Project request quota admission control

[csrwng]

Adds admission control plugin to control quota per plugin configuration.

[csrwng]

@deads2k @liggitt ptal

[smarterclayton]

Is this going to be shared?

[csrwng]

It is... same cache used in the other project admission control plugins

[csrwng]

updated package name

[csrwng]

[test]

[deads2k]

unit test failures

[liggitt]

@deads2k I thought we were wondering if we even needed this. Did you resolve that we did?

[liggitt]

Don't you need to find all the limits that apply and take the min (or the max, not sure which direction we'd go)

[csrwng]

Not sure that we have a use case for that or that selectors are going to be that complex. Right now it's relying on the order of selectors in the config and, for what we want this for, imho it's sufficient.

[liggitt]

If I apply a limit based on label selection, I'd be surprised if it didn't take effect. I think we should pick a direction (either max or min of matching limits), iterate to determine that limit, and document which direction we chose. I think I would tend toward taking the max (just like policy... you can do something if any of your roles allows it).

[deads2k]

If I apply a limit based on label selection, I'd be surprised if it didn't take effect. I think we should pick a direction (either max or min of matching limits), iterate to determine that limit, and document which direction we chose. I think I would tend toward taking the max (just like policy... you can do anything allowed by any policy grant).

I prefer first one wins. Otherwise we'll pick a direction and not like it. I think its more likely that I know which labels have priority over which other labels and build my config file that way.

[csrwng]

Not sure that picking the direction would alleviate the problem of having a limit not apply. Suppose we say max wins, and we have a very general rule that gives you a max of 100, and we add a more specific selector with a max of 5. Your more specific rule would never apply. Suppose we say min wins... then we can't easily configure something like the online use case where we want the default to be 1, but only for certain users increase that limit to 100. The more selective limit would never apply.

[liggitt]

I prefer first one wins. Otherwise we'll pick a direction and not like it. I think its more likely that I know which labels have priority over which other labels and build my config file that way.

I could buy that. It would also let you restrict specific users while letting everyone else have a higher limit.

[liggitt]

Also, this doesn't solve the issue with a lagging store allowing a few requests through until it catches up

[csrwng]

Also, this doesn't solve the issue with a lagging store allowing a few requests through until it catches up

Can you think of a way to mitigate this?

[liggitt]

isn't the yaml for this level: platinum?

[csrwng]

fixed. Oddly it worked with either form.

[liggitt]

Can you think of a way to mitigate this?

Not without recording the update somewhere that would generate a conflict (like an annotation on the user), and having a reconciling controller to sweep and fix the annotation if it got out of sync (like resource quota)... not sure I like something that complex for this

[csrwng]

Added requester index to project cache

[deads2k]

@deads2k I thought we were wondering if we even needed this. Did you resolve that we did?

We could work around it, but since this is has general utility (its commonly requested), useful for us, and relatively small it seemed better to bring it in.

[csrwng]

[test]

[smarterclayton]

You could require an atomic mutation on the user in order to allow it. You
could store the request into etcd, and then have a controller delete the
request when it satisfies it (doesn't limit the number of requests you can
create though). All the project requesters could mutate a single object
which limits to one inflight per user at a time. The last is probably
worth considering - it's effectively a lock on project creations, and then
we just have to decide whether we want to rate limit project creations on
the cluster in general.

On Fri, Jan 22, 2016 at 10:20 AM, Cesar Wong notifications@github.com
wrote:

[test]

—
Reply to this email directly or view it on GitHub
#6768 (comment).

[smarterclayton]

I'm tempted though to say that since we're paying the price of the project
cache already the squeaking through doesn't bother me - it just means that
you have to wait post creation and ensure that the resource version
returned by the write of the project matches the project cache, and check
your quota again. You can still burst across the cluster, but done right
you can parallelize to max number of masters.

On Fri, Jan 22, 2016 at 11:29 AM, Clayton Coleman ccoleman@redhat.com
wrote:

You could require an atomic mutation on the user in order to allow it.
You could store the request into etcd, and then have a controller delete
the request when it satisfies it (doesn't limit the number of requests you
can create though). All the project requesters could mutate a single
object which limits to one inflight per user at a time. The last is
probably worth considering - it's effectively a lock on project creations,
and then we just have to decide whether we want to rate limit project
creations on the cluster in general.

On Fri, Jan 22, 2016 at 10:20 AM, Cesar Wong notifications@github.com
wrote:

[test]

—
Reply to this email directly or view it on GitHub
#6768 (comment).

[csrwng]

it just means that
you have to wait post creation and ensure that the resource version
returned by the write of the project matches the project cache, and check
your quota again.

@smarterclayton how can I do this?

[smarterclayton]

Since we don't have post admission control yet (as @derekwaynecarr has floated) the current solution is fine, assuming a) the leak window is minimal even if an attacker is blowing up the server and b) you have a corresponding controller that goes and fixes up projects that are out of band (i.e. the oldest projects are set to zero quota). The controller can be post 3.2, but it's essentially quota reconciliation and needs to tie in with the proposed organizational quota constraint.

[csrwng]

Sounds good to me

[derekwaynecarr]

Do we ever plan on letting users organize their projects via labels? If so, would we basically have to no longer treat a Project as a virtual resource? Or would we store the project labels as annotations on the Namespace and then update the strategy code to pull a Project label from the annotation instead of the normal location? I guess the latter would make sense but it would be nice to have a plan...

[derekwaynecarr]

Glad we went with this approach. :-)

[csrwng]

I like it too :) Allowed us to remove the embarrassing hack that merged the openshift and kube clients. Thank you for suggesting it.

[csrwng]

@deads2k @liggitt @smarterclayton Is the way that this plugin is configured (via user labels) ok? Do you have any suggestions for changes? Writing doc for it :-)

[deads2k]

Add a TODO. This should go away once we have the yaml serializer in the rebase after this one.

[deads2k]

@deads2k @liggitt @smarterclayton Is the way that this plugin is configured (via user labels) ok?

I like using labels on users for it.

[csrwng]

Addressed comments so far

[csrwng]

@ironcladlou ptal

[deads2k]

json tags instead of yaml.

[csrwng]

struct tags fixed

[csrwng]

Test error seems like a new error from the vagrant plugin:

Running TEST_ASSETS=true TEST_ASSETS_HEADLESS=true make check -j --output-sync=recurse...
make: unrecognized option '--output-sync=recurse'

[deads2k]

Test error seems like a new error from the vagrant plugin:

@smarterclayton did you turn on parallel? the RHEL images don't have a recent level of make

[deads2k]

lgtm

[csrwng]

looks like an etcd flake:

2016-01-27 11:19:48.486493 E | etcdserver: publish error: etcdserver: request timed out

[merge]

[csrwng]

Needs rebase on top of Kube rebase

[openshift-bot]

Evaluated for origin test up to 4391347

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/513/)

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/4768/) (Image: devenv-rhel7_3269)

[csrwng]

[merge]

[openshift-bot]

Evaluated for origin merge up to 4391347