Add support for volumeClaimTemplates

Author: barney-s

Makefile

@@ -12,7 +12,7 @@ build:
 KIND_CLUSTER=agent-sandbox
 
 .PHONY: deploy-kind
-deploy-kind:
+deploy-kind: all
 	kind get clusters | grep ${KIND_CLUSTER} || kind create cluster --name ${KIND_CLUSTER}
 	./dev/tools/push-images --image-prefix=kind.local/ --kind-cluster-name=${KIND_CLUSTER}
 	./dev/tools/deploy-to-kube --image-prefix=kind.local/

api/v1alpha1/sandbox_types.go

@@ -58,6 +58,17 @@ type PodTemplate struct {
 	ObjectMeta PodMetadata `json:"metadata" protobuf:"bytes,3,opt,name=metadata"`
 }
 
+type PersistentVolumeClaimTemplate struct {
+	// Metadata is the Pod's metadata. Only labels and annotations are used.
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// +kubebuilder:validation:Optional
+	ObjectMeta metav1.ObjectMeta `json:"metadata" protobuf:"bytes,3,opt,name=metadata"`
+
+	// Spec is the Pod's spec
+	// +kubebuilder:validation:Required
+	Spec corev1.PersistentVolumeClaimSpec `json:"spec" protobuf:"bytes,3,opt,name=spec"`
+}
+
 // SandboxSpec defines the desired state of Sandbox
 type SandboxSpec struct {
 	// The following markers will use OpenAPI v3 schema to validate the value
@@ -66,6 +77,12 @@ type SandboxSpec struct {
 	// PodTemplate describes the pod spec that will be used to create an agent sandbox.
 	// +kubebuilder:validation:Required
 	PodTemplate PodTemplate `json:"podTemplate" protobuf:"bytes,3,opt,name=podTemplate"`
+
+	// VolumeClaimTemplates is a list of claims that the sandbox pod is allowed to reference.
+	// Every claim in this list must have at least one matching access mode with a provisioner volume.
+	// +optional
+	// +kubebuilder:validation:Optional
+	VolumeClaimTemplates []PersistentVolumeClaimTemplate `json:"volumeClaimTemplates,omitempty" protobuf:"bytes,4,rep,name=volumeClaimTemplates"`
 }
 
 // SandboxStatus defines the observed state of Sandbox.

api/v1alpha1/zz_generated.deepcopy.go

@@ -52,6 +52,7 @@ type SandboxReconciler struct {
 
 //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -86,9 +87,13 @@ func (r *SandboxReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 
 	var allErrors error
 
+	// Reconcile PVCs
+	err := r.reconcilePVCs(ctx, sandbox)
+	allErrors = errors.Join(allErrors, err)
+
 	// Reconcile Pod
 	pod, err := r.reconcilePod(ctx, sandbox, nameHash)
-	allErrors = errors.Join(err)
+	allErrors = errors.Join(allErrors, err)
 
 	// Reconcile Service
 	svc, err := r.reconcileService(ctx, sandbox, nameHash)
@@ -259,14 +264,27 @@ func (r *SandboxReconciler) reconcilePod(ctx context.Context, sandbox *sandboxv1
 		annotations[k] = v
 	}
 
+	mutatedSpec := sandbox.Spec.PodTemplate.Spec.DeepCopy()
+
+	for _, pvcTemplate := range sandbox.Spec.VolumeClaimTemplates {
+		pvcName := pvcTemplate.ObjectMeta.Name + "-" + sandbox.Name
+		mutatedSpec.Volumes = append(mutatedSpec.Volumes, corev1.Volume{
+			Name: pvcTemplate.ObjectMeta.Name,
+			VolumeSource: corev1.VolumeSource{
+				PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+					ClaimName: pvcName,
+				},
+			},
+		})
+	}
 	pod = &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        sandbox.Name,
 			Namespace:   sandbox.Namespace,
 			Labels:      labels,
 			Annotations: annotations,
 		},
-		Spec: sandbox.Spec.PodTemplate.Spec,
+		Spec: *mutatedSpec,
 	}
 	pod.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Pod"))
 	if err := ctrl.SetControllerReference(sandbox, pod, r.Scheme); err != nil {
@@ -280,6 +298,38 @@ func (r *SandboxReconciler) reconcilePod(ctx context.Context, sandbox *sandboxv1
 	return pod, nil
 }
 
