feat(ensure_pvc): accept ReadWriteOncePod on imported archive PVCs#214
Merged
…loses #213)

Relaxes the PVC import validator at internal/task/ensure_pvc.go to accept either ReadWriteOnce OR ReadWriteOncePod. Both are single-writer access modes that satisfy the validator's intent.

Why: archives on EKS 1.34 pay a ~20-minute recursive setxattr walk on pod start because the kubelet relabels every inode for SELinux at mount time. Setting accessModes: [ReadWriteOncePod] activates the GA-since-1.27 SELinuxMountReadWriteOncePod feature, which applies the label as a per-mount option in milliseconds. The cleaner alternative (seLinuxChangePolicy: MountOption) requires the SELinuxMount feature gate at the API server — default-off in K8s 1.33–1.36 and not exposed to customers on managed EKS (containers-roadmap#512).

This change is the controller-side prerequisite. Platform-repo archive manifests (PV+PVC) flip independently to ship RWOP from creation (archive-1 / archive-2) or migrate at next natural pod restart (archive-0).

- internal/task/ensure_pvc.go: validator accepts RWO or RWOP
- internal/task/ensure_pvc_test.go: new test for RWOP-only PVC
- .agent/runbooks/operating-archive-node-byov.md: new §6.4 SELinux mount labeling section + migration procedure for existing RWO archives, manifest examples updated, validation contract updated

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bdchatham added a commit that referenced this pull request on May 8, 2026:
…#215) Pulls in #214 — internal/task/ensure_pvc.go now accepts either ReadWriteOnce or ReadWriteOncePod on imported archive PVCs. Required for the archive-0 PV/PVC RWOP migration (#213) to land cleanly without the validator rejecting the new accessModes. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes #213.
Summary
Relaxes the imported-PVC validator to accept either ReadWriteOnce or ReadWriteOncePod. Both are single-writer access modes that satisfy the validator's intent. Previously the validator rejected RWOP-only PVCs with "accessModes does not include ReadWriteOnce".

This is the controller-side prerequisite for landing the SELinux-mount-labeling optimization on EKS 1.34. Platform-repo archive manifests will then ship accessModes: [ReadWriteOncePod], which activates SELinuxMountReadWriteOncePod (GA since K8s 1.27, default-on) and skips the ~20-minute recursive setxattr walk on the archive PVC every pod start.

Why RWOP and not seLinuxChangePolicy: MountOption

The cleaner standard fix (seLinuxChangePolicy: MountOption) requires the upstream SELinuxMount feature gate at the API server — default-off in K8s 1.33–1.36 and not exposed to customers on managed EKS (containers-roadmap#512, still open). RWOP sidesteps that constraint entirely.

Background and prior attempts: #202 (reverted by #206) and #207 (closed). #213 has the full analysis.

Files

internal/task/ensure_pvc.go
internal/task/ensure_pvc_test.go
.agent/runbooks/operating-archive-node-byov.md

Test plan

make test green locally for ./internal/task/... (the Error 1 from make test is a go-toolchain-version mismatch in my local env; the tests themselves all pass — ok internal/task 1.680s coverage: 46.1%)
TestEnsureDataPVC_Import_WrongAccessMode_Terminal still passes (verified locally — it now triggers because ReadOnlyMany doesn't include either RWO or RWOP)
TestEnsureDataPVC_Import_ReadWriteOncePod_AccessMode_Completes passes (verified locally)

Follow-ups (separate PRs, in sei-protocol/platform)

🤖 Generated with Claude Code
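The relaxed acceptance rule the PR describes, written out as an added Go illustration; this is not the repository's ensure_pvc.go, and the function names, the plain-string access-mode constants and the exact error wording are assumptions. It also adds a helper that checks the PV/PVC pair the PR says the platform manifests will flip, since the fast path needs ReadWriteOncePod on both objects.

```go
package main

import (
	"fmt"
	"strings"
)

// Access modes as spelled in manifests (the string values of
// corev1.PersistentVolumeAccessMode; the k8s API types are not imported here).
const (
	ReadWriteOnce    = "ReadWriteOnce"
	ReadWriteOncePod = "ReadWriteOncePod"
	ReadOnlyMany     = "ReadOnlyMany"
)

// isSingleWriter is the relaxed acceptance set from the PR: RWO or RWOP.
func isSingleWriter(mode string) bool {
	return mode == ReadWriteOnce || mode == ReadWriteOncePod
}

// ValidateImportedAccessModes illustrates the relaxed validator: an imported
// PVC passes if any listed mode is single-writer. A failure is terminal (the
// controller should not retry); the message names both accepted modes, which
// is the "updated error message" the PR mentions (wording assumed here).
func ValidateImportedAccessModes(pvcModes []string) error {
	for _, m := range pvcModes {
		if isSingleWriter(m) {
			return nil
		}
	}
	return fmt.Errorf("terminal: accessModes [%s] does not include %s or %s",
		strings.Join(pvcModes, ","), ReadWriteOnce, ReadWriteOncePod)
}

// UsesMountLabeling reports whether a PV/PVC pair is in the shape the PR
// wants for SELinuxMountReadWriteOncePod: ReadWriteOncePod as the only
// access mode on both objects. Kubernetes does not allow RWOP to be combined
// with other modes, so a mixed list cannot be the fast-path configuration.
func UsesMountLabeling(pvModes, pvcModes []string) bool {
	only := func(ms []string) bool { return len(ms) == 1 && ms[0] == ReadWriteOncePod }
	return only(pvModes) && only(pvcModes)
}

func main() {
	// Constructed sample inputs mirroring the two tests named in the PR.
	fmt.Println(ValidateImportedAccessModes([]string{ReadOnlyMany}))     // terminal error
	fmt.Println(ValidateImportedAccessModes([]string{ReadWriteOncePod})) // <nil>
	fmt.Println(UsesMountLabeling([]string{ReadWriteOncePod}, []string{ReadWriteOncePod}))
}
```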
Note
Medium Risk
Touches controller-side validation for imported PVCs; a mistake could incorrectly accept/reject volumes and block node startup, though the change is small and covered by tests.
Overview
Allows imported data PVCs to satisfy the controller's import validator with either ReadWriteOnce or ReadWriteOncePod (treated as acceptable single-writer modes), updating the terminal error message accordingly.

Adds a regression test ensuring an RWOP-only PV/PVC pair validates successfully, and updates the BYOV archive runbook to recommend RWOP by default, document SELinux mount-labeling performance implications, and provide a delete/recreate migration procedure plus checklist updates.
Reviewed by Cursor Bugbot for commit b85f8f7.