Add validation for kube-scheduler configuration options

[noqcks]

What this PR does / why we need it: This adds validation to the kube-scheduler so that we're not accepting bogus values to the kube-scheduler. As requested by @bsalamat in issue #66743

Which issue(s) this PR fixes:
Fixes #66743

Special notes for your reviewer:

• Not sure if this validation is too heavy handed. Would love some feedback.
• I started working on this before I realized @islinwb was also working on this same problem... [WIP]validate KubeSchedulerConfiguration and kube-scheduler flags #66787 I put this PR up anyways since I'm sure good code exists in both. I wasn't aware of the /assign command so didn't assign myself before starting work.
• I didn't have time to work on adding validation to deprecated cli options. If the rest of this looks ok, I can finish that up.
• I hope the location of IsValidSocketAddr is correct. Lmk if it isn't.

Release note:

Adding validation to kube-scheduler at the API level

[noqcks]

/assign @bsalamat

[bsalamat]

Thanks, @noqcks!
Some early comments.

[bsalamat]

We should support IPv6 as well. So, you may want to augment your example.

[bsalamat]

Please add IPv6 examples as well.

[noqcks]

Added.

[bsalamat]

Could you also add a test that the old style (deprecated) options still work?

[noqcks]

I added some validations for deprecated options @bsalamat, but for some reason the function ListAlgorithmProviders was not returning the proper values I would expect "ClusterAutoscalerProvider | DefaultProvider" and was instead returning an empty string 🤔 .

I'm not sure exactly how I could get this to work. I was planning on using factory.ListAlgorithmProviders() in the Validate function. If you have any idea of a way I could get the list of valid algorithm providers I would love to understand. Thanks.

[bsalamat]

The use of different algorithm providers are not very important in my opinion. Actually, I think it is not used anymore (I am not sure though).

[neolit123]

2018

[neolit123]

the empty lines bellow {s can be removed here in ValidateKubeSchedulerConfiguration().

[neolit123]

please, remove this empty line.

[neolit123]

must be -> must be a

[neolit123]

need to set atleast one of File or ConfigMap
->
needs to set either File or ConfigMap
?

[neolit123]

a positive

[neolit123]

a positive

[neolit123]

2018

[neolit123]

@noqcks thanks for the PR.
please make sure you run ./hack/update-bazel.sh and include any file changes in this PR.

[dims]

/ok-to-test

[neolit123]

@noqcks
hi, the bazel test is complaining about:

I0731 23:35:06.761] /bazel-scratch/.cache/bazel/_bazel_root/e9f728bbd90b3fba632eb31b20e1dacd/sandbox/linux-sandbox/4523/execroot/main/cmd/kube-scheduler/app/options/options.go:188:15: cannot use validation.ValidateKubeSchedulerConfiguration(&o.ComponentConfig) (type field.ErrorList) as type []error in append

edit: have a look at the failing tests logs by clicking their link links.

[neolit123]

@noqcks

the verify test indicates some small problems:
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/66799/pull-kubernetes-verify/100514/:

pkg/apis/componentconfig/validation/validation.go:25:1: exported function ValidateKubeSchedulerConfiguration should have comment or be unexported
pkg/apis/componentconfig/validation/validation.go:48:1: exported function ValidateClientConnectionConfiguration should have comment or be unexported
pkg/apis/componentconfig/validation/validation.go:59:1: exported function 
....

[neolit123]

@noqcks the e2e tests flake from time to time.

[noqcks]

@neolit123 not sure how I can debug these failed e2e tests 🤔I can't find anything in the logs that shows an error on my side. lmk if you have any ideas.

[neolit123]

@noqcks

possibly flakes, still.
hint: call /test on the red [x] tests only.

/test pull-kubernetes-e2e-gce
/test pull-kubernetes-e2e-gce-device-plugin-gpu
/test pull-kubernetes-kubemark-e2e-gce-big

[neolit123]

@noqcks
just babysit the tests with the /test xxxxxx command until they become green.

[noqcks]

I may try again a little later tonight. I checked a couple other PRs and they also seem to be failing e2e tests in the same manner.

Thank you for the help

[cblecker]

/retest

[neolit123]

could be refactored as:

allErrs := field.ErrorList{}
if cc == nil {
	return append(allErrs, field.Invalid(fldPath.Child("policy"), nil, "need to set Policy"))
}
if cc.File == nil && cc.ConfigMap == nil {
	return append(allErrs, field.Invalid(fldPath.Child("file"), nil, "need to set either File or ConfigMap"))
}
return allErrs

to avoid indenting the } else part.

[noqcks]

@neolit123 pull-kubernetes-kubemark-e2e-gce-big seems to be running an older commit 🤔 Is there a way I can make it run on 31e73be

[bsalamat]

optional: s/isExpectedFailure/expectedToFail/

[bsalamat]

The use of different algorithm providers are not very important in my opinion. Actually, I think it is not used anymore (I am not sure though).

[bsalamat]

Scheduler policy is not mandatory. If no policy is provided, the scheduler uses its own default config.

[bsalamat]

I don't think KubeConfigFile is mandatory either.

[bsalamat]

We should validate leader election config only when leader election is enabled.

[bsalamat]

I am not sure if 0 is a valid Duration. If it is not, the error message at the next line should be changed.