+func (r *SandboxReconciler) reconcilePVCs(ctx context.Context, sandbox *sandboxv1alpha1.Sandbox) error {
+	log := log.FromContext(ctx)
+	for _, pvcTemplate := range sandbox.Spec.VolumeClaimTemplates {
+		pvc := &corev1.PersistentVolumeClaim{}
+		pvcName := pvcTemplate.ObjectMeta.Name + "-" + sandbox.Name
+		err := r.Get(ctx, types.NamespacedName{Name: pvcName, Namespace: sandbox.Namespace}, pvc)
+		if err != nil {
+			if k8serrors.IsNotFound(err) {
+				log.Info("Creating a new PVC", "PVC.Namespace", sandbox.Namespace, "PVC.Name", pvcName)
+				pvc = &corev1.PersistentVolumeClaim{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      pvcName,
+						Namespace: sandbox.Namespace,
+					},
+					Spec: pvcTemplate.Spec,
+				}
+				if err := ctrl.SetControllerReference(sandbox, pvc, r.Scheme); err != nil {
+					return fmt.Errorf("SetControllerReference for PVC failed: %w", err)
+				}
+				if err := r.Create(ctx, pvc, client.FieldOwner("sandbox-controller")); err != nil {
+					log.Error(err, "Failed to create PVC", "PVC.Namespace", sandbox.Namespace, "PVC.Name", pvcName)
+					return err
+				}
+			} else {
+				log.Error(err, "Failed to get PVC")
+				return fmt.Errorf("PVC Get Failed: %w", err)
+			}
+		}
+	}
+	return nil
+}
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *SandboxReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	labelSelectorPredicate, err := predicate.LabelSelectorPredicate(metav1.LabelSelector{

controllers/sandbox_controller.go

@@ -14,3 +14,14 @@ spec:
       - name: my-container
         image: busybox
         command: ["/bin/sh", "-c", "sleep 3600"]
+        volumeMounts:
+        - name: my-pvc
+          mountPath: /my-data
+  volumeClaimTemplates:
+  - metadata:
+      name: my-pvc
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 1Gi

examples/sandbox.yaml

@@ -3814,6 +3814,104 @@ spec:
                 required:
                 - spec
                 type: object
+              volumeClaimTemplates:
+                items:
+                  properties:
+                    metadata:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    spec:
+                      properties:
+                        accessModes:
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                        dataSource:
+                          properties:
+                            apiGroup:
+                              type: string
+                            kind:
+                              type: string
+                            name:
+                              type: string
+                          required:
+                          - kind
+                          - name
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        dataSourceRef:
+                          properties:
+                            apiGroup:
+                              type: string
+                            kind:
+                              type: string
+                            name:
+                              type: string
+                            namespace:
+                              type: string
+                          required:
+                          - kind
+                          - name
+                          type: object
+                        resources:
+                          properties:
+                            limits:
+                              additionalProperties:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              type: object
+                            requests:
+                              additionalProperties:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                              type: object
+                          type: object
+                        selector:
+                          properties:
+                            matchExpressions:
+                              items:
+                                properties:
+                                  key:
+                                    type: string
+                                  operator:
+                                    type: string
+                                  values:
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        storageClassName:
+                          type: string
+                        volumeAttributesClassName:
+                          type: string
+                        volumeMode:
+                          type: string
+                        volumeName:
+                          type: string
+                      type: object
+                  required:
+                  - spec
+                  type: object
+                type: array
             required:
             - podTemplate
             type: object

k8s/crds/agents.x-k8s.io_sandboxes.yaml

@@ -7,6 +7,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - persistentvolumeclaims
   - pods
   - services
   verbs: