Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upAdd ExtendedResourceToleration admission controller. #55839
Conversation
This comment has been minimized.
This comment has been minimized.
k8s-ci-robot
assigned
bsalamat,
davidopp,
jiayingz and
vishh
Nov 16, 2017
This comment has been minimized.
This comment has been minimized.
|
/assign @derekwaynecarr @liggitt |
k8s-ci-robot
assigned
derekwaynecarr and
liggitt
Nov 16, 2017
This comment has been minimized.
This comment has been minimized.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
label
Nov 16, 2017
mindprince
force-pushed the
mindprince:extended-resource-toleration
branch
from
138e76c
to
6471801
Nov 17, 2017
k8s-merge-robot
removed
the
lgtm
label
Nov 17, 2017
This comment has been minimized.
This comment has been minimized.
jberkus
commented
Nov 17, 2017
|
Hey, release team reminder. If this PR is approved, please remember to add the 1.9 milestone and approve it for that milestone by Monday, Nov. 20th to make the Code Slush cutoff. Thanks! |
| } | ||
| for _, toleration := range pod.Spec.Tolerations { | ||
| if len(toleration.Key) == 0 && len(toleration.Value) == 0 && |
This comment has been minimized.
This comment has been minimized.
vishh
Nov 17, 2017
Member
nit: Can this be a function that is something like func podHasWildcardToleration(*api.pod) bool?
This comment has been minimized.
This comment has been minimized.
davidopp
Nov 18, 2017
Member
I suspect people don't use wildcard toleration much, and also it might be easier from an understandability perspective (both of the code and someone looking at the pod) if you always add the toleration. So I would suggest to just remove this special case where the wildcard toleration already exists.
This comment has been minimized.
This comment has been minimized.
vishh
added this to the v1.9 milestone
Nov 17, 2017
vishh
added
the
priority/important-soon
label
Nov 17, 2017
k8s-merge-robot
added
the
milestone/needs-approval
label
Nov 17, 2017
This comment has been minimized.
This comment has been minimized.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
label
Nov 17, 2017
davidopp
added
status/approved-for-milestone
and removed
milestone/needs-approval
labels
Nov 18, 2017
This comment has been minimized.
This comment has been minimized.
|
[MILESTONENOTIFIER] Milestone Pull Request Current @bsalamat @davidopp @derekwaynecarr @jiayingz @liggitt @mindprince @vishh Pull Request Labels
|
mindprince
force-pushed the
mindprince:extended-resource-toleration
branch
from
6471801
to
0b9f41f
Nov 19, 2017
k8s-merge-robot
removed
the
lgtm
label
Nov 19, 2017
mindprince
force-pushed the
mindprince:extended-resource-toleration
branch
from
0b9f41f
to
3c4c85f
Nov 19, 2017
This comment has been minimized.
This comment has been minimized.
|
/retest |
This comment has been minimized.
This comment has been minimized.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
label
Nov 19, 2017
This comment has been minimized.
This comment has been minimized.
|
/assign @liggitt |
| // Admit updates the toleration of a pod based on the resources requested by it. | ||
| // If an extended resource of name "example.com/device" is requested, it adds | ||
| // a toleration with key "example.com/device", operator "Exists" and effect "NoSchedule". |
This comment has been minimized.
This comment has been minimized.
caesarxuchao
Nov 20, 2017
Member
The result is that such pods can be scheduled to nodes with the "example.com/device" taint, right? Consider adding that in the comment and please also add this plugin to the doc.
This comment has been minimized.
This comment has been minimized.
mindprince
Nov 20, 2017
Member
Yes. I will send another PR with the comment fix. And another one to update the public documentation.
This comment has been minimized.
This comment has been minimized.
liggitt
Nov 20, 2017
Member
are arbitrary resources allowed? does this give pod authors a way to cause arbitrary taints to be added? I expected a specific prefix/namespace to ensure resource-specific taints were tolerated, not arbitrary taints
This comment has been minimized.
This comment has been minimized.
mindprince
Nov 20, 2017
Member
It only adds tolerations for the resource you requested and that resource cannot be in kubernetes.io namespace.
