Sysched: add the implementation of SySched

[salmanyam]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Implementation of SySched, a system call-aware scheduler. The KEP of this PR is KEP #399.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Thank you very much for reviewing this PR.
Please let us know if there are questions or comments.
Your comments and feedback are appreciated.

Does this PR introduce a user-facing change?

Introduce new Scoring plugin called SySched that will rank feasible nodes based on the relative risks of pods' system call usage.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: salmanyam / name: Salman Ahmed (1295000, 4b6ea59, 588b8ec, 41473cb)

[k8s-ci-robot]

Hi @salmanyam. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[salmanyam]

@Huang-Wei This is the implementation of KEP #399, a system call-aware scheduler plugin called SySched. Could you please take a look to see if there are any concerns or comments? Thank you!

[Huang-Wei]

Thanks for the PR. I'm a bit swamped recently. So if any reviewers have free cycles, please assign to yourself.

/help

[PiotrProkop]

My first pass on this PR. Didn't dive deep into the logic.

[PiotrProkop]

remove

[PiotrProkop]

remove

[PiotrProkop]

remove

[PiotrProkop]

remove

[PiotrProkop]

remove

[PiotrProkop]

I think this function will always return same score. tot_crit is always 0

[salmanyam]

Currently, our plugin does not support syscall weights. We are working on it and update the weighting in our next version. We leave that portion of code intentionally. Also, we have put a note there regarding it.

[Huang-Wei]

please add a comment explaining that weight is hard-coded for now.

[PiotrProkop]

always check errors

[PiotrProkop]

always check errors

[PiotrProkop]

always check errors

[PiotrProkop]

always check errors

[Huang-Wei]

/ok-to-test

[salmanyam]

Thank you very much, @PiotrProkop! We have addressed all the comments. Please let us know if you have more comments or concerns.

[salmanyam]

Hi @Huang-Wei, we have rebased our code as the bot triggered need-rebase. Please let us know if there's anything needed from our end. Thanks!

[Huang-Wei]

You should be able to get cached NodeInfo from scheduler framework, which is the source of truth to do scheduling. (if reading from API server, the "cached" info would not be there)

nodeInfo, err := sc.handle.SnapshotSharedLister().NodeInfos().Get(nodeName)

[mvle]

We noticed the cached state is not always up-to-date, especially when there are activities on other schedulers in the system or when our scheduler comes up after a bunch of pods and nodes have already appeared, hence, we opted not to use the SnapshotSharedLister.

We tried inserting some comments in the code to explain our rationale. Please let us know if this makes sense.

[Huang-Wei]

Why using a node IP instead of node.Name as the canonical identifier to refer to a Node?

[Huang-Wei]

the frameworkHandle already holds this: sc.handle.SnapshotSharedLister().

[mvle]

As explained above, we keep a local map of HostToPods in our plugin rather than rely on the cached state to reliably keep track of all pods on the cluster, regardless of which scheduler it used.

[Huang-Wei]

could you add a comment explaining what's keyed, and what's valued?

Commented in another thread, in Golang we don't use map[string]bool to represent a set; instead, we use map[string]struct{}. And you even don't need to implement you self - reuse Set as well as its Untion/Intersect functions.

[Huang-Wei]

Also comment it.

[Huang-Wei]

You should be disabling it. Otherwise score of other plugins may impact the eventual result.

[Huang-Wei]

De-duple the code by using a for loop.

[Huang-Wei]

could you make the test more table-driven? you can refer to other unit tests like pkg/capacityscheduling/capacityscheduling_test.go

[Huang-Wei]

remove useless comments please (applies elsewhere).

[Huang-Wei]

Please sort the imports by groups: (applies elsewhere)

• native imports (followed an empty line)
• upstream imports (followed by an empty line)
• imports in this repo

[mvle]

Thanks @Huang-Wei for taking the time to review our patch. We should be able to address all of your concerns in the next PR.

[netlify]

✅ Deploy Preview for kubernetes-sigs-scheduler-plugins canceled.

Name	Link
🔨 Latest commit	4b6ea59
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-scheduler-plugins/deploys/65e78e81366eb800087eefb3

[mvle]

@Huang-Wei Thanks for all your comments so far. We've updated the code to cover most of the comments, with some exceptions as explained in the comments above. Main items we have not changed:

1. SnapshotSharedLister for getting nodeInfo and HostToPods (opted not to use for reasons stated above).
2. custom clientset (WIP. Might need a PR to update SPO's code).

Please let us know your thoughts on the changes.

[mvle]

@Huang-Wei Hi! Wondering if you'll have a chance to take a look at this PR in the coming days? Looking forward to see if we can get this closer to being merged.

