Fix StatefulSet set-based selector bug

[ayushpateria]

What this PR does / why we need it:
ControllerRevisions were using selectors as the labels, in case of set-based selectors, the helper function to convert selectors to labels would break. This PR uses pod labels for ControllerRevision labels instead of selectors.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #59266

Special notes for your reviewer:
I'm trying to learn Kubernetes codebase and would be happy to make changes if anything is off.
Release note:

Fix StatefulSet to work with set-based selectors.

[lavalamp]

Please add a test :)

[lavalamp]

/assign @cheftako

[cheftako]

How do we know that the raw extension will always be json and not say protobuf?

[ayushpateria]

@cheftako Please have a look at my recent commit :)

[cheftako]

If the raw data does not parse we should not be silently swallowing that error. Additionally we clearly are missing tests for cases where either the key or value are invalid.

[ayushpateria]

Will a log warning work? I didn't want it to break like previously if the problem is only with parsing of labels, as they aren't being used anywhere anyway.

[cheftako]

We should make sure to validate both the key and value to make sure they are valid label key and label values.

[ayushpateria]

Are we required to validate key and values again? Because they must have already been validated when creating the StatefulSet (or pods).

[0xmichalis]

@kubernetes/sig-apps-pr-reviews

[enisoc]

I think we should require the caller of NewControllerRevision to provide the labels, rather than making assumptions about the contents of data.

cc @kow3ns @janetkuo

[ayushpateria]

@enisoc please check :)

[0xmichalis]

Remove this diff

[0xmichalis]

podLabels should never be nil

• The statefulset selector is required to be non-empty
• The podtemplate labels are required to match the selector.

[ayushpateria]

I had this doubt, did the check anyway to be on safer side. Removed the check now. Please see the recent commit.

[0xmichalis]

lgtm

also needs a unit test that uses a set-based selector

[ayushpateria]

@Kargakis I've modified newStatefulSet() to include a set based selector, this should ensure controller revisions don't fail when stateful sets are having set-based selectors.

[ayushpateria]

TestSortControllerRevisions was failing because of the incorrect version number (2 was being used for ss1Rev3).

[enisoc]

/ok-to-test

[ayushpateria]

/retest

[ayushpateria]

Why is pull-kubernetes-bazel-test failing? Is it a flake?

[janetkuo]

The failure looks relevant to the change made in this PR.

//pkg/controller/statefulset:go_default_test 0.00s
bazel test //pkg/controller/statefulset:go_default_test
E0219 23:03:17.207307      14 stateful_pod_control.go:125] error getting updated Pod default/foo-0 from lister: pod "foo-0" not found
Terminated

[janetkuo]

Need to make a copy here; otherwise, podLabels gets mutated when cr.Labels is mutated in L91.

[janetkuo]

And this means template labels (of the given StatefulSet) gets mutated.

[janetkuo]

CR's labels is a copy of template labels; "matching" is between selector and labels.

[janetkuo]

Name it templateLabels

[janetkuo]

templateLabels

[enisoc]

I think sel1 should remain what it was (pulling the actual selector from the StatefulSet). This selector ends up being used to list ControllerRevisions. If the selector has MatchExpressions, it's important that sel1 includes those as well.

[ayushpateria]

The selector selects ControllerRevisions on the basis of labels, earlier because the labels of controller revisions and selectors of StatefulSet were same, we could use StatefulSet selector. But now the labels of CRs are the template labels, so I changed the CR's selector to that.
Every StatefulSet selector should have a matching pod label (which is also CR's label), so I think the previous version would work as well, but it's not consistent with labels logic.

[enisoc]

It's always safe to use the StatefulSet's selector, because we ensure through validation that it selects the pod template labels. Since we now apply the pod template labels to revisions too, we can also expect that the StatefulSet's selector will match those revisions.

On the other hand, generating a selector purely from the template labels will not always give the right result. Here is a contrived example of that:

...
metadata:
  name: ss1
spec:
  selector:
    matchLabels:
      component: mything
    matchExpressions:
    - {key: role, operator: DoesNotExist}
  template:
    metadata:
      labels:
        component: mything
...
---
...
metadata:
  name: ss2
spec:
  selector:
    matchLabels:
      component: mything
      role: test
  template:
    metadata:
      labels:
        component: mything
        role: test

If you generate a selector directly from the pod template labels, ss1 would end up also selecting ss2's revisions, whereas ss1's actual selector means that it will avoid selecting ss2's pods. We want the behavior for selecting pods and revisions to be consistent with each other, so we respect the user's intention.

I called this example contrived because it's probably a bad idea for the user to do this. However, the API allows it, so we need to make sure we do the right thing.

[enisoc]

This variable isn't needed anymore since there's no conversion happening. We can just directly use the input parameter as Labels: podLabels.

Nevermind, see comment above by @janetkuo.

[ayushpateria]

podLabels is not being used anywhere later, I agree with what you struck out. Am I missing something?

[enisoc]

@janetkuo pointed out in the other thread that we mutate this map below on this line:

cr.Labels[ControllerRevisionHashLabel] = strconv.FormatInt(int64(hash), 10)

Since map types are references, this means we're mutating the map that the caller passed in to us. So it turns out we do need to make our own labelMap var after all, to hold a deep copy of podLabels. Unless you can find a utility helper for this, you'll need to just allocate a new map and then range loop over the input map to copy each entry.

[ayushpateria]

Okay, I was thinking that even if it gets mutated it's not affecting anything. But yeah, we should not mutate anything that caller passes.

[janetkuo]

it's not affecting anything

It actually mutates template labels (set.Spec.Template.Labels) the caller passes.

[ayushpateria]

Got it. Thanks.

[enisoc]

Same here.

[enisoc]

I agree that this change to the test would have prevented the exact manifestation of the bug we hit (converting a new-style, set-based selector into a string and then trying to parse it as an old-style, map-only selector). However, there are other possible manifestations of the general problem (forgetting about set-based selectors) that this test won't prevent in the future. For example, if we regress to pulling the labels from MatchLabels without converting via string format/parse, this test won't catch that.

I think we'll catch more potential regressions if we include test cases with no MatchLabels at all, so we're sure it will break if any link in the chain ignores the set-based MatchExpressions. We could do that by converting all entries in labels into MatchExpressions (instead of just the first pair), and leaving MatchLabels empty.

Also, we should leave a comment here saying that we are intentionally using a selector with empty MatchLabels to make sure MatchExpressions works as expected, to reduce the chance that someone will weaken our test in the future.

[ayushpateria]

@enisoc Updated! :)

[enisoc]

You can directly put set.Spec.Template.Labels here.

[kow3ns]

/approve

[janetkuo]

/lgtm

[enisoc]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ayushpateria, enisoc, janetkuo, kow3ns

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/controller/history/OWNERS [enisoc,janetkuo,kow3ns]
• pkg/controller/statefulset/OWNERS [enisoc,janetkuo,kow3ns]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[enisoc]

The verify failure looks like #60447. Looks like e2e-gce didn't even run.

/test pull-kubernetes-e2e-gce

[BenTheElder]

fix PR for verify merged
/test pull-kubernetes-verify

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

[lavalamp]

What happens if the selector doesn't match these labels?

[janetkuo]

Validation prevents a StatefulSet with a selector that doesn't match its own template labels from being created. apps/v1 StatefulSet's selector cannot be changed after creation.

[lavalamp]

Thanks!