Add option to ignore namespaces #6788
Conversation
To both recommender and updater
k8s-ci-robot
added
the
kind/feature
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @adrianmoisey! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @adrianmoisey. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
In the unlikely case that a nil value is passed in, this code would have failed with an error
| @@ -96,6 +96,15 @@ func selfRegistration(clientset *kubernetes.Clientset, caCert []byte, namespace, | |||
| sideEffects := admissionregistration.SideEffectClassNone | |||
| failurePolicy := admissionregistration.Ignore | |||
| RegisterClientConfig.CABundle = caCert | |||
| namespaceSelector := metav1.LabelSelector{ | |||
There was a problem hiding this comment.
Is this changing any behavior if the list is empty? What about not setting any selector when no ignores are set?
There was a problem hiding this comment.
I wonder if just by having the all namespaces selector we impact cost or performance on the apiserver.
| ) | ||
|
|
||
| func main() { | ||
| klog.InitFlags(nil) | ||
| kube_flag.InitFlags() | ||
|
|
||
| if len(*vpaObjectNamespace) > 0 && len(*ignoredVpaObjectNamespaces) > 0 { |
There was a problem hiding this comment.
This should probably happen after the info log below to still give a log about the version used.
| @@ -332,6 +344,12 @@ func filterVPAs(feeder *clusterStateFeeder, allVpaCRDs []*vpa_types.VerticalPodA | |||
| continue | |||
| } | |||
| } | |||
|
|
|||
| if selectsNamespace(vpaCRD.ObjectMeta.Namespace, feeder.ignoredNamespaces) { | |||
There was a problem hiding this comment.
Can the sourcing of VPAs already do the filtering? So the API server doesn't send namespaces we don't want?
There was a problem hiding this comment.
I did have a look at this, but I didn't find an easy solution to it.
The updater and recommender both seems to use a ListWatch in client-go (https://github.com/kubernetes/autoscaler/blob/vertical-pod-autoscaler-1.1.1/vertical-pod-autoscaler/vendor/k8s.io/client-go/tools/cache/listwatch.go#L69-L100)
This seems to take either a single namespace or all namespaces. There doesn't seem to be a way to exclude any namespaces.
An alternative could be to setup a ListWatch per namespace, but then I imagine we'll need to do quite a big refactor and continuously watch for updates to namespaces, and add/remove the ListWatch as namespaces are added and removed. I also don't know if that sort of change would be better or worse, efficiency wise, compared to this current PR's approach.
My current experience with VPA/client-go is very minimal, so I didn't want to take such a large task that could potentially be the wrong direction.
There was a problem hiding this comment.
I poked through client-go and couldn't find anything either.
Seems OK since the list of ignored namespaces is likely going to be pretty small?
There was a problem hiding this comment.
I poked through client-go and couldn't find anything either.
Seems OK since the list of ignored namespaces is likely going to be pretty small?
I imagine that list will be small.
In my use-case it will be only kube-system (and possibly istio-system)
| @@ -108,6 +110,11 @@ const ( | |||
| func main() { | |||
| klog.InitFlags(nil) | |||
| kube_flag.InitFlags() | |||
|
|
|||
| if len(*vpaObjectNamespace) > 0 && len(*ignoredVpaObjectNamespaces) > 0 { | |||
There was a problem hiding this comment.
Same here, I think the version log should come first.
| @@ -137,6 +149,10 @@ func (u *updater) RunOnce(ctx context.Context) { | |||
| vpas := make([]*vpa_api_util.VpaWithSelector, 0) | |||
|
|
|||
| for _, vpa := range vpaList { | |||
| if selectsNamespace(vpa.Namespace, u.ignoredNamespaces) { | |||
There was a problem hiding this comment.
Same here, why are we even getting those VPAs here?
| vpaObjectNamespace = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.") | ||
| namespace = os.Getenv("NAMESPACE") | ||
| vpaObjectNamespace = flag.String("vpa-object-namespace", apiv1.NamespaceAll, "Namespace to search for VPA objects. Empty means all namespaces will be used.") | ||
| ignoredVpaObjectNamespaces = flag.String("ignored-vpa-object-namespaces", "", "Comma separated list of namespaces to ignore.") |
There was a problem hiding this comment.
Is there a shared library of sorts where we could put all this instead? It seems like there is no difference in code between the components.
There was a problem hiding this comment.
There doesn't seem to be a shared library for these flags. The existing VPA components all declare their own flags.
| }, | ||
| }, | ||
| } | ||
| } |
There was a problem hiding this comment.
Shouldn't we also be setting a nameSpaceSelector for the case where vpa-object-namespace is used to cause the webhook to operate only for that namespace? This way the pods for all other namespaces do not have to wait for an answer from the admission controller before they start (it will also reduce the load on the admission controller)
There was a problem hiding this comment.
Good idea!
Fixed in 4073194
|
@kwiesmueller I've replied to your comments. I just want to check if this path is worth going down? And if I should spend the time to write tests for this PR. |
|
@kwiesmueller any chance you have some time to look at this again? |
|
/assign @raywainman |
|
Looking... Apologies for the delay :) |
|
Hey @raywainman cc @voelzmo |
|
Thanks Adrian! Will take a look today or tomorrow. Thanks for the fixes! |
| @@ -90,7 +90,7 @@ func configTLS(cfg certsConfig, minTlsVersion, ciphers string, stop <-chan struc | |||
|
|
|||
| // register this webhook admission controller with the kube-apiserver | |||
| // by creating MutatingWebhookConfiguration. | |||
| func selfRegistration(clientset kubernetes.Interface, caCert []byte, namespace, serviceName, url string, registerByURL bool, timeoutSeconds int32) { | |||
| func selfRegistration(clientset kubernetes.Interface, caCert []byte, namespace, serviceName, url string, registerByURL bool, timeoutSeconds int32, selectedNamespaces string, ignoredNamespaces string) { | |||
There was a problem hiding this comment.
I think we should do the split upstream, it will simplify testing and is a bit cleaner if we pass in the "final" data structure here.
Can we pass ignoredNamespaces []string here instead?
There was a problem hiding this comment.
I originally had it like that, but changed it due to your comment here: #6788 (comment)
You can see this commit where I moved the split into the functions called: 7a1aea1
Now I'm wondering if I originally misunderstood your original comment.
| @@ -103,6 +106,7 @@ func (m ClusterStateFeederFactory) Make() *clusterStateFeeder { | |||
| memorySaveMode: m.MemorySaveMode, | |||
| controllerFetcher: m.ControllerFetcher, | |||
| recommenderName: m.RecommenderName, | |||
| ignoredNamespaces: strings.Split(m.IgnoredNamespaces, ","), | |||
There was a problem hiding this comment.
Same comment as above, if we set the IgnoredNamespaces variable in ClusterStateFeederFactory to string[] then this becomes a bit cleaner and we don't need to split here.
| @@ -107,6 +111,7 @@ func NewUpdater( | |||
| status.AdmissionControllerStatusName, | |||
| statusNamespace, | |||
| ), | |||
| ignoredNamespaces: strings.Split(ignoredNamespaces, ","), | |||
There was a problem hiding this comment.
Same here, let's split upstream in main.go?
| }, | ||
| }, | ||
| } | ||
| } else if len(selectedNamespaces) > 0 { |
There was a problem hiding this comment.
Do we need this here? I thought this value was always going to contain a single namespace?
(I can see this is the assumption in the other places)
There was a problem hiding this comment.
Whoops, yes, you're right. Fixed in e14db24
This reverts commit 7a1aea1. As per kubernetes#6788 (comment) and discussion in DM. The preference is to split the string inside the main.go file.
|
Something worth noting about this change. There are tests in vertical-pod-autoscaler/pkg/admission-controller/config_test.go which call the This is something that I think needs fixing at some stage, but I'm not sure on the best way to address it. Should the sleep time be passed into the function, allowing overriding the sleep time in tests? Or is there another way to override that call? |
|
@raywainman I've made the latest set of suggestions. I think we're really close to getting this done. When you have a moment can you review? |
k8s-ci-robot
added
the
lgtm
Just chatted on Slack about this. Passing in a timeout via an argument is probably the easiest way to fix this. I wonder why we did this in the first place though - maybe API Server needs a bit of time to catch up or something. |
k8s-ci-robot
removed
the
lgtm
Since tests will take 10 seconds on each pass to run
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign voelzmo pinging @voelzmo for approval |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
lgtm
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adrianmoisey, voelzmo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is a replacement PR for #6428
It allows a user to specify a list of namespaces for the various VPA components to ignore.
Which issue(s) this PR fixes:
Fixes #6232
Special notes for your reviewer:
There are no tests at the moment. I'm just making the PR to get some early review to ensure that this is on the right track.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
N/A