fix: continue to propagate PVC when workload is not enabled (#368)

ryanzhang-oss · web-flow · commit 6862d17d0874 · 2025-12-08T12:58:32.000-08:00
diff --git a/cmd/hubagent/workload/setup.go b/cmd/hubagent/workload/setup.go
@@ -168,6 +168,7 @@ func SetupControllers(ctx context.Context, wg *sync.WaitGroup, mgr ctrl.Manager,
 		UncachedReader:                          mgr.GetAPIReader(),
 		ResourceSnapshotCreationMinimumInterval: opts.ResourceSnapshotCreationMinimumInterval,
 		ResourceChangesCollectionDuration:       opts.ResourceChangesCollectionDuration,
+		EnableWorkload:                          opts.EnableWorkload,
 	}
 
 	rateLimiter := options.DefaultControllerRateLimiter(opts.RateLimiterOpts)
@@ -507,6 +508,7 @@ func SetupControllers(ctx context.Context, wg *sync.WaitGroup, mgr ctrl.Manager,
 		SkippedNamespaces:                         skippedNamespaces,
 		ConcurrentPlacementWorker:                 int(math.Ceil(float64(opts.MaxConcurrentClusterPlacement) / 10)),
 		ConcurrentResourceChangeWorker:            opts.ConcurrentResourceChangeSyncs,
+		EnableWorkload:                            opts.EnableWorkload,
 	}
 
 	if err := mgr.Add(resourceChangeDetector); err != nil {
diff --git a/pkg/controllers/placement/controller.go b/pkg/controllers/placement/controller.go
@@ -94,6 +94,9 @@ type Reconciler struct {
 
 	// ResourceChangesCollectionDuration is the duration for collecting resource changes into one snapshot.
 	ResourceChangesCollectionDuration time.Duration
+
+	// EnableWorkload indicates whether workloads are allowed to run on the hub cluster.
+	EnableWorkload bool
 }
 
 func (r *Reconciler) Reconcile(ctx context.Context, key controller.QueueKey) (ctrl.Result, error) {
diff --git a/pkg/controllers/placement/resource_selector.go b/pkg/controllers/placement/resource_selector.go
@@ -294,7 +294,7 @@ func (r *Reconciler) shouldPropagateObj(namespace, placementName string, obj run
 		return false, nil
 	}
 
-	shouldInclude, err := utils.ShouldPropagateObj(r.InformerManager, uObj)
+	shouldInclude, err := utils.ShouldPropagateObj(r.InformerManager, uObj, r.EnableWorkload)
 	if err != nil {
 		klog.ErrorS(err, "Cannot determine if we should propagate an object", "namespace", namespace, "placement", placementName, "object", uObjKObj)
 		return false, err
diff --git a/pkg/resourcewatcher/change_dector.go b/pkg/resourcewatcher/change_dector.go
@@ -84,6 +84,9 @@ type ChangeDetector struct {
 	// ConcurrentResourceChangeWorker is the number of resource change work that are
 	// allowed to sync concurrently.
 	ConcurrentResourceChangeWorker int
+
+	// EnableWorkload indicates whether workloads are allowed to run on the hub cluster.
+	EnableWorkload bool
 }
 
 // Start runs the detector, never stop until stopCh closed. This is called by the controller manager.
@@ -189,7 +192,7 @@ func (d *ChangeDetector) dynamicResourceFilter(obj interface{}) bool {
 	}
 
 	if unstructuredObj, ok := obj.(*unstructured.Unstructured); ok {
-		shouldPropagate, err := utils.ShouldPropagateObj(d.InformerManager, unstructuredObj.DeepCopy())
+		shouldPropagate, err := utils.ShouldPropagateObj(d.InformerManager, unstructuredObj.DeepCopy(), d.EnableWorkload)
 		if err != nil || !shouldPropagate {
 			klog.V(5).InfoS("Skip watching resource in namespace", "namespace", cwKey.Namespace,
 				"group", cwKey.Group, "version", cwKey.Version, "kind", cwKey.Kind, "object", cwKey.Name)
diff --git a/pkg/utils/common.go b/pkg/utils/common.go
@@ -505,29 +505,30 @@ func CheckCRDInstalled(discoveryClient discovery.DiscoveryInterface, gvk schema.
 	return err
 }
 
