Add Node Affinity for TaskRuns that share PVC workspace #2630
Conversation
tekton-robot
added
the
kind/feature
tekton-robot
added
size/XL
|
Hi @jlpettersson. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
This PR cannot be merged: expecting exactly one kind/ label Available
|
|
A follow up task is to implement an option to provide a custom PodTemplate for the "Affinity Assistant". /cc @vdemeester @sbwsg |
tekton-robot
added
the
do-not-merge/hold
jlpettersson
force-pushed
the
add_node-affinity_for_pods_that_share_pvc
branch
from
dbd333f
to
0104371
Compare
jlpettersson
force-pushed
the
add_node-affinity_for_pods_that_share_pvc
branch
from
0104371
to
27c3e84
Compare
|
Really nice, thank you! I'm not sure this is a real use case, but I'm just wondering if it would be possible to detect and prevent scenario like this:
I think it would be nice in this case to either emit a warning and run task1 and 2 serially, or perhaps stop the pipelinerun from running, and communicate that differences in task pod affinity will require different PVCs. |
@afrittoli Good suggestion to generate a warning event. Currently, the Can we do the warning-event in it's own PR? |
|
This PR was discussed in the API WG today, and can probably be "unhold" now. |
|
/ok-to-test |
tekton-robot
added
ok-to-test
|
The following is the coverage report on the affected files.
|
jlpettersson
force-pushed
the
add_node-affinity_for_pods_that_share_pvc
branch
from
27c3e84
to
b010df4
Compare
|
The following is the coverage report on the affected files.
|
Yes, sounds good |
|
/test pull-tekton-pipeline-integration-tests |
|
This one is interesting:
volume node affinity conflict is related. But this in combination with |
|
The following is the coverage report on the affected files.
|
tekton-robot
added
the
approved
jlpettersson
force-pushed
the
add_node-affinity_for_pods_that_share_pvc
branch
from
0ecca10
to
b1348bc
Compare
|
The following is the coverage report on the affected files.
|
TaskRuns within a PipelineRun may share files using a workspace volume. The typical case is files from a git-clone operation. Tasks in a CI-pipeline often perform operations on the filesystem, e.g. generate files or analyze files, so the workspace abstraction is very useful. The Kubernetes way of using file volumes is by using [PersistentVolumeClaims](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims). PersistentVolumeClaims use PersistentVolumes with different [access modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes). The most commonly available PV access mode is ReadWriteOnce, volumes with this access mode can only be mounted on one Node at a time. When using parallel Tasks in a Pipeline, the pods for the TaskRuns is scheduled to any Node, most likely not to the same Node in a cluster. Since volumes with the commonly available ReadWriteOnce access mode cannot be use by multiple nodes at a time, these "parallel" pods is forced to execute sequentially, since the volume only is available on one node at a time. This may make that your TaskRuns time out. Clusters are often _regional_, e.g. they are deployed across 3 Availability Zones, but Persistent Volumes are often _zonal_, e.g. they are only available for the Nodes within a single zone. Some cloud providers offer regional PVs, but sometimes regional PVs is only replicated to one additional zone, e.g. not all 3 zones within a region. This works fine for most typical stateful application, but Tekton uses storage in a different way - it is designed so that multiple pods access the same volume, in a sequece or parallel. This makes it difficult to design a Pipeline that starts with parallel tasks using its own PVC and then have a common tasks that mount the volume from the earlier tasks - since - what happens if those tasks were scheduled to different zones - the common task can not mount the PVCs that now is located in different zones, so the PipelineRun is deadlocked. There are a few technical solutions that offer parallel executions of Tasks even when sharing PVC workspace: - Using PVC access mode ReadWriteMany. But this access mode is not widely available, and is typically a NFS server or another not so "cloud native" solution. - An alternative is to use a storage that is tied to a specific node, e.g. local volume and then configure so pods are scheduled to this node, but this is not commonly available and it has drawbacks, e.g. the pod may need to consume and mount a whole disk e.g. several hundreds GB. Consequently, it would be good to find a way so that TaskRun pods that share workspace are scheduled to the same Node - and thereby make it easy to use parallel tasks with workspace - while executing concurrently - on widely available Kubernetes cluster and storage configurations. A few alternative solutions have been considered, as documented in tektoncd#2586. However, they all have major drawbacks, e.g. major API and contract changes. This commit introduces an "Affinity Assistant" - a minimal placeholder-pod, so that it is possible to use [Kubernetes inter-pod affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) for TaskRun pods that need to be scheduled to the same Node. This solution has several benefits: it does not introduce any API changes, it does not break or change any existing Tekton concepts and it is implemented with very few changes. Additionally it can be disabled with a feature-flag. **How it works:** When a PipelineRun is initiated, an "Affinity Assistant" is created for each PVC workspace volume. TaskRun pods that share workspace volume is configured with podAffinity to the "Affinity Assisant" pod that was created for the volume. The "Affinity Assistant" lives until the PipelineRun is completed, or deleted. "Affinity Assistant" pods are configured with podAntiAffinity to repel other "Affinity Assistants" - in a Best Effort fashion. The Affinity Assistant is _singleton_ workload, since it acts as a placeholder pod and TaskRun pods with affinity must be scheduled to the same Node. It is implemented with [QoS class Guaranteed](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed) but with minimal resource requests - since it does not provide any work other than beeing a placeholder. Singleton workloads can be implemented in multiple ways, and they differ in behavior when the Node becomes unreachable: - as a Pod - the Pod is not managed, so it will not be recreated. - as a Deployment - the Pod will be recreated and puts Availability before the singleton property - as a StatefulSet - the Pod will be recreated but puds the singleton property before Availability Therefor the Affinity Assistant is implemented as a StatefulSet. Essentialy this commit provides an effortless way to use a functional task parallelism with any Kubernetes cluster that has any PVC based storage. Solves tektoncd#2586 /kind feature
jlpettersson
force-pushed
the
add_node-affinity_for_pods_that_share_pvc
branch
from
b1348bc
to
77db014
Compare
|
The following is the coverage report on the affected files.
|
Thanks a lot @afrittoli for a thorough review! I have updated with many of your suggestions and improved test coverage as you suggested. I also responded to your feedback. Thanks! |
afrittoli
added
kind/feature
|
This PR cannot be merged: expecting exactly one kind/ label Available
|
1 similar comment
|
This PR cannot be merged: expecting exactly one kind/ label Available
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afrittoli, ImJasonH The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Changes
TaskRuns within a PipelineRun may share files using a workspace volume.
The typical case is files from a git-clone operation. Tasks in a CI-pipeline often
perform operations on the filesystem, e.g. generate files or analyze files,
so the workspace abstraction is very useful.
The Kubernetes way of using file volumes is by using PersistentVolumeClaims.
PersistentVolumeClaims use PersistentVolumes with different access modes.
The most commonly available PV access mode is ReadWriteOnce, volumes with this
access mode can only be mounted on one Node at a time.
When using parallel Tasks in a Pipeline, the pods for the TaskRuns is
scheduled to any Node, most likely not to the same Node in a cluster.
Since volumes with the commonly available ReadWriteOnce access mode cannot
be use by multiple nodes at a time, these "parallel" pods is forced to
execute sequentially, since the volume only is available on one node at a time.
This may make that your TaskRuns time out.
Clusters are often regional, e.g. they are deployed across 3 Availability
Zones, but Persistent Volumes are often zonal, e.g. they are only available
for the Nodes within a single zone. Some cloud providers offer regional PVs,
but sometimes regional PVs is only replicated to one additional zone, e.g. not
all 3 zones within a region. This works fine for most typical stateful application,
but Tekton uses storage in a different way - it is designed so that multiple pods
access the same volume, in a sequece or parallel.
This makes it difficult to design a Pipeline that starts with parallel tasks using
its own PVC and then have a common tasks that mount the volume from the earlier
tasks - since - what happens if those tasks were scheduled to different zones -
the common task can not mount the PVCs that now is located in different zones, so
the PipelineRun is deadlocked.
There are a few technical solutions that offer parallel executions of Tasks
even when sharing PVC workspace:
Using PVC access mode ReadWriteMany. But this access mode is not widely available,
and is typically a NFS server or another not so "cloud native" solution.
An alternative is to use a storage that is tied to a specific node, e.g. local volume
and then configure so pods are scheduled to this node, but this is not commonly
available and it has drawbacks, e.g. the pod may need to consume and mount a whole
disk e.g. several hundreds GB.
Consequently, it would be good to find a way so that TaskRun pods that share
workspace are scheduled to the same Node - and thereby make it easy to use parallel
tasks with workspace - while executing concurrently - on widely available Kubernetes
cluster and storage configurations.
A few alternative solutions have been considered, as documented in #2586.
However, they all have major drawbacks, e.g. major API and contract changes.
This commit introduces an "Affinity Assistant" - a minimal placeholder-pod,
so that it is possible to use Kubernetes inter-pod affinity for TaskRun pods that need to be scheduled to the same Node.
This solution has several benefits: it does not introduce any API changes,
it does not break or change any existing Tekton concepts and it is
implemented with very few changes. Additionally it can be disabled with a feature-flag.
How it works: When a PipelineRun is initiated, an "Affinity Assistant" is
created for each PVC workspace volume. TaskRun pods that share workspace
volume is configured with podAffinity to the "Affinity Assisant" pod that
was created for the volume. The "Affinity Assistant" lives until the
PipelineRun is completed, or deleted. "Affinity Assistant" pods are
configured with podAntiAffinity to repel other "Affinity Assistants" -
in a Best Effort fashion.
The Affinity Assistant is singleton workload, since it acts as a
placeholder pod and TaskRun pods with affinity must be scheduled to the
same Node. It is implemented with QoS class Guaranteed but with minimal resource requests -
since it does not provide any work other than beeing a placeholder.
Singleton workloads can be implemented in multiple ways, and they differ
in behavior when the Node becomes unreachable:
the singleton property
property before Availability
Therefor the Affinity Assistant is implemented as a StatefulSet.
Essentialy this commit provides an effortless way to use a functional
task parallelism with any Kubernetes cluster that has any PVC based
storage.
Example output from example:
First a Task graph:
Logs:
A listing of the pods, shows that all pods that share PVC workspace, is scheduled to the same Node. The "reporter" task does not use a workspace and hence can be scheduled to any Node (this was a 4 Node cluster).
Fixes #2586
/kind feature
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Double check this list of stuff that's easy to miss:
cmddir, please updatethe release Task to build and release this image.
Reviewer Notes
If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS, and they must first be added in a backwards compatible way.
Release Notes