Now you can request an arbitrary string as the resource (and then this will add that arbitrary string as the toleration) but then your pod will not get scheduled because that arbitrary string doesn't exist as a resource. And if the arbitrary string exists as a resource, we do want this admission controller to add that as a toleration.
This comment has been minimized.
This comment has been minimized.
liggitt
Nov 20, 2017
Member
Now you can request an arbitrary string as the resource (and then this will add that arbitrary string as the toleration) but then your pod will not get scheduled because that arbitrary string doesn't exist as a resource.
Thinking through this some more:
- by default, users can already add arbitrary tolerations to their pod specs
- any cluster using taints/tolerations as a security measure to keep user pods off specific nodes already has to use something like PodTolerationRestriction to whitelist the tolerations a pod is allowed to have
- that whitelist would give control over allowing custom-resource tolerations while disallowing arbitrary security-related tolerations
So I think this still works as is
This comment has been minimized.
This comment has been minimized.
|
/approve no-issue |
k8s-merge-robot
added
the
approved
label
Nov 20, 2017
This comment has been minimized.
This comment has been minimized.
|
Release note is user facing. Please add a brief description of what the plugin does and who needs it. |
This comment has been minimized.
This comment has been minimized.
|
Updated the release note with more details. When the final release notes doc will get generated, I would link this release note to the documentation in kubernetes.io |
| resources := sets.String{} | ||
| for _, container := range pod.Spec.Containers { | ||
| for resourceName := range container.Resources.Requests { | ||
| if helper.IsExtendedResourceName(resourceName) { |
This comment has been minimized.
This comment has been minimized.
caesarxuchao
Nov 20, 2017
Member
@mindprince, regarding @liggitt's question, this line ensures that the resourceName (and the toleration key) has a "kubernetes.io/" or a "pod.alpha.kubernetes.io/opaque-int-resource-" prefix. The "pod.alpha.kubernetes.io/opaque-int-resource-" prefix seems strong enough. But the "kubernetes.io/" seems very generic, will it collide with other taint key name?
This comment has been minimized.
This comment has been minimized.
mindprince
Nov 20, 2017
Member
It ensures the opposite. It ensures that the resource name doesn't have kubernetes.io as the prefix.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
/hold for @liggitt's question |
This comment has been minimized.
This comment has been minimized.
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
label
Nov 20, 2017
This comment has been minimized.
This comment has been minimized.
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
label
Nov 20, 2017
This comment has been minimized.
This comment has been minimized.
|
/lgtm |
This comment has been minimized.
This comment has been minimized.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bsalamat, caesarxuchao, davidopp, jiayingz, mindprince, vishh Associated issue: 55080 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
This comment has been minimized.
This comment has been minimized.
|
/test all [submit-queue is verifying that this PR is safe to merge] |
This comment has been minimized.
This comment has been minimized.
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
k8s-merge-robot
merged commit b3f7ad7
into
kubernetes:master
Nov 20, 2017
12 of 13 checks passed
mindprince
referenced this pull request
Nov 21, 2017
Closed
Built in support for dedicated nodes with extended compute resources (auto toleration) #55080
mindprince
referenced this pull request
Nov 30, 2017
Merged
Add wildcard tolerations to kube-proxy #56589
dixudx
referenced this pull request
Dec 8, 2017
Merged
add ExtendedResourceToleration admission controller #6618
This comment has been minimized.
This comment has been minimized.
|
Update this admission controller in doc kubernetes/website#6618. |
mindprince commentedNov 16, 2017
•
edited
/kind feature
/sig scheduling
/area hw-accelerators
There's elaborate discussion on this in #55080. In short, we would like to enable cluster operators and/or cloud providers to create dedicated nodes with extended resources (like GPUs, FPGAs etc.) that are reserved for pods requesting such resources. Taints is the kubernetes concept to create dedicated nodes. If the cluster operator or cloud provider wants to create dedicated node pools, they are expected to taint the nodes containing extended resources with the key equal to the name of the resource and effect equal to NoSchedule. If they do that, only pods that have a toleration for such a taint can be scheduled there. To make it easy for the user, this admission controller when enabled, automatically adds a toleration with key
example.com/device, operatorExistsand effectNoScheduleif an extended resource of nameexample.com/deviceis requested.Release note: