The default is empty string, which means metrics endpoint is disabled.")
+ metricsEndpoint = flag.String("metrics-endpoint", "", "The TCP network address where the Prometheus metrics endpoint will listen (example: `:8080`). The default is empty string, which means that the metrics endpoint is disabled.")
 
  // These are set at compile time.
  version = "unknown"

cmd/sidecar_mounter/Dockerfile

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 # Build sidecar-mounter go binary
-FROM golang:1.22.6 AS sidecar-mounter-builder
+FROM golang:1.23.0 AS sidecar-mounter-builder
 
 ARG STAGINGVERSION
 

cmd/sidecar_mounter/gcsfuse_binary

@@ -1 +1 @@
-gs://gke-release-staging/gcsfuse/v2.4.0-gke.0/gcsfuse_bin
+gs://gke-release-staging/gcsfuse/v2.4.1-gke.0/gcsfuse_bin

cmd/sidecar_mounter/main.go

@@ -34,9 +34,10 @@ import (
 )
 
 var (
- gcsfusePath = flag.String("gcsfuse-path", "/gcsfuse", "gcsfuse path")
- volumeBasePath = flag.String("volume-base-path", webhook.SidecarContainerTmpVolumeMountPath+"/.volumes", "volume base path")
- _ = flag.Int("grace-period", 0, "grace period for gcsfuse termination. This flag has been deprecated, has no effect and will be removed in the future.")
+ gcsfusePath = flag.String("gcsfuse-path", "/gcsfuse", "gcsfuse path")
+ volumeBasePath = flag.String("volume-base-path", webhook.SidecarContainerTmpVolumeMountPath+"/.volumes", "volume base path")
+ metricsScrapeInterval = flag.Int("metrics-scrape-interval", 10, "Scrape interval in seconds for gcsfuse metrics endpoint.")
+ _ = flag.Int("grace-period", 0, "grace period for gcsfuse termination. This flag has been deprecated, has no effect and will be removed in the future.")
  // This is set at compile time.
  version = "unknown"
 )
@@ -62,7 +63,7 @@ func main() {
  time.Sleep(1500 * time.Millisecond)
  mc := sidecarmounter.NewMountConfig(sp)
  if mc != nil {
- if err := mounter.Mount(ctx, mc); err != nil {
+ if err := mounter.Mount(ctx, mc, *metricsScrapeInterval); err != nil {
  mc.ErrWriter.WriteMsg(fmt.Sprintf("failed to mount bucket %q for volume %q: %v\n", mc.BucketName, mc.VolumeName, err))
  }
  }

cmd/webhook/Dockerfile

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 # Build webhook go binary
-FROM golang:1.22.6 AS webhook-builder
+FROM golang:1.23.0 AS webhook-builder
 
 ARG STAGINGVERSION
 

deploy/base/webhook/manage-validating_admission_policy.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# Copyright 2018 The Kubernetes Authors.
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+usage() {
+ cat <<EOF
+Install or uninstall ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+usage: ${0} [OPTIONS]
+One of the following flags are required: --install or --uninstall
+EOF
+ exit 1
+}
+
+while [[ $# -gt 0 ]]; do
+ case ${1} in
+ --install)
+ install=true
+ ;;
+ --uninstall)
+ uninstall=true
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ shift
+done
+
+[ -z ${install} ] && install=false
+[ -z ${uninstall} ] && uninstall=false
+
+versionStr=$(kubectl version | sed -n '3p' | cut -d " " -f 3)
+
+# Extract the version number
+versionRegex="^v([0-9]+)\.([0-9]+)\.([0-9]+).*$"
+if [[ $versionStr =~ $versionRegex ]]; then
+ majorVersion=${BASH_REMATCH[1]}
+ minorVersion=${BASH_REMATCH[2]}
+
+ # Check if version is greater than or equal to 1.30
+ if (( majorVersion >= 1 && minorVersion >= 30 )) || (( majorVersion > 1 )); then
+ echo "Cluster version is greater than or equal to 1.30"
+ script_path=$(dirname "$(realpath "$0")")
+
+ if ( $install == "true" ); then
+ echo "Installing ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding"
+ kubectl apply -f "${script_path}/validating_admission_policy.yaml"
+ fi
+
+ if ( $uninstall == "true" ); then
+ echo "Uninstalling ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding"
+ kubectl delete -f "${script_path}/validating_admission_policy.yaml"
+ fi
+
+ else
+ echo "Cluster version is less than 1.30, skip ValidatingAdmissionPolicy management"
+ fi
+else
+ echo "Invalid version format: ${versionStr}"
+fi

deploy/base/webhook/validating_admission_policy.yaml

@@ -0,0 +1,60 @@
+# Copyright 2018 The Kubernetes Authors.
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "gcsfuse-sidecar-validator.csi.storage.gke.io"
+spec:
+ failurePolicy: Ignore # will not block other Pod requests
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE"]
+ matchConditions:
+ - name: "include-pods-with-gcsfuse-volumes"
+ expression: 'has(object.metadata.annotations) && "gke-gcsfuse/volumes" in object.metadata.annotations && object.metadata.annotations["gke-gcsfuse/volumes"] == "true"'
+ - name: "include-pods-with-native-sidecar"
+ expression: 'has(object.spec.initContainers) && object.spec.initContainers.exists(c, c.name == "gke-gcsfuse-sidecar")'
+ variables:
+ - name: "sidecar"
+ expression: 'object.spec.initContainers.filter(c, c.name == "gke-gcsfuse-sidecar")[0]'
+ validations:
+ - messageExpression: '"the native gcsfuse sidecar init container must have restartPolicy:Always."'
+ reason: Invalid
+ expression: |-
+ has(variables.sidecar.restartPolicy) &&
+ variables.sidecar.restartPolicy == "Always"
+ - messageExpression: '"the native gcsfuse sidecar init container must have env var NATIVE_SIDECAR with value TRUE."'
+ reason: Invalid
+ expression: |-
+ has(variables.sidecar.env) &&
+ variables.sidecar.env.exists(e, e.name == "NATIVE_SIDECAR" && e.value == "TRUE")
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "gcsfuse-sidecar-validator-binding.csi.storage.gke.io"
+spec:
+ policyName: "gcsfuse-sidecar-validator.csi.storage.gke.io"
+ validationActions: [Deny]
+ matchResources:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE"]

deploy/overlays/dev/node_pprof.yaml

@@ -31,4 +31,4 @@ spec:
  - --metrics-endpoint=:9920
  - --enable-profiling=true
  ports:
- - containerPort: 6060
+ - containerPort: 6060

docs/metrics/metrics.md

@@ -116,6 +116,7 @@ In the CSI driver, each metric record includes the following extra labels so tha
 - namespace_name
 - volume_name
 - bucket_name
+- pod_uid
 
 The Prometheus UI provides an easy interface to query and visualize metrics. See [Querying Prometheus documentation](https://prometheus.io/docs/prometheus/latest/querying/basics/) for details.