-// ShouldPropagateObj decides if one should propagate the object
-func ShouldPropagateObj(informerManager informer.Manager, uObj *unstructured.Unstructured) (bool, error) {
+// ShouldPropagateObj decides if one should propagate the object.
+// PVCs are only propagated when enableWorkload is false (workloads not allowed on hub).
+func ShouldPropagateObj(informerManager informer.Manager, uObj *unstructured.Unstructured, enableWorkload bool) (bool, error) {
 	// TODO:  add more special handling for different resource kind
 	switch uObj.GroupVersionKind() {
 	case appv1.SchemeGroupVersion.WithKind(ReplicaSetKind):
-		// Skip ReplicaSets if they are managed by Deployments (have owner references)
-		// Standalone ReplicaSets (without owners) can be propagated
+		// Skip ReplicaSets if they are managed by Deployments (have owner references).
+		// Standalone ReplicaSets (without owners) can be propagated.
 		if len(uObj.GetOwnerReferences()) > 0 {
 			return false, nil
 		}
 	case appv1.SchemeGroupVersion.WithKind("ControllerRevision"):
-		// Skip ControllerRevisions if they are managed by DaemonSets/StatefulSets (have owner references)
-		// These are automatically created by controllers and will be recreated on member clusters
+		// Skip ControllerRevisions if they are managed by DaemonSets/StatefulSets (have owner references).
+		// Standalone ControllerRevisions (without owners) can be propagated.
 		if len(uObj.GetOwnerReferences()) > 0 {
 			return false, nil
 		}
 	case corev1.SchemeGroupVersion.WithKind(ConfigMapKind):
-		// Skip the built-in custom CA certificate created in the namespace
+		// Skip the built-in custom CA certificate created in the namespace.
 		if uObj.GetName() == "kube-root-ca.crt" {
 			return false, nil
 		}
 	case corev1.SchemeGroupVersion.WithKind("ServiceAccount"):
-		// Skip the default service account created in the namespace
+		// Skip the default service account created in the namespace.
 		if uObj.GetName() == "default" {
 			return false, nil
 		}
@@ -542,8 +543,11 @@ func ShouldPropagateObj(informerManager informer.Manager, uObj *unstructured.Uns
 			return false, nil
 		}
 	case corev1.SchemeGroupVersion.WithKind("PersistentVolumeClaim"):
-		// Skip PersistentVolumeClaims to avoid conflicts with the PVCs created by statefulset controller
-		return false, nil
+		// Skip PersistentVolumeClaims by default to avoid conflicts with the PVCs created by statefulset controller.
+		// This only happens if the workloads are allowed to run on the hub cluster.
+		if enableWorkload {
+			return false, nil
+		}
 	case corev1.SchemeGroupVersion.WithKind("Endpoints"):
 		// we assume that all endpoints with the same name of a service is created by the service controller
 		if _, err := informerManager.Lister(ServiceGVR).ByNamespace(uObj.GetNamespace()).Get(uObj.GetName()); err != nil {
diff --git a/pkg/utils/common_test.go b/pkg/utils/common_test.go
@@ -1191,11 +1191,12 @@ func TestIsDiffedResourcePlacementEqual(t *testing.T) {
 	}
 }
 
-func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
+func TestShouldPropagateObj(t *testing.T) {
 	tests := []struct {
 		name            string
 		obj             map[string]interface{}
 		ownerReferences []metav1.OwnerReference
+		enableWorkload  bool
 		want            bool
 	}{
 		{
@@ -1209,6 +1210,21 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 				},
 			},
 			ownerReferences: nil,
+			enableWorkload:  true,
+			want:            true,
+		},
+		{
+			name: "standalone replicaset without ownerReferences should propagate if workload is disabled",
+			obj: map[string]interface{}{
+				"apiVersion": "apps/v1",
+				"kind":       "ReplicaSet",
+				"metadata": map[string]interface{}{
+					"name":      "standalone-rs",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: nil,
+			enableWorkload:  false,
 			want:            true,
 		},
 		{
@@ -1222,6 +1238,7 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 				},
 			},
 			ownerReferences: nil,
+			enableWorkload:  true,
 			want:            true,
 		},
 		{
@@ -1242,7 +1259,8 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 					UID:        "12345",
 				},
 			},
-			want: false,
+			enableWorkload: true,
+			want:           false,
 		},
 		{
 			name: "pod owned by replicaset - passes ShouldPropagateObj but filtered by resource config",
@@ -1262,7 +1280,8 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 					UID:        "67890",
 				},
 			},
-			want: true, // ShouldPropagateObj doesn't filter Pods - they're filtered by NewResourceConfig
+			enableWorkload: false,
+			want:           true, // ShouldPropagateObj doesn't filter Pods - they're filtered by NewResourceConfig
 		},
 		{
 			name: "controllerrevision owned by daemonset should NOT propagate",
@@ -1282,7 +1301,8 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 					UID:        "abcdef",
 				},
 			},
-			want: false,
+			enableWorkload: false,
+			want:           false,
 		},
 		{
 			name: "controllerrevision owned by statefulset should NOT propagate",
@@ -1302,7 +1322,8 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 					UID:        "fedcba",
 				},
 			},
-			want: false,
+			enableWorkload: false,
+			want:           false,
 		},
 		{
 			name: "standalone controllerrevision without owner should propagate",
@@ -1315,10 +1336,25 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 				},
 			},
 			ownerReferences: nil,
+			enableWorkload:  false,
+			want:            true,
+		},
+		{
+			name: "PVC should propagate when workload is disabled",
+			obj: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "PersistentVolumeClaim",
+				"metadata": map[string]interface{}{
+					"name":      "test-pvc",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: nil,
+			enableWorkload:  false,
 			want:            true,
 		},
 		{
-			name: "PersistentVolumeClaim should NOT propagate",
+			name: "PVC should NOT propagate when workload is enabled",
 			obj: map[string]interface{}{
 				"apiVersion": "v1",
 				"kind":       "PersistentVolumeClaim",
@@ -1328,8 +1364,30 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 				},
 			},
 			ownerReferences: nil,
+			enableWorkload:  true,
 			want:            false,
 		},
+		{
+			name: "PVC with ownerReferences should NOT propagate when workload is enabled",
+			obj: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       "PersistentVolumeClaim",
+				"metadata": map[string]interface{}{
+					"name":      "data-statefulset-0",
+					"namespace": "default",
+				},
+			},
+			ownerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "apps/v1",
+					Kind:       "StatefulSet",
+					Name:       "statefulset",
+					UID:        "sts-uid",
+				},
+			},
+			enableWorkload: true,
+			want:           false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -1339,7 +1397,7 @@ func TestShouldPropagateObj_PodAndReplicaSet(t *testing.T) {
 				uObj.SetOwnerReferences(tt.ownerReferences)
 			}
 
