fix the issue that the pod anti-filtering rules are not taking effect #1395
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @fanhaouu. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
|
@fanhaouu would you please share an example of this case? With
Can you rephrase the description in terms of "a pod P1 on a node N1", "a pod P1 wrt. P2", etc.? The description is still ambiguous. It would help to start the description with "There are two nodes N1 and N2. Both pods P1 and P2 are scheduled. P1 to node N1, P2 to node N2. There's another pod P3 scheduled to node N? that violates anti-affinity of P?. |
Sure, let me give you an example. If according to the current logic of podMatchesInterPodAntiAffinity, to determine if pod1 can be scheduled to node2, this method returns match as false and error as nil, but in reality, the match value should be true, meaning that pod1 cannot be scheduled to node2 Pod1: Node1: Pod2: Node2: |
|
@ingvagabund I don't know if the example I provided is clear enough? |
pkg/utils/predicates.go
Outdated
| } | ||
|
|
||
| if nodeFit { | ||
| if _, ok := node.Labels[term.TopologyKey]; ok { |
There was a problem hiding this comment.
Here we still do not know whether pod and existingPod are violating the anti-affinity rule. Just that both pods are in anti-affinity relation. Checking whether pod is in a given topology domain is not sufficient here.
There was a problem hiding this comment.
hi, master, i think it is sufficient here. If the program reaches this point, it means the podMatchesTermsNamespaceAndSelector method returned true. If the topologyKey of the pod also exists on the node label of the existingPod, it indicates that the pod and the existingPod are violating the anti-affinity rule
There was a problem hiding this comment.
In that case nodeHavingExistingPod.Labels instead of node.Labels as nodeHavingExistingPod is the target node, not node.
So it's the nodefit part here that's in question? I.e. when
If the match is true, the strategy is expected to evict the pod. Independent of whether the pod can be scheduled to another node or not. If you want to implement the nodefit part for the strategy you can utilize |
|
Is this PR expected to resolve #1370? |
|
I see now what's going on:
You are addressing this part: "It does not make sense to do this when we’re evaluating if a Pod could fit on another Node as part of NodeFit." |
Let's have P1 scheduled to N1 and P2 scheduled to N2. Pods P1 and P2 have matching anti-affinities. The check here is So the goal here is to ignore node N1 in the check. N1 is retrieved due to accessing @fanhaouu is this the current issue in hand? Just rephrasing so it is clear what this issue and fix is all about. @nikimanoledaki for awareness. |
yes, master, you are right |
More on this. Again with let's have P1 scheduled to N1 and P2 scheduled to N2. Pods P1 and P2 have matching anti-affinities. The check here is NodeFit(P1,N2) and the claim here is the check "returns early". Given N1 != N2 then |
|
Wrt. "returns early": In case So the following case leads to
|
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/cc |
|
@likakuli: GitHub didn't allow me to request PR reviews from the following users: likakuli. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This is correct - I came to the same conclusion that when there are multiple pods and multiple nodes (rather than P1 and P2 both on N1), given that both pods have an anti-affinity, a valid check to validate this is if they have the same I wrote a draft PR a while ago that I didn't have time to finish, here, which has more logging that I was using to debug in our environment. It approached this logic in a slightly different way: https://github.com/kubernetes-sigs/descheduler/pull/1415/files |
It returned early here: As you can see in the PR I used to debug, here, I added the following log: |
Normally, the descheduler is expected to check only a pod that has been scheduled. Which implies |
Hm not sure we are seeing the same thing. Taking a step back, we know that Currently, the code will check whether P1 and P2 are on N2. Of course, we know that P1 is not yet on N2, so I think the issue is that this was a leftover/oversight from my part when I was refactoring this in #1356 where I tried to refactor this anti-affinity check from RemovePodsViolatingInterPodAntiAffinit. That plugin was comparing P1 and P2 when they are already both on the same Node. On the other hand, when coming from |
P1 is scheduled on N1 so I wonder why you get !ok when accessing nodeMap[P1.Spec.NodeName] |
Because the Node that we are checking for in It's checking if P1 is on N2 (which is not expected to be there yet, therefore it returns early) and then if P2 is on N2 (which we expect it to be). At least, this is my understanding - I could be wrong. |
|
This is my understanding, let me know if this is different from yours 
|
pkg/utils/predicates.go
Outdated
| continue | ||
| } | ||
|
|
||
| node, ok := nodeMap[pod.Spec.NodeName] |
There was a problem hiding this comment.
There is only one Node being passed when coming from NodeFit and that is the destination Node (N2). P1 is not on N2, so this will be !ok. We should only evaluate this if nodeFit == false.
There was a problem hiding this comment.
thank you, should using existingPod here, i have fixed it.
There was a problem hiding this comment.
Perhaps my pr misled ingvagabund,😂
There was a problem hiding this comment.
should using existingPod here
Yes! I agree about reversing to make sure that existingPod is on N2, even when assessing from NodeFit 👍
fanhaouu
force-pushed
the
fix-check-pod-anti-affinity
branch
2 times, most recently
from
65916fa
to
af9eab9
Compare
|
/retest |
pkg/utils/predicates_test.go
Outdated
| @@ -1067,6 +1067,7 @@ func TestCheckPodsWithAntiAffinityExist(t *testing.T) { | |||
| } | |||
| }), | |||
| }, | |||
| nodeFit: false, | |||
There was a problem hiding this comment.
You can omit nodeFit: false lines. false is the default value.
pkg/utils/predicates_test.go
Outdated
| { | ||
| name: "found pod matching pod anti-affinity when node fitting", | ||
| pod: test.PodWithPodAntiAffinity(test.BuildTestPod("p1", 1000, 1000, "node1", nil), "foo", "bar"), | ||
| podsInNamespace: map[string][]*v1.Pod{ |
There was a problem hiding this comment.
Let's construct a complete map here and other test cases. I.e.:
podsInNamespace: map[string][]*v1.Pod{
"default": {
test.PodWithPodAntiAffinity(test.BuildTestPod("p1", 1000, 1000, "node1", nil), "foo", "bar"),
test.PodWithPodAntiAffinity(test.BuildTestPod("p2", 1000, 1000, "node2", nil), "foo", "bar"),
},
},
Missing a pod in podsInNamespace makes the pod non-existent.
There was a problem hiding this comment.
podsInNamespace refers to pods on different nodes from pod1, so it is complete
pkg/utils/predicates_test.go
Outdated
| test.PodWithPodAntiAffinity(test.BuildTestPod("p2", 1000, 1000, "node2", nil), "foo", "bar"), | ||
| }, | ||
| }, | ||
| nodeMap: map[string]*v1.Node{ |
There was a problem hiding this comment.
The same here:
nodeMap: map[string]*v1.Node{
"node1": ...
"node2": test.BuildTestNode("node2", 64000, 128*1000*1000*1000, 2, func(node *v1.Node) {
node.ObjectMeta.Labels = map[string]string{
"region": "main-region",
}
}),
},
There was a problem hiding this comment.
this is also not necessary. pod1 is on node1, nodeMap contains the node where pod2 is located.Here we are writing test cases for when nodeFit is true
pkg/utils/predicates_test.go
Outdated
| expMatch: false, | ||
| }, | ||
| { | ||
| name: "found pod matching pod anti-affinity when node fitting", |
There was a problem hiding this comment.
Can you rephrase it in a more specific way? E.g. "Pod violates inter-pod anti-affinity, ignoring source pod domain" or similar.
The same for other test names. Better to be more expressive than generic.
pkg/utils/predicates.go
Outdated
| @@ -310,7 +310,7 @@ func CreateNodeMap(nodes []*v1.Node) map[string]*v1.Node { | |||
| } | |||
|
|
|||
| // CheckPodsWithAntiAffinityExist checks if there are other pods on the node that the current pod cannot tolerate. | |||
| func CheckPodsWithAntiAffinityExist(pod *v1.Pod, pods map[string][]*v1.Pod, nodeMap map[string]*v1.Node) bool { | |||
| func CheckPodsWithAntiAffinityExist(pod *v1.Pod, pods map[string][]*v1.Pod, nodeMap map[string]*v1.Node, nodeFit bool) bool { | |||
There was a problem hiding this comment.
s/pod/candidatePod (or similar) to stress pod variable is the pod getting tested for the inter-pod anti-affinity violation.
