add NoExecute taint manager

[Garrybest]

Signed-off-by: Garrybest garrybest@foxmail.com

What type of PR is this?
/kind feature

What this PR does / why we need it:
Add taint manager for NoExecute manager.

Which issue(s) this PR fixes:
Fixes part of #1762

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

`karmada-controller-manager`: Introduced `taint manager` to cluster controller to evict workloads from clusters with `no-execute` taint. 

[RainbowMango]

/assign
But I'm afraid don't have enough time to look at it.

[Garrybest]

Thanks @RainbowMango. The taint manager in k/k is really complicated. I have tried my best to keep our taint manager concise. Let me invite more reviewers to check.

/cc @lynnsong @XiShanYongYe-Chang @huone1

[dddddai]

Cool!

[RainbowMango]

It's really enjoyable to look at code like this.

Thanks @Garrybest and sorry for let this sit.

[Garrybest]

The e2e error does not make any sense. Maybe we need a retest.

[RainbowMango]

Right.

Echo here for @XiShanYongYe-Chang to check.
https://github.com/karmada-io/karmada/runs/6858581736?check_suite_focus=true

[namespace auto-provision] namespace auto-provision testing joining new cluster
namespace should be propagated to new created clusters[needCreateCluster]
/home/runner/work/karmada/karmada/test/e2e/namespace_test.go:131
------------------------------
• [FAILED] [105.817 seconds]
[namespace auto-provision] namespace auto-provision testing
/home/runner/work/karmada/karmada/test/e2e/namespace_test.go:24
joining new cluster [BeforeEach][needCreateCluster]
/home/runner/work/karmada/karmada/test/e2e/namespace_test.go:84
    namespace should be propagated to new created clusters
/home/runner/work/karmada/karmada/test/e2e/namespace_test.go:131
Begin Captured StdOut/StdErr Output >>
    E0613 09:56:15.873001   42505 unjoin.go:277] Failed to delete cluster object. cluster name: member-e2e-blx, error: Delete "https://172.18.0.5:5443/apis/cluster.karmada.io/v1alpha1/clusters/member-e2e-blx": dial tcp 172.18.0.5:5443: connect: connection refused
    E0613 09:56:15.873109   42505 unjoin.go:166] Failed to delete cluster object. cluster name: member-e2e-blx, error: Delete "https://172.18.0.5:5443/apis/cluster.karmada.io/v1alpha1/clusters/member-e2e-blx": dial tcp 172.18.0.5:5443: connect: connection refused

[XiShanYongYe-Chang]

Logs are lost. Access to karmada-apiserver is refused based on existing error information:

Delete "https://172.18.0.5:5443/apis/cluster.karmada.io/v1alpha1/clusters/member-e2e-blx": dial tcp 172.18.0.5:5443: connect: connection refused
Get \"[https://172.18.0.5:5443/api/v1/namespaces/karmada-cluster\](https://172.18.0.5:5443/api/v1/namespaces/karmada-cluster/)": dial tcp 172.18.0.5:5443: connect: connection refused
Delete "https://172.18.0.5:5443/api/v1/namespaces/karmadatest-zzk": dial tcp 172.18.0.5:5443: connect: connection refused

[Garrybest]

No big deal, maybe just some occasional errors.

[dddddai]

Looks pretty good!

[Garrybest]

Could we move forward?

[RainbowMango]

I just talked to @XiShanYongYe-Chang about this, he will work on the issue I mentioned above(#1945 (comment)).

I don't want the replica/cluster to be removed directly from binding.spec.clusters that will lead to the replicas being removed immediately.

So, can we just hold for a while? I guess we can include this in the next release(v1.3).

[Garrybest]

OK.

[RainbowMango]

The NoExecuteTaintManager is essentially a controller, do you think we should reserve the capacity of disabling it?

[Garrybest]

I think NoExecuteTaintManager is a part of cluster controller.

Kubernetes takes TaintManager as a part of NodeLifecycleController. It provides an option --enable-taint-manager in NodeLifecycleController to enable taint manager.

So what about adding an option --enable-taint-manager as well?

[RainbowMango]

I agree. the --enable-taint-manager defaults to true. But, I think the feature is part of Failover, I suggest checking both the feature gate and the flags.
By the way, the feature gate will be removed eventually.

[Garrybest]

But, I think the feature is part of Failover.

Actually, I think this feature is independent. We implement NoExecute taint manager, so another effect of taint is introduced into karmada. Users may taint the cluster by themselves manually. Meanwhile, Failover does depend on this feature, right?

[Garrybest]

Oh, the feature gate should be added in #1781. Let me make a change here.

[RainbowMango]

Actually, I think this feature is independent. We implement NoExecute taint manager, so another effect of taint is introduced into karmada. Users may taint the cluster by themselves manually. Meanwhile, Failover does depend on this feature, right?

After the eviction, the scheduler would select another cluster to fill the slot(if possible), which is exactly the scenario of Failover. For the case users taint the cluster, I think it's a special scenario that users initiate the failover by themselves.

By the way, how do think about the failover feature? What are the use cases?

[RainbowMango]

Oh, the feature gate should be added in #1781. Let me make a change here.

I'm ok with it. The feature gate means the feature is just introduced, maybe not mature enough to default enable, right?

[Garrybest]

By the way, how do think about the failover feature? What are the use cases?

1. Cluster has something wrong, ready condition becomes not ready or unknown.
2. Cluster controller tries to add NoExecute taint after 5 minutes, enhance cluster lifecycle management: add taints for the clusters which are unhealthy for a period of time #1781.
3. Taint manager removes scheduling result of failed cluster in rb.spec.clsuters, add NoExecute taint manager #1945. It's a little bit like what descheduler does.
4. Scheduler tries to scale up these evicted replicas.

I'm ok with it. The feature gate means the feature is just introduced, maybe not mature enough to default enable, right?

Not exactly, we just try to move Failover from scheduler to controller-manager.

[RainbowMango]

Not exactly, we just try to move Failover from scheduler to controller-manager.

I see the plan at #1762. I think removing failover from the scheduler means relieving some responsibilities from the scheduler and letting the scheduler focus on select cluster for workload according to PropgationPolicy. Are we on the same page?

Anyway, let's have a talk at next week's meeting, are you available?

[Garrybest]

Cool. No problem.

[RainbowMango]

Generally looks good to me.

Even though I hope this issue could be solved before this PR, but at the meantime, I don't want this to be delied so much, so I suggest moving this forward now since we have a lot of things that addressed by #1945 to do.

Does that makes sense to you? @Garrybest

[RainbowMango]

I agree. the --enable-taint-manager defaults to true. But, I think the feature is part of Failover, I suggest checking both the feature gate and the flags.
By the way, the feature gate will be removed eventually.

[Garrybest]

Thanks, I will add a new option and let us move forward.

[RainbowMango]

Please rebase your branch as we are fixing the fake testing recently.

[XiShanYongYe-Chang]

Looks good to me.

[RainbowMango]

/lgtm
/approve

/hold
for
no release notes?

[karmada-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [RainbowMango]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[RainbowMango]

/hold cancel
PS: I updated the release notes to the PR description.

[Garrybest]

OK.