feat: Added Disruption control for Sandbox

vicentefb · vicentefb · commit 40162871eb32 · 2025-10-09T23:14:03.000Z
feat: added PDB to Sandbox spec

updated rbac generated file

nit

nit

refacted pdb into its own controller

nit sandbox controller test
diff --git a/api/v1alpha1/sandbox_types.go b/api/v1alpha1/sandbox_types.go
@@ -27,6 +27,10 @@ func (c ConditionType) String() string { return string(c) }
 const (
 	// SandboxConditionReady indicates readiness for Sandbox
 	SandboxConditionReady ConditionType = "Ready"
+
+	// PDBRequiredAnnotation is the annotation that the sandbox-policy-controller
+	// looks for to create a PodDisruptionBudget for a Sandbox.
+	PDBRequiredAnnotation = "policy.agents.x-k8s.io/pdb"
 )
 
 type PodMetadata struct {
diff --git a/cmd/agent-sandbox-controller/main.go b/cmd/agent-sandbox-controller/main.go
@@ -69,6 +69,12 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "Sandbox")
 		os.Exit(1)
 	}
+	if err = (&controllers.SandboxPolicyReconciler{
+		Client: mgr.GetClient(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "SandboxPolicy")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
diff --git a/codegen.go b/codegen.go
@@ -17,5 +17,5 @@
 package agentsandbox
 