Worth renaming pods into e.g. placedPods, allocatedPods, assignedPods or similar to stress these pods are already assigned to nodes.
pkg/utils/predicates.go
Outdated
| continue | ||
| } | ||
|
|
||
| if nodeFit { |
There was a problem hiding this comment.
nodeFit name can be misleading here. NodeFit itself takes a pod and a node and the predicates checks whether the pod can be scheduled to the node. In here, there's no node passed through the function arguments. nodeHavingExistingPod nodes are nodes to which the already assigned pods are scheduled/assigned to.
In case of NodeFit(nodeIndexer podutil.GetPodsAssignedToNodeFunc, pod *v1.Pod, node *v1.Node) the underlying podMatchesInterPodAntiAffinity function selects only pods that are assigned to node. Nevertheless, given CheckPodsWithAntiAffinityExist is a public function setting nodeFit=true, it's not easy to guess the original intention. For that, I'd rather prefer to separate the former CheckPodsWithAntiAffinityExist implementation from it's invocation in NodeFit.
Given podMatchesInterPodAntiAffinity already checks for pod.Spec.Affinity == nil || pod.Spec.Affinity.PodAntiAffinity == nil you can replace return utils.CheckPodsWithAntiAffinityExist(pod, podsInANamespace, nodeMap), nil with what's left in CheckPodsWithAntiAffinityExist when nodeFit is true. I.e.:
func podMatchesInterPodAntiAffinity(nodeIndexer podutil.GetPodsAssignedToNodeFunc, pod *v1.Pod, node *v1.Node) (bool, error) {
if pod.Spec.Affinity == nil || pod.Spec.Affinity.PodAntiAffinity == nil {
return false, nil
}
podsOnNode, err := podutil.ListPodsOnANode(node.Name, nodeIndexer, nil)
if err != nil {
return false, fmt.Errorf("error listing all pods: %v", err)
}
podsInANamespace := podutil.GroupByNamespace(podsOnNode)
nodeMap := utils.CreateNodeMap([]*v1.Node{node})
/// This is new
for _, term := range getPodAntiAffinityTerms(pod.Spec.Affinity.PodAntiAffinity) {
namespaces := getNamespacesFromPodAffinityTerm(pod, &term)
selector, err := metav1.LabelSelectorAsSelector(term.LabelSelector)
if err != nil {
return false, fmt.Errorf("Unable to convert LabelSelector into Selector: %v", err)
}
for namespace := range namespaces {
for _, existingPod := range podsInANamespace[namespace] {
if existingPod.Name != pod.Name && podMatchesTermsNamespaceAndSelector(existingPod, namespaces, selector) {
nodeHavingExistingPod, ok := nodeMap[existingPod.Spec.NodeName]
if !ok {
continue
}
if _, ok = nodeHavingExistingPod.Labels[term.TopologyKey]; ok {
klog.V(1).InfoS("Found Pods matching PodAntiAffinity when node fitting", "pod with anti-affinity", klog.KObj(pod))
return true, nil
}
}
}
}
}
return false, nil
}You could turn
for _, term := range getPodAntiAffinityTerms(pod.Spec.Affinity.PodAntiAffinity) {
namespaces := getNamespacesFromPodAffinityTerm(pod, &term)
selector, err := metav1.LabelSelectorAsSelector(term.LabelSelector)
if err != nil {
return false, fmt.Errorf("Unable to convert LabelSelector into Selector: %v", err)
}
for namespace := range namespaces {
for _, existingPod := range podsInANamespace[namespace] {into a traversing function InterPodAntiAffinityTraverseFnc(pod, func(existingPod *v1.Pod, namespaces sets.Set[string], selector labels.Selector) bool) bool:
func InterPodAntiAffinityTraverseFnc(pod, func(existingPod *v1.Pod, namespaces sets.Set[string], selector labels.Selector) bool {
if existingPod.Name != pod.Name && podMatchesTermsNamespaceAndSelector(existingPod, namespaces, selector) {
nodeHavingExistingPod, ok := nodeMap[existingPod.Spec.NodeName]
if !ok {
return false
}
if _, ok = nodeHavingExistingPod.Labels[term.TopologyKey]; ok {
klog.V(1).InfoS("Found Pods matching PodAntiAffinity when node fitting", "pod with anti-affinity", klog.KObj(pod))
return true
}
}
return false
});Then
func podMatchesInterPodAntiAffinity(nodeIndexer podutil.GetPodsAssignedToNodeFunc, pod *v1.Pod, node *v1.Node) (bool, error) {
if pod.Spec.Affinity == nil || pod.Spec.Affinity.PodAntiAffinity == nil {
return false, nil
}
podsOnNode, err := podutil.ListPodsOnANode(node.Name, nodeIndexer, nil)
if err != nil {
return false, fmt.Errorf("error listing all pods: %v", err)
}
podsInANamespace := podutil.GroupByNamespace(podsOnNode)
nodeMap := utils.CreateNodeMap([]*v1.Node{node})
/// This is new
return InterPodAntiAffinityTraverseFnc(pod, func(existingPod *v1.Pod, namespaces sets.Set[string], selector labels.Selector) bool {
if existingPod.Name != pod.Name && podMatchesTermsNamespaceAndSelector(existingPod, namespaces, selector) {
nodeHavingExistingPod, ok := nodeMap[existingPod.Spec.NodeName]
if !ok {
return false
}
if _, ok = nodeHavingExistingPod.Labels[term.TopologyKey]; ok {
klog.V(1).InfoS("Found Pods matching PodAntiAffinity when node fitting", "pod with anti-affinity", klog.KObj(pod))
return true
}
}
return false
});
}and
// CheckPodsWithAntiAffinityExist checks if there are other pods on the node that the current pod cannot tolerate.
