[KEP-2400]: Restrict access to swap for containers in high priority Pods

[iholder101]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Exclude critical pods from gaining swap access.

I believe this is valuable for two main reasons:

1. Critical pods are assumed to not tolerate performance derogations which could be impacted swap access.
2. This provides another way of opting-out burstable pods from swap access.

p.s. currently, it is possible to opt-out of swap for burstable pods by setting requests.memory == limits.memory. However, this approach forces the workload owner to set limits which is unacceptable for certain workloads. With this, an administrator can choose to classify such burstable pods as critical to opt-out of swap.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Changed Linux swap handling to restrict access to swap for containers in high priority Pods.
New Pods that have a node- or cluster-critical priority are prohibited from accessing swap on Linux,
even if your cluster and node configuration could otherwise allow this.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2400-node-swap

[iholder101]

/sig node
/cc @haircommander @fabiand @mrunalp @SergeyKanzhelev

[k8s-ci-robot]

@iholder101: GitHub didn't allow me to request PR reviews from the following users: fabiand.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/sig node
/cc @haircommander @fabiand @mrunalp @SergeyKanzhelev

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[iholder101]

@haircommander do we need a backing issue for this PR?

[sftim]

Changelog suggestion

-Exclude critical pods from having swap access
+Changed Linux swap handling to restrict access to swap for containers in high priority Pods.
+New Pods that have a node- or cluster-critical priority are prohibited from accessing swap on Linux,
+even if your cluster and node configuration could otherwise allow this.

[iholder101]

Changelog suggestion

-Exclude critical pods from having swap access
+Changed Linux swap handling to restrict access to swap for containers in high priority Pods.
+New Pods that have a node- or cluster-critical priority are prohibited from accessing swap on Linux,
+even if your cluster and node configuration could otherwise allow this.

Thanks, done!

[iholder101]

/retest

[haircommander]

@haircommander do we need a backing issue for this PR?

I think we can discuss pros and cons here

[yujuhong]

@haircommander do we need a backing issue for this PR?

I think we can discuss pros and cons here

I think the use case is reasonable. Many critical components don't have the memory limit set today.
That said, I wonder if we make too many indirect/internal decisions for swap instead of allowing it to surface on the API for the users to configure.

[aojea]

Is this in line with the KEP https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2400-node-swap#set-aside-swap-for-system-critical-daemons

Set Aside Swap for System Critical Daemons
Note In Beta2, we found that having system critical daemons swapping memory could cause degration of services.

System critical daemons (such as Kubelet) are essential for node health. Usually, an appropriate portion of system resources (e.g., memory, CPU) is reserved as system reserved. However, swap doesn't inherently support reserving a portion out of the total available. For instance, in the case of memory, we set memory.min on the node-level cgroup to ensure an adequate amount of memory is set aside, away from the pods, and for system critical daemons. But there is no equivalent for swap; i.e., no memory.swap.min is supported in the kernel.

Since this proposal advocates enabling swap only for the Burstable QoS pods, this can be done by setting memory.swap.max on the cgroups used by the Burstable QoS pods. The value of this memory.swap.max can be calculated by:

memory.swap.max = total swap memory available on the system - system reserve (memory)

This is the total amount of swap available for all the Burstable QoS pods; let's call it TotalPodsSwapAvailable. This will ensure that the system critical daemons will have access to the swap at least equal to the system reserved memory. This will indirectly act as having support for swap in system reserved.

[bart0sh]

/triage accepted

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[pacoxu]

/hold
for ci failure

[pacoxu]

Suggested change

	assert.Equal(t, true, types.IsCriticalPod(pod), "pod is expected to be critical")
	assert.True(t, types.IsCriticalPod(pod), "pod is expected to be critical")

[kannon92]

/lgtm cancel

[kannon92]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Details

Git tree hash: 8bd81f644c8d8f2768129031f7e36f1877bf2dc4

[kannon92]

/hold cancel

[iholder101]

Thank you @pacoxu and @kannon92 for the notice!
Sorry for not noticing this myself, I'm out of work for an extended period.