Kubernetes CI Policy: release-blocking jobs must run in dedicated cluster

[spiffxp]

Part of #18551

Why it's necessary:

• we believe declaring Guaranteed Pod QOS jobs may not be defended against Best Effort or Burstable Pods hogging all resources on the same node
• a cluster that only has Guaranteed pods is far more likely to respect resource requirements

What decisions do we need to make:

• For all of the jobs being migrated to k8s-infra-prow-build, we're going to use the same node pool as everything else. To pin to a dedicated node pool will require much more boilerplate (or possibly augmenting prow's preset feature). If after migrating everything we find we do need a dedicated nodepool, then we'll pay the added cost.
• Jobs that can't be migrated quickly will remain in google.com-owned k8s-prow-builds until we can overcome whatever obstacles are keeping them there. This means no community visibility into resource consumption, and test-infra-oncall will have to be relied upon.

Boskos projects to be added:

• Identify quota changes needed for gpu jobs, create pool of gpu projects k8s.io#1095 - gpu-project

Jobs to be migrated

• release-blocking jobs must run in dedicated cluster: ci-kubernetes-build #19483 - ci-kubernetes-build (more involved due to Migrate jobs away from gs://kubernetes-release-dev k8s.io#846; do this after ci-kubernetes-build-fast)
• release-blocking jobs must run in dedicated cluster: ci-kubernetes-build-fast #19484 - ci-kubernetes-build-fast (more involved due to Migrate jobs away from gs://kubernetes-release-dev k8s.io#846)
• Migrate kind release-blocking ga-only job to k8s-infra-prow-build #17674 - ci-kubernetes-conformance-kind-ga-only
• release-blocking jobs must run in dedicated cluster: ci-kubernetes-e2e-gce-device-plugin-gpu #18650 - ci-kubernetes-e2e-gce-device-plugin-gpu
• Move some release-blocking/informing jobs to k8s-infra-prow-builds #17488 - ci-kubernetes-e2e-gce-master-new-gci-kubectl-skew
• Stop publishing latest-green.txt and migrate to k8s-infra-prow-build #17672 - ci-kubernetes-e2e-gci-gce
• Move some release-blocking/informing jobs to k8s-infra-prow-builds #17488 - ci-kubernetes-e2e-gci-gce-alpha-features
• release-blocking jobs must run in dedicated cluster: ci-kubernetes-e2e-gci-gce-ingress #18651 - ci-kubernetes-e2e-gci-gce-ingress
• Move some release-blocking/informing jobs to k8s-infra-prow-builds #17488 - ci-kubernetes-e2e-gci-gce-reboot
• Migrate 100 node scalability release-blocking job to k8s-infra-prow-build #17725 - ci-kubernetes-e2e-gci-gce-scalability
• Migrate ci-kubernetes-e2e-ubuntu-gce jobs to k8s-infra-prow-build #17887 - ci-kubernetes-e2e-ubuntu-gce-containerd
• Move some release-blocking/informing jobs to k8s-infra-prow-builds #17488 - ci-kubernetes-gce-conformance-latest
• Move some release-blocking/informing jobs to k8s-infra-prow-builds #17488 - ci-kubernetes-integration-master
• Move kind release-blocking jobs to k8s-infra-prow-build #17664 - ci-kubernetes-kind-e2e-parallel
• Move kind release-blocking jobs to k8s-infra-prow-build #17664 - ci-kubernetes-kind-ipv6-e2e-parallel
• Move some release-blocking/informing jobs to k8s-infra-prow-builds #17488 - ci-kubernetes-node-kubelet
• Move some release-blocking/informing jobs to k8s-infra-prow-builds #17488 - ci-kubernetes-verify-master
• Deprecate google-hosted kubernetes-build jobs #20964 - periodic-kubernetes-bazel-build-master (was moved to release-infoming)
• release-blocking jobs must run in dedicated cluster: periodic-kubernetes-bazel-test #18652 - periodic-kubernetes-bazel-test-master

TODO:

• Add test to enforce critical jobs run on k8s-infra-prow-build #18576 - write a test that enforces this policy, but logs instead of errors
• determine which jobs may not be able to be migrated quickly, decide if / how to mitigate
• migrate all jobs that can be migrated quickly
• migrate jobs blocked on Migrate jobs away from gs://kubernetes-release-dev k8s.io#846
• migrate jobs that need to be migrated away from RBE
• jobs: enforce kubernetes CI policy for blocking jobs #20989 - make policy enforcement test blocking (fails instead of logs)
• declare we are finished (or done enough to move on)

[BenTheElder]

NodePool is probably fine, though it has the downside that you have to explicitly set a matching node selector and taint toleration in every prowjob podspec if you want to actually make it dedicated. there's no abstraction for this, and they're a little verbose.

we've done this before when experimenting with ubuntu nodes for kind IPv6 before we'd standardized on that.

[spiffxp]

/sig testing
/sig release
/wg k8s-infra
/area release-eng
/area jobs

[spiffxp]

Current status (not counting issues that are held open to monitor jobs)

spiffxp@spiffxp-macbookpro:test-infra (master %)$ go test -v -count=1 ./config/tests/jobs
# ...
=== RUN   TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: ci-kubernetes-build: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: ci-kubernetes-build-1-19: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: ci-kubernetes-build-fast: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: ci-kubernetes-build-stable1: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: ci-kubernetes-build-stable2: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: ci-kubernetes-build-stable3: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-build-1-16: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-build-1-17: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-build-1-18: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-build-1-19: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-build-master: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-test-1-16: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-test-1-17: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-test-1-18: should run on cluster: k8s-infra-prow-build, found: default
    TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild: jobs_test.go:1084: periodic-kubernetes-bazel-test-1-19: should run on cluster: k8s-infra-prow-build, found: default
--- PASS: TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild (0.02s)

Will need to decide how we'd like to define exceptions for the build jobs, and/or dedicate resources to them.

[justaugustus]

Assigning Dan to TL completion of this.
/assign @hasheddan

[spiffxp]

Updated description to enumerate all release-blocking jobs and the umbrella issues tracking their progress or the PRs that migrated them

[spiffxp]

Current status...

spiffxp@spiffxp-macbookpro:test-infra (master %)$ go test -v -count=1 ./config/tests/jobs/...
# ...
=== RUN   TestKubernetesReleaseBlockingJobsShouldRunOnK8sInfraProwBuild
    jobs_test.go:1049: ci-kubernetes-build: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: ci-kubernetes-build-1-19: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: ci-kubernetes-build-1-20: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: ci-kubernetes-build-stable2: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: ci-kubernetes-build-stable3: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: periodic-kubernetes-bazel-build-1-17: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: periodic-kubernetes-bazel-build-1-18: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: periodic-kubernetes-bazel-build-1-19: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: periodic-kubernetes-bazel-build-1-20: should run on cluster: k8s-infra-prow-build, found: default
    jobs_test.go:1049: periodic-kubernetes-bazel-build-master: should run on cluster: k8s-infra-prow-build, found: default

We have "canary" versions of these jobs that run on k8s-infra-prow-build, and write to gs://k8s-release-dev.

However, there is much out there that depends on the existing jobs that write to gs://kubernetes-release-dev and gcr.io/kubernetes-ci-images (ref: #19483 (comment)). I'm considering a KEP for deprecation/migration/removal.

I think full completion of the deprecation process is out of scope for this issue. So I would like us to identify what the minimum set of jobs/scripts/etc should be pulling from gs://k8s-release-dev to call this done.

[spiffxp]

/milestone v1.21

[spiffxp]

/priority important-soon

[spiffxp]

I think the following PRs can close this out:

• Log or enforce kubernetes jobs pull from k8s-infra buckets #20885 - enforced that all release-blocking jobs pull from gs://k8s-release-dev
• Move periodic-kubernetes-bazel-build jobs to release-informing #20963 - proposes moving bazel-build jobs to release-informing
• Deprecate google-hosted kubernetes-build jobs #20964 - proposes renaming build jobs to build-deprecated and moving to release-informing, renaming build-canary jobs to build and moving to release-blocking
• jobs: enforce kubernetes CI policy for blocking jobs #20989 - TestKubernetesReleaseBlockingJobsCIPolicy passes for all release-blocking jobs and will enforce any new additions

[spiffxp]

/assign
/assign @justaugustus
Can you think of anything else that needs to happen to call this done?

[spiffxp]

Tangentially related: followup work to deprecate google-hosted artifacts related to release-blocking builds will be tracked under kubernetes/k8s.io#1571

[spiffxp]

/close
Calling this done!

[k8s-ci-robot]

@spiffxp: Closing this issue.

In response to this:

/close
Calling this done!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.