[KEP-5254] DRA: Constraints with CEL

[aws-ruhip]

• One-line PR description: Add support for new CEL expression constraint in DRA

• Issue link: DRA: Constraints with CEL #5254

• Other comments:

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: aws-ruhip / name: Ruhi Prasad (e5a7fb4)

[k8s-ci-robot]

Welcome @aws-ruhip!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @aws-ruhip. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[geetasg]

cc @pohly @johnbelamaric @klueska @dims @mengqiy

[dims]

/ok-to-test

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aws-ruhip
Once this PR has been reviewed and has the lgtm label, please assign johnbelamaric, macsko for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-scheduling/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pohly]

/wg device-management

[pohly]

I haven't looked at the current KEP yet, I only checked whether we have the right reviewers assigned.

[pohly]

@dom4ha, @macsko: who of you can take point on this one?

[dom4ha]

I will be OOO starting from tomorrow, so I cannot promise the review. @macsko will be OOO from Thursday and @sanposhiho may have limited bandwidth as well.

[pohly]

You can remove SIG node entirely. This does not affect the kubelet at all.

[pohly]

You can remove SIG node entirely. This does not affect the kubelet at all.

[pohly]

I'm not sure whether @johnbelamaric has time - I doubt it.

Let's see who from the PRR reviewers takes this, if it's not too late.

[kannon92]

Suggested change

	approver: "@johnbelamaric"
	approver: "@deads2k"

I'm not sure the context but david is assigned already in the PRR board.

[deads2k]

Some general comments and some PRR comments.

[deads2k]

Does this mean that we have to evaluate the CEL against every possible set of devices to determine if they match?

[aws-ruhip]

Yes, the CEL cannot be evaluated until the required number of devices are present in the device set. If they do not match, a new device set will be evaluated. This process will be repeated until a valid device set is found, according to the CEL expression.

[deads2k]

kubelet admission or kube-apiserver admission? kube-apiserver admission plugins are optional. Additionally, I don't see any description of admission in the KEP above, so I'm not clear on how this would happen.

[aws-ruhip]

Since we are modifying the resource claim template API spec to add this new cel constraint, any workloads trying to use this cel constraint while the feature gate is disabled will see an error like "cel.expression is not a field"

[deads2k]

Since we are modifying the resource claim template API spec to add this new cel constraint, any workloads trying to use this cel constraint while the feature gate is disabled will see an error like "cel.expression is not a field"

That's not a common approach and extremely uncommon in the admission stage of the apiserver flow. Can you link to where you're familiar with an existing feature that behaves this way?

[geetasg]

@deads2k We will not be relying on admission plugins. We will update the KEP to clarify the feature gate behavior. Thanks for the feedback!

[deads2k]

scheduler throughput and the scheduler latency both seem like valuable metrics here.

[deads2k]

Suggested change

	Merely enabling the feature has no resource impact. When in use, resource consumption will scale with the number of device combinations being evaluated, varying based on specific allocation patterns.
	Resource consumption will scale with the number of device combinations being evaluated, varying based on specific allocation patterns.

assume the feature is going to be used when writing PRR answers. How will we check the actual cost in a running cluster?

[aws-ruhip]

For CEL selectors, we use cost estimation from the cel k8s library: https://github.com/kubernetes/kubernetes/blob/2cc3dbf2250177c60b2967e3e8481ac3f7e33829/staging/src/k8s.io/dynamic-resource-allocation/cel/compile.go#L191

We will leverage the same for CEL constraints

[deads2k]

Are you going to expose that as a metric? Also, I remember this as an estimate, not the actual. This new API is going to result in repeated evaluations and seems pertinent to track its (potentially significant) expense.

cc @wojtek-t

[wojtek-t]

Are you going to expose that as a metric? Also, I remember this as an estimate, not the actual. This new API is going to result in repeated evaluations and seems pertinent to track its (potentially significant) expense.

Did we have any metric once we introduced CEL for validation in apiserver?

I don't have any reasonable suggestion from the top of my head:

• what we really care is cpu itself, but getting data about how much is used here in particular I think can only be read from profiles
• the only thing that comes to my mind is trying to report how many combinations are evaluated (and then use some average cel-evaluation cost to just estimated the cost of it); but that's super hand-wavy

[deads2k]

Summarizing a slack thread in here. Permutations take smaller numbers and make really big ones. On a cluster with 10^3 nodes and 10^3 pods using it, an expression that is P(16,8) becomes a potential worst case of 10^14 checks (compared with 10^6 without this change).

On the surface this appears to be a big change. Agreeing to what sort of parameters are good for a benchmark prior and thinking through acceptable thresholds for changes to that benchmark with sig-scalability need to happen. I haven't yet thought of a different way to be comfortable with the PRR scaling questions here.

[aws-ruhip]

Also, I remember this as an estimate, not the actual.

CEL can also track actual cost during execution, which is indicative of cpu usage: https://pkg.go.dev/github.com/google/cel-go/cel#EvalDetails.ActualCost

This is used in CEL selector evaluation here: https://github.com/kubernetes/kubernetes/blob/b0b52f4fb29223f829b50ae58323c20a7764dfc9/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go#L970

We can surface a metric that tracks cost evaluation for cel constraint workloads

[BenTheElder]

cc @pohly @johnbelamaric do we have rough scaling targets for DRA devices currently?

[macsko]

I strongly feel that just adding a CEL expression is a simple solution, but it significantly (even exponentially) increases the complexity of the filtering phase in all scenarios not supported by MatchAttribute. If we could group use cases and implement faster algorithms or, at least, reduce the problem space for them, that would be beneficial.
Also, remember about workload-aware scheduling, which will be introduced in upcoming releases. In some scenarios, it might need to run the filtering multiple times, and relying on really heavy algorithms could completely slow down scheduling.

But, we could leave this to the beta stage or next revision of alpha, so please document it accordingly in the KEP (and say that this has to be revisited before beta).

[geetasg]

@macsko Thank you for the review. We will update the KEP as per the feedback. Can you please link issue/info on workload aware scheduling ? cc @aws-ruhip

[macsko]

The issue: kubernetes/kubernetes#132192

[macsko]

Or when no new pods are created in the cluster, but metric is constant, indicating that no pods have been scheduled.