 // Generate CRDs and RBAC rules
-//go:generate go tool -modfile=tools.mod sigs.k8s.io/controller-tools/cmd/controller-gen object crd:maxDescLen=0 paths="./api/..." output:crd:dir=k8s/crds output:rbac:dir=k8s rbac:roleName=agent-sandbox-controller,fileName=rbac.generated.yaml
+//go:generate go tool -modfile=tools.mod sigs.k8s.io/controller-tools/cmd/controller-gen rbac:roleName=agent-sandbox-controller,fileName=rbac.generated.yaml crd:maxDescLen=0 paths="./..." output:crd:dir=k8s/crds output:rbac:dir=k8s
 //go:generate go tool -modfile=tools.mod sigs.k8s.io/controller-tools/cmd/controller-gen object crd:maxDescLen=0 paths="./extensions/..." output:crd:dir=k8s/crds output:rbac:dir=k8s rbac:roleName=agent-sandbox-controller,fileName=rbac.generated.yaml
diff --git a/controllers/sandboxpolicy_controller.go b/controllers/sandboxpolicy_controller.go
@@ -0,0 +1,133 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	policyv1 "k8s.io/api/policy/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	sandboxv1alpha1 "sigs.k8s.io/agent-sandbox/api/v1alpha1"
+)
+
+// SandboxPolicyReconciler reconciles a Sandbox object for policy purposes
+type SandboxPolicyReconciler struct {
+	client.Client
+}
+
+const (
+	safeToEvictAnnotation = "cluster-autoscaler.kubernetes.io/safe-to-evict"
+)
+
+//+kubebuilder:rbac:groups=agents.x-k8s.io,resources=sandboxes,verbs=get;list;watch
+//+kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;patch;update
+
+func (r *SandboxPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	sandbox := &sandboxv1alpha1.Sandbox{}
+	if err := r.Get(ctx, req.NamespacedName, sandbox); err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	// Reconcile the PodDisruptionBudget
+	if err := r.reconcilePDB(ctx, sandbox); err != nil {
+		log.Error(err, "Failed to reconcile PDB")
+		return ctrl.Result{}, err
+	}
+
+	// Reconcile the safe-to-evict annotation on the Pod
+	if err := r.reconcilePodAnnotation(ctx, sandbox); err != nil {
+		log.Error(err, "Failed to reconcile Pod annotation")
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{}, nil
+}
+
+// reconcilePDB manages the PDB for a Sandbox based on its annotation.
+func (r *SandboxPolicyReconciler) reconcilePDB(ctx context.Context, sandbox *sandboxv1alpha1.Sandbox) error {
+	log := log.FromContext(ctx)
+	pdb := &policyv1.PodDisruptionBudget{}
+	pdbName := types.NamespacedName{Name: sandbox.Name, Namespace: sandbox.Namespace}
+	nameHash := NameHash(sandbox.Name)
+
+	// Check if the annotation requests a PDB
+	pdbRequested := sandbox.Annotations[sandboxv1alpha1.PDBRequiredAnnotation] == "true"
+
+	if !pdbRequested {
+		// If PDB is not requested, ensure it is deleted.
+		if err := r.Get(ctx, pdbName, pdb); err != nil {
+			return client.IgnoreNotFound(err) // PDB doesn't exist, which is correct.
+		}
+		log.Info("Deleting PDB as policy annotation is not set", "PDB.Name", pdb.Name)
+		return r.Delete(ctx, pdb)
+	}
+
+	// If PDB is requested, ensure it exists.
+	if err := r.Get(ctx, pdbName, pdb); err != nil {
+		if !k8serrors.IsNotFound(err) {
+			return fmt.Errorf("PDB Get Failed: %w", err)
+		}
+		// PDB does not exist, so create it.
+		log.Info("Creating a new PodDisruptionBudget", "PDB.Name", sandbox.Name)
+		minAvailable := intstr.FromInt(1)
+		newPDB := &policyv1.PodDisruptionBudget{
+			ObjectMeta: metav1.ObjectMeta{Name: sandbox.Name, Namespace: sandbox.Namespace},
+			Spec: policyv1.PodDisruptionBudgetSpec{
+				MinAvailable: &minAvailable,
+				Selector:     &metav1.LabelSelector{MatchLabels: map[string]string{sandboxLabel: nameHash}},
+			},
+		}
+		if err := ctrl.SetControllerReference(sandbox, newPDB, r.Scheme()); err != nil {
+			return err
+		}
+		return r.Create(ctx, newPDB)
+	}
+	return nil // PDB exists, which is correct.
+}
+
+// reconcilePodAnnotation manages the safe-to-evict annotation on the Pod.
+func (r *SandboxPolicyReconciler) reconcilePodAnnotation(ctx context.Context, sandbox *sandboxv1alpha1.Sandbox) error {
+	pod := &corev1.Pod{}
+	if err := r.Get(ctx, client.ObjectKeyFromObject(sandbox), pod); err != nil {
+		return client.IgnoreNotFound(err) // Pod may not have been created yet.
+	}
+
+	pdbRequested := sandbox.Annotations[sandboxv1alpha1.PDBRequiredAnnotation] == "true"
+	patch := client.MergeFrom(pod.DeepCopy())
+
+	if pdbRequested {
+		if pod.Annotations[safeToEvictAnnotation] == "false" {
+			return nil // Annotation is already correct.
+		}
+		if pod.Annotations == nil {
+			pod.Annotations = make(map[string]string)
+		}
+		pod.Annotations[safeToEvictAnnotation] = "false"
+	} else {
+		if _, exists := pod.Annotations[safeToEvictAnnotation]; !exists {
+			return nil // Annotation is already absent.
+		}
+		delete(pod.Annotations, safeToEvictAnnotation)
+	}
+
+	return r.Patch(ctx, pod, patch)
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *SandboxPolicyReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&sandboxv1alpha1.Sandbox{}).
+		Owns(&policyv1.PodDisruptionBudget{}).
+		Named("sandboxpolicy").
+		Complete(r)
+}
diff --git a/controllers/sandboxpolicy_controller_test.go b/controllers/sandboxpolicy_controller_test.go
@@ -0,0 +1,178 @@
