Add option to ignore namespaces #6788
To both recommender and updater
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: adrianmoisey The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Welcome @adrianmoisey!
Hi @adrianmoisey. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
In the unlikely case that a nil value is passed in, this code would have failed with an error
@@ -96,6 +96,15 @@ func selfRegistration(clientset *kubernetes.Clientset, caCert []byte, namespace, | |||
sideEffects := admissionregistration.SideEffectClassNone | |||
failurePolicy := admissionregistration.Ignore | |||
RegisterClientConfig.CABundle = caCert | |||
namespaceSelector := metav1.LabelSelector{ |
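Review bot: `namespaceSelector := metav1.LabelSelector{` matches namespaces by label, not by name, so the ignore list is only as reliable as the label the selector keys on. Please say in a comment which label key is used. If it is a label that namespace editors can change, relabeling moves a namespace in or out of the webhook's scope, whereas the API-server-managed `kubernetes.io/metadata.name` label cannot be changed.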
Is this changing any behavior if the list is empty? What about not setting any selector when no ignores are set?
I wonder if just by having the all namespaces selector we impact cost or performance on the apiserver.
Fixed in cef6dcb
) | ||
|
||
func main() { | ||
klog.InitFlags(nil) | ||
kube_flag.InitFlags() | ||
|
||
if len(*vpaObjectNamespace) > 0 && len(*ignoredVpaObjectNamespaces) > 0 { |
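Review bot: `len(*ignoredVpaObjectNamespaces) > 0` tests the raw flag string, so a value such as `,` or a single space satisfies this condition together with `vpa-object-namespace` even though it names no namespace. Split and trim the value first, then run the check on the resulting list.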
This should probably happen after the info log below to still give a log about the version used.
Fixed in 590b4fc
@@ -332,6 +344,12 @@ func filterVPAs(feeder *clusterStateFeeder, allVpaCRDs []*vpa_types.VerticalPodA | |||
continue | |||
} | |||
} | |||
|
|||
if selectsNamespace(vpaCRD.ObjectMeta.Namespace, feeder.ignoredNamespaces) { |
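Review bot: `selectsNamespace(vpaCRD.ObjectMeta.Namespace, feeder.ignoredNamespaces)` reads as an inclusion test but is used here against the ignore list. A name such as `isNamespaceIgnored`, or a doc comment on the helper, would make the branch unambiguous. `vpaCRD.Namespace` is also enough, since `ObjectMeta` is embedded.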
Can the sourcing of VPAs already do the filtering? So the API server doesn't send namespaces we don't want?
I did have a look at this, but I didn't find an easy solution to it.
The updater and recommender both seem to use a ListWatch in client-go (https://github.com/kubernetes/autoscaler/blob/vertical-pod-autoscaler-1.1.1/vertical-pod-autoscaler/vendor/k8s.io/client-go/tools/cache/listwatch.go#L69-L100)
This seems to take either a single namespace or all namespaces. There doesn't seem to be a way to exclude any namespaces.
An alternative could be to set up a ListWatch per namespace, but then I imagine we'll need to do quite a big refactor and continuously watch for updates to namespaces, and add/remove the ListWatch as namespaces are added and removed. I also don't know if that sort of change would be better or worse, efficiency-wise, compared to this current PR's approach.
My current experience with VPA/client-go is very minimal, so I didn't want to take such a large task that could potentially be the wrong direction.
@@ -108,6 +110,11 @@ const ( | |||
func main() { | |||
klog.InitFlags(nil) | |||
kube_flag.InitFlags() | |||
|
|||
if len(*vpaObjectNamespace) > 0 && len(*ignoredVpaObjectNamespaces) > 0 { |
Same here, I think the version log should come first.
Fixed in 590b4fc
@@ -137,6 +149,10 @@ func (u *updater) RunOnce(ctx context.Context) { | |||
vpas := make([]*vpa_api_util.VpaWithSelector, 0) | |||
|
|||
for _, vpa := range vpaList { | |||
if selectsNamespace(vpa.Namespace, u.ignoredNamespaces) { |
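Review bot: the `selectsNamespace(vpa.Namespace, u.ignoredNamespaces)` check inside `for _, vpa := range vpaList` is what keeps VPAs from an ignored namespace out of `vpas`, and the PR description says there are no tests yet. Add a `RunOnce` test with one VPA in an ignored namespace and one outside it, asserting that only the latter is processed.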
Same here, why are we even getting those VPAs here?
vpaObjectNamespace = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.") | ||
namespace = os.Getenv("NAMESPACE") | ||
vpaObjectNamespace = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.") | ||
ignoredVpaObjectNamespaces = flag.String("ignored-vpa-object-namespaces", "", "Comma separated list of namespaces to ignore.") |
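Review bot: the help text for `ignored-vpa-object-namespaces` says only "Comma separated list of namespaces to ignore." It should also state how the flag interacts with `vpa-object-namespace`, which `main()` checks together with it, and whether whitespace around entries is trimmed.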
Is there a shared library of sorts where we could put all this instead? It seems like there is no difference in code between the components.
There doesn't seem to be a shared library for these flags. The existing VPA components all declare their own flags.
}, | ||
}, | ||
} | ||
} |
Shouldn't we also be setting a nameSpaceSelector for the case where vpa-object-namespace is used to cause the webhook to operate only for that namespace? This way the pods for all other namespaces do not have to wait for an answer from the admission controller before they start (it will also reduce the load on the admission controller)
Good idea!
Fixed in 4073194
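The two selector shapes discussed in this thread, as an added illustration rather than code from the PR: a webhook `namespaceSelector` that excludes an ignore list, with the single-namespace variant shown in comments. It assumes the selector keys on the `kubernetes.io/metadata.name` label that the API server sets on every namespace; all `example-` names and the CA bundle are placeholders.

```yaml
# Added illustration; every "example-" name is a placeholder, not a value from the PR.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: example-vpa-webhook-config
webhooks:
  - name: example-vpa.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # With Ignore, a pod is admitted unmodified when the webhook is
    # unreachable, so the selector only affects latency and load.
    failurePolicy: Ignore
    clientConfig:
      service:
        name: example-vpa-webhook
        namespace: example-system
      caBundle: "<base64-encoded CA bundle placeholder>"
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # Case 1: ignore list set. The API server skips the webhook call
    # for pods created in the listed namespaces.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name   # assumed key; set by the API server
          operator: NotIn
          values: ["example-ignored-a", "example-ignored-b"]
    # Case 2: single watched namespace. Only pods in that namespace
    # wait for the admission controller.
    # namespaceSelector:
    #   matchExpressions:
    #     - key: kubernetes.io/metadata.name
    #       operator: In
    #       values: ["example-team-a"]
    # Case 3: neither flag set. Omit namespaceSelector entirely so the
    # webhook keeps matching every namespace, as before the change.
```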
@kwiesmueller I've replied to your comments. I just want to check if this path is worth going down? And if I should spend the time to write tests for this PR.
@kwiesmueller any chance you have some time to look at this again?
/assign @raywainman
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is a replacement PR for #6428
It allows a user to specify a list of namespaces for the various VPA components to ignore.
Which issue(s) this PR fixes:
Fixes #6232
Special notes for your reviewer:
There are no tests at the moment. I'm just making the PR to get some early review to ensure that this is on the right track.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
N/A