[Huang-Wei]

@mvle could you rebase to resolve the CI failure? I will take a look afterwards.

[mvle]

@Huang-Wei we've rebased. when you get a chance, please provide feedback.

[Huang-Wei]

Could you eliminate the in-house clientset? We already have mature semantics to interact with any kind of CR objects.

Also, given this PR introduced a CRD, could you also update hack/verify-crdgen.sh to include the source types.go of security-profiles-operator.x-k8s.io_seccompprofiles.yaml?

scheduler-plugins/hack/verify-crdgen.sh

Lines 32 to 33 in c752c54

	# Generate CRD
	api_paths="./apis/scheduling/v1alpha1/...;./vendor/github.com/k8stopologyawareschedwg/noderesourcetopology-api/pkg/apis/...;./vendor/github.com/diktyo-io/appgroup-api/pkg/apis/...;./vendor/github.com/diktyo-io/networktopology-api/pkg/apis/..."

[Huang-Wei]

could you follow other crds to make it symbolic linked from ../seccompprofile/crd.yaml?:

pr/568 ⇒  ll manifests/crds
total 12K
lrwxr-xr-x 1 weih   20 Apr 14  2023 appgroup.diktyo.x-k8s.io_appgroups.yaml -> ../appgroup/crd.yaml
lrwxr-xr-x 1 weih   27 Apr 14  2023 networktopology.diktyo.x-k8s.io_networktopologies.yaml -> ../networktopology/crd.yaml
lrwxr-xr-x 1 weih   30 Apr 14  2023 scheduling.x-k8s.io_elasticquotas.yaml -> ../capacityscheduling/crd.yaml
lrwxr-xr-x 1 weih   24 Apr 14  2023 scheduling.x-k8s.io_podgroups.yaml -> ../coscheduling/crd.yaml
-rw-r--r-- 1 weih 9.6K Jan 27 09:51 seccompprofiles.security-profiles-operator.x-k8s.io_sysched.yaml
lrwxr-xr-x 1 weih   32 May 25  2022 topology.node.k8s.io_noderesourcetopologies.yaml -> ../noderesourcetopology/crd.yaml

[Huang-Wei]

2024

[Huang-Wei]

the comment was given on tot_crit := 0, not the function name.

[Huang-Wei]

We don't need this as this should have been abstracted via generic (dynamic) clientset. You can just use the generic clientset in pkg/sysched/sysched.go w/o composing pkg/sysched/clientset at all.

Example:

scheduler-plugins/pkg/coscheduling/coscheduling.go

Lines 69 to 73 in c752c54

	scheme := runtime.NewScheme()
	_ = clientscheme.AddToScheme(scheme)
	_ = v1.AddToScheme(scheme)
	_ = v1alpha1.AddToScheme(scheme)
	client, err := client.New(handle.KubeConfig(), client.Options{Scheme: scheme})

[Huang-Wei]

ditto. We don't directly manipulate the client in this manner.

[Huang-Wei]

Could you comment it out? for newly introduced plugin, we don't enable it until it's tested enough.

[Huang-Wei]

Ditto. Comment them out.

[Huang-Wei]

Ditto. Don't enable it by default.

[salmanyam]

Hi @Huang-Wei, we have addressed all the comments and removed the in-house clientset. Please take a look and let us know your feedback. Thanks!

[salmanyam]

Hi @Huang-Wei, when you get a chance, please provide us feedback.

[Huang-Wei]

Thanks for the work. It's very close to merge, just a new nits.

BTW: could you squash the commits into 3:

1. API files (apis/) - manually added by you
2. API codegen files (apis/../zz_*.go)
3. Other logic files - i.e., all files exclude 1,2 and 4
4. vendor/, go.mod, go.sum

[Huang-Wei]

Comment these out.

[Huang-Wei]

Comment these out (to be consistent with default values.yaml in Helm)

[Huang-Wei]

Comment these out (to be consistent with default values.yaml in Helm)

[Huang-Wei]

Let's remove this line.

[Huang-Wei]

Ditto. Remove this line.

[Huang-Wei]

Ditto. Let's remove this line.

[Huang-Wei]

Could you change it to totCrit? to be Go-idiomatic.

[Huang-Wei]

Remove this line please.

[salmanyam]

Hi @Huang-Wei, we made the changes accordingly. Please take a look when you a chance. Thanks a lot!

[Huang-Wei]

@salmanyam thanks!

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Huang-Wei, salmanyam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Huang-Wei]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[salmanyam]

Thanks a lot, @Huang-Wei! We greatly appreciate your time and effort on this PR.