+// Copyright 2025 The Kubernetes Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	policyv1 "k8s.io/api/policy/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	sandboxv1alpha1 "sigs.k8s.io/agent-sandbox/api/v1alpha1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+// TestSandboxPolicyReconciler_Reconcile covers creation and no-op scenarios.
+func TestSandboxPolicyReconciler_Reconcile(t *testing.T) {
+	sandboxName := "test-sandbox"
+	sandboxNs := "default"
+	sandboxKey := types.NamespacedName{Name: sandboxName, Namespace: sandboxNs}
+
+	// A pod that would be created by the main sandbox-controller
+	existingPod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      sandboxName,
+			Namespace: sandboxNs,
+			Labels: map[string]string{
+				// Assume this label is present for the selector to match
+				sandboxLabel: NameHash(sandboxName),
+			},
+		},
+	}
+
+	testCases := []struct {
+		name             string
+		initialSandbox   *sandboxv1alpha1.Sandbox
+		expectPDB        bool
+		expectAnnotation bool
+	}{
+		{
+			name: "should create PDB and add annotation when annotation is present",
+			initialSandbox: &sandboxv1alpha1.Sandbox{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      sandboxName,
+					Namespace: sandboxNs,
+					Annotations: map[string]string{
+						sandboxv1alpha1.PDBRequiredAnnotation: "true",
+					},
+				},
+			},
+			expectPDB:        true,
+			expectAnnotation: true,
+		},
+		{
+			name: "should do nothing when annotation is absent",
+			initialSandbox: &sandboxv1alpha1.Sandbox{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      sandboxName,
+					Namespace: sandboxNs,
+				},
+			},
+			expectPDB:        false,
+			expectAnnotation: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			fakeClient := fake.NewClientBuilder().
+				WithScheme(Scheme).
+				WithRuntimeObjects(tc.initialSandbox.DeepCopy(), existingPod.DeepCopy()).
+				Build()
+
+			r := &SandboxPolicyReconciler{Client: fakeClient}
+			req := ctrl.Request{NamespacedName: sandboxKey}
+
+			_, err := r.Reconcile(context.Background(), req)
+			require.NoError(t, err)
+
+			// Check PDB state
+			pdb := &policyv1.PodDisruptionBudget{}
+			err = r.Get(context.Background(), sandboxKey, pdb)
+			if tc.expectPDB {
+				require.NoError(t, err, "Expected PDB to be created")
+			} else {
+				require.True(t, k8serrors.IsNotFound(err), "Expected PDB to not exist")
+			}
+
+			// Check Pod annotation state
+			pod := &corev1.Pod{}
+			err = r.Get(context.Background(), sandboxKey, pod)
+			require.NoError(t, err)
+
+			_, hasAnnotation := pod.Annotations[safeToEvictAnnotation]
+			require.Equal(t, tc.expectAnnotation, hasAnnotation)
+		})
+	}
+}
+
+// TestSandboxPolicyReconciler_Cleanup tests the update/cleanup scenario.
+func TestSandboxPolicyReconciler_Cleanup(t *testing.T) {
+	sandboxName := "cleanup-sandbox"
+	sandboxNs := "default"
+	sandboxKey := types.NamespacedName{Name: sandboxName, Namespace: sandboxNs}
+
+	initialSandbox := &sandboxv1alpha1.Sandbox{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      sandboxName,
+			Namespace: sandboxNs,
+			Annotations: map[string]string{
+				sandboxv1alpha1.PDBRequiredAnnotation: "true",
+			},
+		},
+	}
+	initialPod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      sandboxName,
+			Namespace: sandboxNs,
+			Labels:    map[string]string{sandboxLabel: NameHash(sandboxName)},
+		},
+	}
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(Scheme).
+		WithRuntimeObjects(initialSandbox, initialPod).
+		Build()
+
+	r := &SandboxPolicyReconciler{Client: fakeClient}
+	req := ctrl.Request{NamespacedName: sandboxKey}
+
+	// First reconcile: Create the PDB and add annotation
+	_, err := r.Reconcile(context.Background(), req)
+	require.NoError(t, err)
+
+	// Verify PDB was created
+	pdb := &policyv1.PodDisruptionBudget{}
+	require.NoError(t, r.Get(context.Background(), sandboxKey, pdb), "PDB should exist after first reconcile")
+
+	// Verify Pod has annotation
+	pod := &corev1.Pod{}
+	require.NoError(t, r.Get(context.Background(), sandboxKey, pod))
+	require.Equal(t, "false", pod.Annotations[safeToEvictAnnotation])
+
+	// Update the Sandbox to remove the annotation
+	updatedSandbox := &sandboxv1alpha1.Sandbox{}
+	require.NoError(t, r.Get(context.Background(), sandboxKey, updatedSandbox))
+	delete(updatedSandbox.Annotations, sandboxv1alpha1.PDBRequiredAnnotation)
+	require.NoError(t, r.Update(context.Background(), updatedSandbox))
+
+	// Second reconcile: Should clean up the PDB and annotation
+	_, err = r.Reconcile(context.Background(), req)
+	require.NoError(t, err)
+
+	// Verify PDB was deleted
+	err = r.Get(context.Background(), sandboxKey, pdb)
+	require.True(t, k8serrors.IsNotFound(err), "PDB should be deleted after annotation is removed")
+
+	// Verify Pod annotation was removed
+	require.NoError(t, r.Get(context.Background(), sandboxKey, pod))
+	_, hasAnnotation := pod.Annotations[safeToEvictAnnotation]
+	require.False(t, hasAnnotation, "Pod annotation should be removed")
+}
diff --git a/examples/sandbox.yaml b/examples/sandbox.yaml
@@ -3,6 +3,9 @@ kind: Sandbox
 metadata:
   name: sandbox-example
   namespace: sandbox-ns
+  # To request a PDB
+  annotations:
+    policy.agents.x-k8s.io/pdb: "true"
 spec:
   podTemplate:
     metadata:
diff --git a/k8s/rbac.generated.yaml b/k8s/rbac.generated.yaml
@@ -38,3 +38,15 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