func CheckPodsWithAntiAffinityExist(pod *v1.Pod, pods map[string][]*v1.Pod, nodeMap map[string]*v1.Node) bool {
if pod.Spec.Affinity == nil || pod.Spec.Affinity.PodAntiAffinity == nil {
return false
}
match, err := InterPodAntiAffinityIterator(pod, func(existingPod *v1.Pod, namespaces sets.Set[string], selector labels.Selector) bool {
if existingPod.Name != pod.Name && podMatchesTermsNamespaceAndSelector(existingPod, namespaces, selector) {
node, ok := nodeMap[pod.Spec.NodeName]
if !ok {
return false
}
nodeHavingExistingPod, ok := nodeMap[existingPod.Spec.NodeName]
if !ok {
return false
}
if hasSameLabelValue(node, nodeHavingExistingPod, term.TopologyKey) {
klog.V(1).InfoS("Found Pods matching PodAntiAffinity", "pod with anti-affinity", klog.KObj(pod))
return true
}
}
return false
})
if err != nil {
klog.ErrorS(err, "Unable to convert LabelSelector into Selector")
return false
}
return false
}Or, even go further and make if existingPod.Name != pod.Name && podMatchesTermsNamespaceAndSelector(existingPod, namespaces, selector) { check part of the traversing function.
Note: I will need to double check this tomorrow with a fresh pair of eyes.
There was a problem hiding this comment.
If CheckPodsWithAntiAffinityExist is a common method, it will still be prone to misuse, thus triggering the same bug, without resolving any issues, it just glosses over the problem
|
@fanhaouu apologies for pushing the other commit. I mis-clicked. |
haha, let me resubmit it. |
fanhaouu
force-pushed
the
fix-check-pod-anti-affinity
branch
from
12ac004
to
c80556f
Compare
k8s-ci-robot
added
size/L
|
/retest |
|
I made adjustments, to no longer pursue reuse CheckPodsWithAntiAffinityExist method, but realized podMatchesInterPodAntiAffinity method alone, at the same time by adjusting part of the method of parameter names and internal logic. @ingvagabund @nikimanoledaki |
|
Very nice!!! @fanhaouu thank you for your patience and improvements. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ingvagabund The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
There was a problem hiding this comment.
LGTM too! Thank you @fanhaouu for implementing this change and @ingvagabund for your suggestions and review! 🚀
|
/lgtm |
k8s-ci-robot
added
the
lgtm
…#1412-#1413-#1416-#1395-upstream-release-1.30 Automated cherry pick of #1378: Fix the replicas type for the helm-chart #1390: allow 'falsey' value in cmdOption #1412: fix helm's default deschedulerPolicy #1413: fix TOC location in Readme #1416: use cmd context instead of using context.Background() #1395: fix the issue that the pod anti-filtering rules are not
Currently, the "podMatchesInterPodAntiAffinity" method has an issue. It is unable to check if the pod matches the anti-affinity rule of another pod that is already on the given node.
The root cause is that the "CheckPodsWithAntiAffinityExist" method in "predicate.go" can only check if pods with AntiAffinity issues exist on the same node
This pr can resolve that.