Fix/applyset prune uid precondition

[WHOIM1205]

applyset: prevent stale deletes during prune using UID preconditions

Summary

This PR fixes a time-of-check to time-of-act (TOCTOU) race in the ApplySet prune logic.

Between the LIST and DELETE steps, a resource can be deleted and recreated with the same name but a different UID. Without a UID precondition on DELETE, the newly recreated object could be incorrectly deleted.

This change adds a UID precondition to prune DELETE calls and correctly handles 409 Conflict responses.

---

Problem

The prune flow:

1. LIST candidate resources.
2. DELETE each resource by name.

If a resource is recreated between these steps, the DELETE may remove the replacement object because it only matches by name.

When a UID precondition is used, the API server returns a 409 Conflict if the UID no longer matches. This is expected and safe behavior, but it must not cause prune to fail.

---

Changes

applyset.go

In the prune method DELETE section:

• Capture UID from the listed object.
• Pass it via DeleteOptions.Preconditions.UID.
• Treat both IsNotFound and IsConflict as safe-to-ignore.
• Only append to Pruned results when err == nil (actual delete occurred).

This ensures:

• Stale deletes are prevented.
• Recreated resources are not deleted.
• Prune does not fail on expected 409 Conflict.

---

applyset_test.go

Added TestPrune_UIDPrecondition with two subtests:

Subtest	Scenario	Expected Result
uid matches - resource pruned	Normal prune	1 pruned, no error
uid mismatch - resource not pruned	DELETE returns 409 Conflict	0 pruned, no error, resource still exists

The test verifies that:

• UID match behaves normally.
• UID mismatch safely skips delete.
• No error is returned on 409.
• The recreated resource remains intact.

---

Verification

Run:

go test ./pkg/controller/instance/applyset/... -v -count=1

[k8s-ci-robot]

Hi @WHOIM1205. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[WHOIM1205]

/assign @a-hilaly
Closed the previous PR after cleanup. This PR contains the corrected fix per review (409 handling + updated test).

[a-hilaly]

Two tiny suggestions, thanks @WHOIM1205 !

[a-hilaly]

looks like this resource isn't used

[a-hilaly]

/ok-to-test

[a-hilaly]

/retest

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: WHOIM1205
Once this PR has been reviewed and has the lgtm label, please ask for approval from a-hilaly. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[WHOIM1205]

@a-hilaly
addressed the review comments:

• Added a V(2) debug log for 409 Conflict (UID mismatch) cases.
• Fixed the test to properly use the recreated object when simulating UID mismatch.

Tests passing locally.

[a-hilaly]

nit:

Suggested change

	if err == nil {
	mu.Lock()
	results = append(results, PruneResultItem{Object: c.obj})
	mu.Unlock()
	a.log.V(2).Info("pruned resource",
	"name", c.obj.GetName(),
	"namespace", c.obj.GetNamespace(),
	"gvr", c.gvr.String(),
	)
	a.log.V(2).Info("pruned resource",
	"name", c.obj.GetName(),
	"namespace", c.obj.GetNamespace(),
	"gvr", c.gvr.String(),
	)
	}
	if apierrors.IsConflict(err) {
	a.log.V(2).Info("skipped prune due to UID mismatch (resource recreated)",
	"name", c.obj.GetName(),
	"namespace", c.obj.GetNamespace(),
	"gvr", c.gvr.String(),
	)
	}
	if apierrors.IsConflict(err) {
	a.log.V(2).Info("skipped prune due to UID mismatch (resource recreated)",
	"name", c.obj.GetName(),
	"namespace", c.obj.GetNamespace(),
	"gvr", c.gvr.String(),
	)
	}
	if err == nil {
	mu.Lock()
	results = append(results, PruneResultItem{Object: c.obj})
	mu.Unlock()
	a.log.V(2).Info("pruned resource",
	"name", c.obj.GetName(),
	"namespace", c.obj.GetNamespace(),
	"gvr", c.gvr.String(),
	)
	}

[a-hilaly]

@WHOIM1205 you haven't addressed all the provided feedback

[WHOIM1205]

@WHOIM1205 you haven't addressed all the provided feedback

Refactored the post-delete handling into a switch so the conflict, success, and error paths are clearly mutually exclusive. No behavior change just cleaner structure per feedback. All tests passing.

[WHOIM1205]

@a-hilaly , @jakobmoellerdev is there anything i can change in this pr

[jakobmoellerdev]

this switch case is a bit hard to understand. My understanding is that if the err != nil and it is not found or conflict, we are no longer appending the item to prune result. is that correct?

[jakobmoellerdev]

@WHOIM1205 friendly reminder

[a-hilaly]

friendly reminder @WHOIM1205