[noqcks]

I think no as well: https://github.com/kubernetes/kubernetes/pull/64218/files

will change

[bsalamat]

similar to the previous comment.

[bsalamat]

Actually, the error condition should remain as cc.LeaseDuration.Duration <= 0 here and below.

[noqcks]

ready for another review on this I believe @bsalamat

[bsalamat]

Thanks, @noqcks! Mostly minor comments.

[bsalamat]

0 and 100 are valid. So, you should replace <= and >= with < and >.

[bsalamat]

the error message states that the value "must be non-negative". Non-negative includes zero, but zero causes an error. So, the error message should be changed to "must be positive" or "must be larger than zero". The same problem exists in the following checks as well.

[bsalamat]

When cc.LeaderElect is false, we should skip these two checks too.

[bsalamat]

LeaseDuration and RenewDeadline can be equal and that's not an error. Please replace <= by <.

[bsalamat]

Could you please add test cases for renewDeadline and LeaseDuration being zero as well?

[noqcks]

added

[bsalamat]

/lgtm

[wilberusa]

unsubsribe

…

On Wed, Aug 8, 2018 at 9:42 PM k8s-ci-robot ***@***.***> wrote: @noqcks <https://github.com/noqcks>: The following test *failed*, say /retest to rerun them all: Test name Commit Details Rerun command pull-kubernetes-e2e-gce-100-performance 743a77e <743a77e> link <https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/66799/pull-kubernetes-e2e-gce-100-performance/15524/> /test pull-kubernetes-e2e-gce-100-performance Full PR test history <https://k8s-gubernator.appspot.com/pr/66799>. Your PR dashboard <https://k8s-gubernator.appspot.com/pr/noqcks>. Please help us cut down on flakes by linking to <https://git.k8s.io/community/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://git.k8s.io/community/contributors/guide/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://go.k8s.io/bot-commands>. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#66799 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ALS8Mh0N3HngqJT23oWT35LIpEHT2Yhjks5uO72lgaJpZM4VnInb> .

[noqcks]

@luxas ready for review

[luxas]

/lgtm
Thanks!

[luxas]

ping @deads2k @liggitt for the final approval

[liggitt]

where is this range documented or enforced today? It is described in the API type field godoc, but not in the CLI flag help, which is where most users are currently setting it.

• what is the current behavior if a negative number is set via the CLI?
• what is the current behavior if a number over 100 is set via the CLI?

[noqcks]

documented here: https://github.com/kubernetes/kubernetes/blob/master/pkg/scheduler/api/v1/types.go#L42

[liggitt]

please also add that to the flag help. if setting this to a value less than 0 or greater than 100 does not prevent the scheduler from working today, then I wouldn't make this a fatal error.

[noqcks]

added in 3f7830f6826b0ac8b5170f00014d4aaee3fb621f

[liggitt]

if setting this to a value less than 0 or greater than 100 does not prevent the scheduler from working today, then I wouldn't make this a fatal error.

can you comment on this? @bsalamat, do you know what the effect of setting this to a value outside the 0-100 range is?

[bsalamat]

@liggitt Scheduler has a check to ensure that this value is between 1 and 100. This is done at the scheduler creation. So, it was not possible to provide a value out of this range before this PR.

[liggitt]

Ok, great

[liggitt]

Does that mean the allowed range is 1-100 or 0-100? Or is 0 a marker value that means to disable that weight?

[bsalamat]

0 is changed to the default weight in our defaulting logic.

[bsalamat]

I am referring to this piece of code:

kubernetes/pkg/scheduler/apis/config/v1alpha1/defaults.go

Line 43 in 2d7b92e

obj.HardPodAffinitySymmetricWeight = api.DefaultHardPodAffinitySymmetricWeight

[liggitt]

is ResourceLock not required?

[noqcks]

added in a5554d8dc7b46622ed8bb3c9fffe21a0ea247f94

[liggitt]

this is not accurate... a negative number disables QPS rate limiting today

[liggitt]

this is the only validation I see around the client config struct today:

kubernetes/pkg/proxy/apis/config/validation/validation.go

Lines 190 to 194 in 1138727

	func validateClientConnectionConfiguration(config apimachineryconfig.ClientConnectionConfiguration, fldPath *field.Path) field.ErrorList {
	allErrs := field.ErrorList{}
	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(config.Burst), fldPath.Child("Burst"))...)
	return allErrs
	}

that could be useful to promote to a reusable method

[noqcks]

Thanks, I'll fix.

For Burst, is there any range that's not accepted?

[liggitt]

negative numbers are accepted today and disable client-side rate limiting. please add a test ensuring this continues to be accepted.

[noqcks]

added in 125f64b

[noqcks]

@liggitt ready for another review

[liggitt]

One last question on the 0-100 range, might need a doc update depending on what is actually allowed. Lgtm otherwise after a squash

[liggitt]

/approve

will leave lgtm to @bsalamat after squash

[noqcks]

squashed

[bsalamat]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bsalamat, liggitt, luxas, noqcks

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kube-scheduler/OWNERS [bsalamat]
• pkg/scheduler/apis/config/OWNERS [bsalamat,liggitt,luxas]
• staging/src/k8s.io/apimachinery/pkg/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/pkg/apis/config/OWNERS [liggitt,luxas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.