Add option to ignore namespaces #6788
Conversation
To both recommender and updater
k8s-ci-robot
added
the
kind/feature
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: adrianmoisey The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @adrianmoisey! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @adrianmoisey. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
In the unlikely case that a nil value is passed in, this code would have failed with an error
| @@ -96,6 +96,15 @@ func selfRegistration(clientset *kubernetes.Clientset, caCert []byte, namespace, | |||
| sideEffects := admissionregistration.SideEffectClassNone | |||
| failurePolicy := admissionregistration.Ignore | |||
| RegisterClientConfig.CABundle = caCert | |||
| namespaceSelector := metav1.LabelSelector{ | |||
There was a problem hiding this comment.
Is this changing any behavior if the list is empty? What about not setting any selector when no ignores are set?
There was a problem hiding this comment.
I wonder if just by having the all namespaces selector we impact cost or performance on the apiserver.
| ) | ||
|
|
||
| func main() { | ||
| klog.InitFlags(nil) | ||
| kube_flag.InitFlags() | ||
|
|
||
| if len(*vpaObjectNamespace) > 0 && len(*ignoredVpaObjectNamespaces) > 0 { |
There was a problem hiding this comment.
This should probably happen after the info log below to still give a log about the version used.
| @@ -332,6 +344,12 @@ func filterVPAs(feeder *clusterStateFeeder, allVpaCRDs []*vpa_types.VerticalPodA | |||
| continue | |||
| } | |||
| } | |||
|
|
|||
| if selectsNamespace(vpaCRD.ObjectMeta.Namespace, feeder.ignoredNamespaces) { | |||
There was a problem hiding this comment.
Can the sourcing of VPAs already do the filtering? So the API server doesn't send namespaces we don't want?
There was a problem hiding this comment.
I did have a look at this, but I didn't find an easy solution to it.
The updater and recommender both seems to use a ListWatch in client-go (https://github.com/kubernetes/autoscaler/blob/vertical-pod-autoscaler-1.1.1/vertical-pod-autoscaler/vendor/k8s.io/client-go/tools/cache/listwatch.go#L69-L100)
This seems to take either a single namespace or all namespaces. There doesn't seem to be a way to exclude any namespaces.
An alternative could be to setup a ListWatch per namespace, but then I imagine we'll need to do quite a big refactor and continuously watch for updates to namespaces, and add/remove the ListWatch as namespaces are added and removed. I also don't know if that sort of change would be better or worse, efficiency wise, compared to this current PR's approach.
My current experience with VPA/client-go is very minimal, so I didn't want to take such a large task that could potentially be the wrong direction.
| @@ -108,6 +110,11 @@ const ( | |||
| func main() { | |||
| klog.InitFlags(nil) | |||
| kube_flag.InitFlags() | |||
|
|
|||
| if len(*vpaObjectNamespace) > 0 && len(*ignoredVpaObjectNamespaces) > 0 { | |||
There was a problem hiding this comment.
Same here, I think the version log should come first.
| @@ -137,6 +149,10 @@ func (u *updater) RunOnce(ctx context.Context) { | |||
| vpas := make([]*vpa_api_util.VpaWithSelector, 0) | |||
|
|
|||
| for _, vpa := range vpaList { | |||
| if selectsNamespace(vpa.Namespace, u.ignoredNamespaces) { | |||
There was a problem hiding this comment.
Same here, why are we even getting those VPAs here?
| vpaObjectNamespace = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.") | ||
| namespace = os.Getenv("NAMESPACE") | ||
| vpaObjectNamespace = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.") | ||
| ignoredVpaObjectNamespaces = flag.String("ignored-vpa-object-namespaces", "", "Comma separated list of namespaces to ignore.") |
There was a problem hiding this comment.
Is there a shared library of sorts where we could put all this instead? It seems like there is no difference in code between the components.
There was a problem hiding this comment.
There doesn't seem to be a shared library for these flags. The existing VPA components all declare their own flags.
| }, | ||
| }, | ||
| } | ||
| } |
There was a problem hiding this comment.
Shouldn't we also be setting a nameSpaceSelector for the case where vpa-object-namespace is used to cause the webhook to operate only for that namespace? This way the pods for all other namespaces do not have to wait for an answer from the admission controller before they start (it will also reduce the load on the admission controller)
There was a problem hiding this comment.
Good idea!
Fixed in 4073194
|
@kwiesmueller I've replied to your comments. I just want to check if this path is worth going down? And if I should spend the time to write tests for this PR. |
|
@kwiesmueller any chance you have some time to look at this again? |
|
/assign @raywainman |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is a replacement PR for #6428
It allows a user to specify a list of namespaces for the various VPA components to ignore.
Which issue(s) this PR fixes:
Fixes #6232
Special notes for your reviewer:
There are no tests at the moment. I'm just making the PR to get some early review to ensure that this is on the right track.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
N/A