-			got, err := ShouldPropagateObj(nil, uObj)
+			got, err := ShouldPropagateObj(nil, uObj, tt.enableWorkload)
 			if err != nil {
 				t.Errorf("ShouldPropagateObj() error = %v", err)
 				return

Original file line number	Diff line number	Diff line change
`@@ -168,6 +168,7 @@ func SetupControllers(ctx context.Context, wg *sync.WaitGroup, mgr ctrl.Manager,`
`168`	`168`	`UncachedReader: mgr.GetAPIReader(),`
`169`	`169`	`ResourceSnapshotCreationMinimumInterval: opts.ResourceSnapshotCreationMinimumInterval,`
`170`	`170`	`ResourceChangesCollectionDuration: opts.ResourceChangesCollectionDuration,`
	`171`	`+ EnableWorkload: opts.EnableWorkload,`
`171`	`172`	`}`
`172`	`173`
`173`	`174`	`rateLimiter := options.DefaultControllerRateLimiter(opts.RateLimiterOpts)`
`@@ -507,6 +508,7 @@ func SetupControllers(ctx context.Context, wg *sync.WaitGroup, mgr ctrl.Manager,`
`507`	`508`	`SkippedNamespaces: skippedNamespaces,`
`508`	`509`	`ConcurrentPlacementWorker: int(math.Ceil(float64(opts.MaxConcurrentClusterPlacement) / 10)),`
`509`	`510`	`ConcurrentResourceChangeWorker: opts.ConcurrentResourceChangeSyncs,`
	`511`	`+ EnableWorkload: opts.EnableWorkload,`
`510`	`512`	`}`
`511`	`513`
`512`	`514`	`if err := mgr.Add(resourceChangeDetector); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,9 @@ type Reconciler struct {`
`94`	`94`
`95`	`95`	`// ResourceChangesCollectionDuration is the duration for collecting resource changes into one snapshot.`
`96`	`96`	`ResourceChangesCollectionDuration time.Duration`
	`97`	`+`
	`98`	`+ // EnableWorkload indicates whether workloads are allowed to run on the hub cluster.`
	`99`	`+ EnableWorkload bool`
`97`	`100`	`}`
`98`	`101`
`99`	`102`	`func (r *Reconciler) Reconcile(ctx context.Context, key controller.QueueKey) (ctrl.Result, error) {`
Original file line number	Diff line number	Diff line change
`@@ -294,7 +294,7 @@ func (r *Reconciler) shouldPropagateObj(namespace, placementName string, obj run`
`294`	`294`	`return false, nil`
`295`	`295`	`}`
`296`	`296`
`297`		`- shouldInclude, err := utils.ShouldPropagateObj(r.InformerManager, uObj)`
	`297`	`+ shouldInclude, err := utils.ShouldPropagateObj(r.InformerManager, uObj, r.EnableWorkload)`
`298`	`298`	`if err != nil {`
`299`	`299`	`klog.ErrorS(err, "Cannot determine if we should propagate an object", "namespace", namespace, "placement", placementName, "object", uObjKObj)`
`300`	`300`	`return false, err`