New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ExtendedResourceToleration admission controller. #55839

Merged
merged 1 commit into from Nov 20, 2017

Conversation

@mindprince
Member

mindprince commented Nov 16, 2017

/kind feature
/sig scheduling
/area hw-accelerators

There's elaborate discussion on this in #55080. In short, we would like to enable cluster operators and/or cloud providers to create dedicated nodes with extended resources (like GPUs, FPGAs etc.) that are reserved for pods requesting such resources. Taints is the kubernetes concept to create dedicated nodes. If the cluster operator or cloud provider wants to create dedicated node pools, they are expected to taint the nodes containing extended resources with the key equal to the name of the resource and effect equal to NoSchedule. If they do that, only pods that have a toleration for such a taint can be scheduled there. To make it easy for the user, this admission controller when enabled, automatically adds a toleration with key example.com/device, operator Exists and effect NoSchedule if an extended resource of name example.com/device is requested.

Release note:

Add ExtendedResourceToleration admission controller. This facilitates creation of dedicated nodes with extended resources. If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to taint the node with extended resource name as the key. This admission controller, if enabled, automatically adds tolerations for such taints to pods requesting extended resources, so users don't have to manually add these tolerations. 
@mindprince

This comment has been minimized.

Member

mindprince commented Nov 16, 2017

@mindprince

This comment has been minimized.

Member

mindprince commented Nov 16, 2017

@jiayingz

This comment has been minimized.

Member

jiayingz commented Nov 16, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Nov 16, 2017

@mindprince mindprince force-pushed the mindprince:extended-resource-toleration branch from 138e76c to 6471801 Nov 17, 2017

@k8s-merge-robot k8s-merge-robot removed the lgtm label Nov 17, 2017

@jberkus

This comment has been minimized.

jberkus commented Nov 17, 2017

Hey, release team reminder. If this PR is approved, please remember to add the 1.9 milestone and approve it for that milestone by Monday, Nov. 20th to make the Code Slush cutoff. Thanks!

}
for _, toleration := range pod.Spec.Tolerations {
if len(toleration.Key) == 0 && len(toleration.Value) == 0 &&

This comment has been minimized.

@vishh

vishh Nov 17, 2017

Member

nit: Can this be a function that is something like func podHasWildcardToleration(*api.pod) bool?

This comment has been minimized.

@davidopp

davidopp Nov 18, 2017

Member

I suspect people don't use wildcard toleration much, and also it might be easier from an understandability perspective (both of the code and someone looking at the pod) if you always add the toleration. So I would suggest to just remove this special case where the wildcard toleration already exists.

This comment has been minimized.

@mindprince
@vishh

This comment has been minimized.

Member

vishh commented Nov 17, 2017

/lgtm

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented Nov 18, 2017

[MILESTONENOTIFIER] Milestone Pull Request Current

@bsalamat @davidopp @derekwaynecarr @jiayingz @liggitt @mindprince @vishh

Pull Request Labels
  • sig/scheduling: Pull Request will be escalated to these SIGs if needed.
  • priority/important-soon: Escalate to the pull request owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
  • kind/feature: New functionality.
Help

@mindprince mindprince force-pushed the mindprince:extended-resource-toleration branch from 6471801 to 0b9f41f Nov 19, 2017

@k8s-merge-robot k8s-merge-robot removed the lgtm label Nov 19, 2017

@mindprince mindprince force-pushed the mindprince:extended-resource-toleration branch from 0b9f41f to 3c4c85f Nov 19, 2017

@mindprince

This comment has been minimized.

Member

mindprince commented Nov 19, 2017

/retest

@davidopp

This comment has been minimized.

Member

davidopp commented Nov 19, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Nov 19, 2017

@dims

This comment has been minimized.

Member

dims commented Nov 19, 2017

/assign @liggitt

@caesarxuchao

A nit. Fix in follow-up PR is fine.

// Admit updates the toleration of a pod based on the resources requested by it.
// If an extended resource of name "example.com/device" is requested, it adds
// a toleration with key "example.com/device", operator "Exists" and effect "NoSchedule".

This comment has been minimized.

@caesarxuchao

caesarxuchao Nov 20, 2017

Member

The result is that such pods can be scheduled to nodes with the "example.com/device" taint, right? Consider adding that in the comment and please also add this plugin to the doc.

This comment has been minimized.

@mindprince

mindprince Nov 20, 2017

Member

Yes. I will send another PR with the comment fix. And another one to update the public documentation.

This comment has been minimized.

@liggitt

liggitt Nov 20, 2017

Member

are arbitrary resources allowed? does this give pod authors a way to cause arbitrary taints to be added? I expected a specific prefix/namespace to ensure resource-specific taints were tolerated, not arbitrary taints

This comment has been minimized.

@mindprince

mindprince Nov 20, 2017

Member

It only adds tolerations for the resource you requested and that resource cannot be in kubernetes.io namespace.

Now you can request an arbitrary string as the resource (and then this will add that arbitrary string as the toleration) but then your pod will not get scheduled because that arbitrary string doesn't exist as a resource. And if the arbitrary string exists as a resource, we do want this admission controller to add that as a toleration.

This comment has been minimized.

@liggitt

liggitt Nov 20, 2017

Member

Now you can request an arbitrary string as the resource (and then this will add that arbitrary string as the toleration) but then your pod will not get scheduled because that arbitrary string doesn't exist as a resource.

Thinking through this some more:

  1. by default, users can already add arbitrary tolerations to their pod specs
  2. any cluster using taints/tolerations as a security measure to keep user pods off specific nodes already has to use something like PodTolerationRestriction to whitelist the tolerations a pod is allowed to have
  3. that whitelist would give control over allowing custom-resource tolerations while disallowing arbitrary security-related tolerations

So I think this still works as is

@caesarxuchao

This comment has been minimized.

Member

caesarxuchao commented Nov 20, 2017

/approve no-issue

@caesarxuchao

This comment has been minimized.

Member

caesarxuchao commented Nov 20, 2017

Release note is user facing. Please add a brief description of what the plugin does and who needs it.

@mindprince

This comment has been minimized.

Member

mindprince commented Nov 20, 2017

Updated the release note with more details. When the final release notes doc will get generated, I would link this release note to the documentation in kubernetes.io

resources := sets.String{}
for _, container := range pod.Spec.Containers {
for resourceName := range container.Resources.Requests {
if helper.IsExtendedResourceName(resourceName) {

This comment has been minimized.

@caesarxuchao

caesarxuchao Nov 20, 2017

Member

@mindprince, regarding @liggitt's question, this line ensures that the resourceName (and the toleration key) has a "kubernetes.io/" or a "pod.alpha.kubernetes.io/opaque-int-resource-" prefix. The "pod.alpha.kubernetes.io/opaque-int-resource-" prefix seems strong enough. But the "kubernetes.io/" seems very generic, will it collide with other taint key name?

This comment has been minimized.

@mindprince

mindprince Nov 20, 2017

Member

It ensures the opposite. It ensures that the resource name doesn't have kubernetes.io as the prefix.

This comment has been minimized.

@caesarxuchao

caesarxuchao Nov 20, 2017

Member

Right. I missed the !.

@caesarxuchao

This comment has been minimized.

Member

caesarxuchao commented Nov 20, 2017

/hold for @liggitt's question

@caesarxuchao

This comment has been minimized.

Member

caesarxuchao commented Nov 20, 2017

/hold

@liggitt

This comment has been minimized.

Member

liggitt commented Nov 20, 2017

/hold cancel

@bsalamat

This comment has been minimized.

Contributor

bsalamat commented Nov 20, 2017

/lgtm

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented Nov 20, 2017

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bsalamat, caesarxuchao, davidopp, jiayingz, mindprince, vishh

Associated issue: 55080

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented Nov 20, 2017

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented Nov 20, 2017

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-merge-robot k8s-merge-robot merged commit b3f7ad7 into kubernetes:master Nov 20, 2017

12 of 13 checks passed

Submit Queue Required Github CI test is not green: pull-kubernetes-e2e-kops-aws
Details
cla/linuxfoundation mindprince authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-gke-gci Skipped
pull-kubernetes-e2e-kops-aws Jenkins job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce Jenkins job succeeded.
Details
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-unit Jenkins job succeeded.
Details
pull-kubernetes-verify Jenkins job succeeded.
Details
@dixudx

This comment has been minimized.

Member

dixudx commented Dec 8, 2017

Update this admission controller in doc kubernetes/website#6618.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment