From 488436a18f4cf27e7986829a790816a397913509 Mon Sep 17 00:00:00 2001
From: Leon <leon@apecloud.com>
Date: Thu, 13 Jul 2023 17:47:34 +0800
Subject: [PATCH] feat: volume protection from space exhaustion (#3988)

---
 ...apps.kubeblocks.io_clusterdefinitions.yaml | 33 +++++++++++++++++++
 .../rbac/cluster_pod_required_role.yaml       |  8 +++++
 2 files changed, 41 insertions(+)

diff --git a/helm/crds/apps.kubeblocks.io_clusterdefinitions.yaml b/helm/crds/apps.kubeblocks.io_clusterdefinitions.yaml
index 15b790337cc1..a26c5ac78d32 100644
--- a/helm/crds/apps.kubeblocks.io_clusterdefinitions.yaml
+++ b/helm/crds/apps.kubeblocks.io_clusterdefinitions.yaml
@@ -9176,6 +9176,39 @@ spec:
                       - cmdExecutorConfig
                       - passwordConfig
                       type: object
+                    volumeProtectionSpec:
+                      properties:
+                        highWatermark:
+                          default: 90
+                          description: The high watermark threshold for volume space
+                            usage. If there is any specified volumes who's space usage
+                            is over the threshold, the pre-defined "LOCK" action will
+                            be triggered to degrade the service to protect volume
+                            from space exhaustion, such as to set the instance as
+                            read-only. And after that, if all volumes' space usage
+                            drops under the threshold later, the pre-defined "UNLOCK"
+                            action will be performed to recover the service normally.
+                          maximum: 100
+                          minimum: 0
+                          type: integer
+                        volumes:
+                          description: Volumes to protect.
+                          items:
+                            properties:
+                              highWatermark:
+                                description: Volume specified high watermark threshold,
+                                  it will override the component level threshold.
+                                  If the value is invalid, it will be ignored and
+                                  the component level threshold will be used.
+                                maximum: 100
+                                minimum: 0
+                                type: integer
+                              name:
+                                description: Name of volume to protect.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
                     volumeTypes:
                       description: "volumeTypes is used to describe the purpose of
                         the volumes mapping the name of the VolumeMounts in the PodSpec.Container
diff --git a/helm/templates/rbac/cluster_pod_required_role.yaml b/helm/templates/rbac/cluster_pod_required_role.yaml
index 99b320e5277e..98d8f372c7f5 100644
--- a/helm/templates/rbac/cluster_pod_required_role.yaml
+++ b/helm/templates/rbac/cluster_pod_required_role.yaml
@@ -36,6 +36,14 @@ rules:
   - patch
   - update
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - nodes/stats
+  verbs:
+  - get
+  - list
 - apiGroups:
   - apps.kubeblocks.io
   resources: