Add DeletionProtection mechanism reject Namespace deletion when PVCs are included under NS

[kevin1689-cloud]

Ⅰ. Describe what this PR does

This PR complete a feature: The DeletionProtection mechanism reject Namespace deletion when PVCs are included under NameSpace

Ⅱ. Does this pull request fix one issue?

fixes #1223

Ⅲ. Describe how to verify it

1.Create a namespace and label it with "policy.kruise.io/delete-protection=Cascading"
2.Create a pvc in that namespace
3.Try to delete the namespce, the namespace can't be deleted and show an error which tell user the reason is there are existing pvc in the namespce

Ⅳ. Special notes for reviews

None

[kruise-bot]

Welcome @kevin1689-cloud! It looks like this is your first PR to openkruise/kruise 🎉

[codecov-commenter]

Codecov Report

Merging #1228 (5e1004d) into master (8d59840) will decrease coverage by 0.04%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##           master    #1228      +/-   ##
==========================================
- Coverage   48.50%   48.46%   -0.04%     
==========================================
  Files         149      149              
  Lines       20606    20606              
==========================================
- Hits         9995     9987       -8     
- Misses       9517     9524       +7     
- Partials     1094     1095       +1     

Flag	Coverage Δ
unittests	48.46% <ø> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[zmberg]

@kevin1689-cloud good, can you can some E2E in code?

[kevin1689-cloud]

@kevin1689-cloud good, can you can some E2E in code?

Sure, l will working on that.

[zmberg]

@furykerry Is only PVC bound to PV worth protecting?

[zmberg]

@kevin1689-cloud I think PVC which unbound to pv or deleting are not worth protecting.

[kevin1689-cloud]

@kevin1689-cloud I think PVC which unbound to pv or deleting are not worth protecting.

@zmberg Got it, as the Deletion Protection mechanism is aim to enhance applications' availability, I agree with the PVC which not bound to PV is not worth protecting. I will modify my code and E2E to achieve that.

I checked kubernetes code, PVC have 3 status: Pending, Bound, Lost. So the logic is when PVC's status is in "Bound", protect the NameSpace to be delete, and when PVC is in other status, the NameSpace can be delete, is that correct?

[zmberg]

@kevin1689-cloud I think PVC which unbound to pv or deleting are not worth protecting.

@zmberg Got it, as the Deletion Protection mechanism is aim to enhance applications' availability, I agree with the PVC which not bound to PV is not worth protecting. I will modify my code and E2E to achieve that.

I checked kubernetes code, PVC have 3 status: Pending, Bound, Lost. So the logic is when PVC's status is in "Bound", protect the NameSpace to be delete, and when PVC is in other status, the NameSpace can be delete, is that correct?

Yes.

[kevin1689-cloud]

@kevin1689-cloud I think PVC which unbound to pv or deleting are not worth protecting.

@zmberg Got it, as the Deletion Protection mechanism is aim to enhance applications' availability, I agree with the PVC which not bound to PV is not worth protecting. I will modify my code and E2E to achieve that.
I checked kubernetes code, PVC have 3 status: Pending, Bound, Lost. So the logic is when PVC's status is in "Bound", protect the NameSpace to be delete, and when PVC is in other status, the NameSpace can be delete, is that correct?

Yes.

Ok.

[sonatype-lift]

SA4006: this value of pvc is never used

---

ℹ️ Expand to see all @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command	Usage
@sonatype-lift ignore	Leave out the above finding from this PR
@sonatype-lift ignoreall	Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool>	Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
_{Click here to add LiftBot to another repo.}

---

Help us improve LIFT! (Sonatype LiftBot external survey)

Was this a good recommendation for you? _{Answering this survey will not impact your Lift settings.}

[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

[sonatype-lift]

SA4006: this value of pv is never used

---

ℹ️ Expand to see all @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command	Usage
@sonatype-lift ignore	Leave out the above finding from this PR
@sonatype-lift ignoreall	Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool>	Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
_{Click here to add LiftBot to another repo.}

---

Help us improve LIFT! (Sonatype LiftBot external survey)

Was this a good recommendation for you? _{Answering this survey will not impact your Lift settings.}

[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

[sonatype-lift]

S1039: unnecessary use of fmt.Sprintf

---

ℹ️ Expand to see all @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command	Usage
@sonatype-lift ignore	Leave out the above finding from this PR
@sonatype-lift ignoreall	Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool>	Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
_{Click here to add LiftBot to another repo.}

---

Help us improve LIFT! (Sonatype LiftBot external survey)

Was this a good recommendation for you? _{Answering this survey will not impact your Lift settings.}

[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

[kevin1689-cloud]

@zmberg Done. Now namespace will be protected only when PVCs in "Bound" status are included under the namespce. The relevant E2E tests have been added. Please take a look.

[zmberg]

if pvc.deletionTimestamp == nil && pvc.Status.Phase == v1.ClaimBound {

}

[zmberg]

go imports the 'import' section.

[kevin1689-cloud]

@zmberg Done. I have made a misoperation when push the code and submitted serveral recently merged issue's code. Now I have fixed this misoperation. Please check and if there are any problem, please tell me. Thanks!

[zmberg]

/lgtm

[furykerry]

plz add DisableDeepCopy option here

[zmberg]

and add DisableDeepCopy option in list pods function again.

[kevin1689-cloud]

@furykerry @zmberg Done. Now the list pvc and list pods function is as shown below:

pvcs := v1.PersistentVolumeClaimList{}
if err := c.List(context.TODO(), &pvcs, client.InNamespace(namespace.Name), utilclient.DisableDeepCopy);

pods := v1.PodList{}
if err := c.List(context.TODO(), &pods, client.InNamespace(namespace.Name), utilclient.DisableDeepCopy);

Please take a look.

[furykerry]

/lgtm

[zmberg]

/approve

[kruise-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: zmberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [zmberg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment