Assign Priority Classes to tenants #257

Closed
bsctl opened this issue May 13, 2021 · 3 comments · Fixed by #352

bsctl commented May 13, 2021

Describe the feature

In Kubernetes, pods can have priority. Priority indicates the importance of a Pod relative to other Pods. If a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower priority Pods to make scheduling of the pending Pod possible.

In a multi-tenant cluster where not all users are trusted, a tenant owner could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled.

It would be nice for the cluster admin to assign one or more Priority Classes to a tenant. The Capsule Operator (i.e. its policy engine component) can control the admitted Priority Classes as for Storage and Ingress Classes.

What would the new user story look like?

The cluster admin creates Priority Classes with a given priority number

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: oil
value: 1000000
globalDefault: false

and then assigns it to a tenant

kind: Tenant
apiVersion: capsule.clastix.io/v1alpha1
metadata:
  name: oil
spec:
  priorityClasses:
    allowed:
      - oil
      - default
    allowedRegex: ''

Expected behavior

The tenant admin can only deploy pods with the allowed Priority Classes

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    env: test
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
  priorityClassName: oil
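
The admission check proposed in this issue, sketched in Go as an added example (it is not part of the issue and not Capsule's code). The `AllowedClasses` type and `Admits` method are hypothetical names; treating an empty `allowedRegex` as "no pattern", anchoring the pattern to the full name, and admitting an empty `priorityClassName` are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// AllowedClasses mirrors the proposed spec.priorityClasses block
// (hypothetical type, not Capsule's own).
type AllowedClasses struct {
	Allowed      []string
	AllowedRegex string
}

// Admits reports whether a Pod's priorityClassName is permitted for the tenant.
// It fails closed: an invalid pattern denies the Pod and returns an error.
func (a AllowedClasses) Admits(name string) (bool, error) {
	if name == "" {
		// Assumption: no class was requested, so there is nothing to check.
		return true, nil
	}
	for _, n := range a.Allowed {
		if n == name {
			return true, nil
		}
	}
	// Assumption: an empty allowedRegex means "no pattern". Compiling ""
	// would match every name, including system-node-critical.
	if a.AllowedRegex == "" {
		return false, nil
	}
	// Anchor the pattern so "oil" alone cannot admit "oil-system-node-critical".
	re, err := regexp.Compile("^(?:" + a.AllowedRegex + ")$")
	if err != nil {
		return false, fmt.Errorf("invalid allowedRegex: %w", err)
	}
	return re.MatchString(name), nil
}

func main() {
	// Tenant "oil" from the issue: two exact names, empty regex.
	oil := AllowedClasses{Allowed: []string{"oil", "default"}, AllowedRegex: ""}
	for _, name := range []string{"oil", "default", "system-cluster-critical", "system-node-critical"} {
		ok, _ := oil.Admits(name)
		fmt.Printf("%-24s admitted=%v\n", name, ok)
	}
}
```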

prometherion commented May 14, 2021

To implement this, we need several changes.

Am I missing something else?


bsctl commented May 14, 2021

There are two Priority Classes already defined by default

$ kubectl get priorityclass
NAME                      VALUE        GLOBAL-DEFAULT   AGE
system-cluster-critical   2000000000   false            26d
system-node-critical      2000001000   false            26d

and others can be defined by the cluster admin. The Priority Class is a cluster-wide resource.

The workflow is very similar to Ingress and Storage Classes we already implemented

@prometherion

The workflow is very similar to Ingress and Storage Classes we already implemented

And this means, on the capsule-proxy side, to implement the labeling with the resource name to allow listing of the resources.
