protect admission against empty keys #5900
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The provisioning state reflects the status of the last provisioning action, which means the instance can enter a failed state after it's running. Protect against unnecessary scaledowns by checking the power state to avoid scaling down running VMs
- this taint leads to unexpected behavior - users expect CA to consider the taint when autoscaling Signed-off-by: vadasambar <[email protected]>
- happens when CA tries to check if the unmanaged fargate node is a part of ASG (it isn't) - and keeps on logging error Signed-off-by: vadasambar <[email protected]>
Signed-off-by: vadasambar <[email protected]>
…are more appropriate
k8s-ci-robot
added
size/M
Previous "CropNodes" function of ScaleDownBudgetProcessor had an assumption that atomically-scaled node groups should be classified as "empty" or "drain" as a whole, however Cluster Autoscaler may classify some of the nodes from a single group as "empty" and other as "drain".
update agnhost image to pull from registry.k8s.io
jbartosik
requested changes
Jun 28, 2023
...oscaler/pkg/admission-controller/resource/pod/recommendation/recommendation_provider_test.go
Outdated
Show resolved
Hide resolved
| @@ -89,6 +90,16 @@ func Resources(cpu, mem string) apiv1.ResourceList { | |||
| return result | |||
| } | |||
|
|
|||
| // AddResource add a resource to the given resource list | |||
| func AddResource(rl apiv1.ResourceList, resourceName apiv1.ResourceName, value string) apiv1.ResourceList { | |||
There was a problem hiding this comment.
There's only one place we're using this function. Please move it to vertical-pod-autoscaler/pkg/utils/test/test_recommendation.go and unexport it (rename to addResource)
| @@ -55,6 +57,15 @@ func (b *recommendationBuilder) WithTarget(cpu, memory string) RecommendationBui | |||
| return &c | |||
| } | |||
|
|
|||
| func (b *recommendationBuilder) WithResource(resource apiv1.ResourceName, value string) RecommendationBuilder { | |||
There was a problem hiding this comment.
Suggested change
| func (b *recommendationBuilder) WithResource(resource apiv1.ResourceName, value string) RecommendationBuilder { | |
| func (b *recommendationBuilder) WithTargetResource(resource apiv1.ResourceName, value string) RecommendationBuilder { |
| @@ -131,6 +133,12 @@ func (b *verticalPodAutoscalerBuilder) WithTarget(cpu, memory string) VerticalPo | |||
| return &c | |||
| } | |||
|
|
|||
| func (b *verticalPodAutoscalerBuilder) WithResourceInTarget(resource core.ResourceName, value string) VerticalPodAutoscalerBuilder { | |||
There was a problem hiding this comment.
Let's call it the same as the function in vertical-pod-autoscaler/pkg/utils/test/test_recommendation.go
Also please add a TODO, it looks like verticalPodAutoscalerBuilder (here) and recommendationBuilder (in test_recommendation.go) could use some deduplication
Generated by runing: ``` go mod tidy go mod vendor ```
Update VPA vendor
…r-cleanup Replace `BuildTestContainer` with use of builder
k8s-ci-robot
added
the
needs-rebase
Allow using an externally created secret instead of using the one the Helm chart creates
fix: Broken links to testgrid dashboard
…ial-backoff feat(hetzner): use less requests while waiting for server create
Signed-off-by: AhmedGrati <[email protected]>
…proposal-5700 [addon-resizer] docs: add KEP to add nanny configuration automatic reload.
update RBAC to only use verbs that exist for the resources
…re-s390x-arch CA - Git ignore s390x arch binaries
…mp-pod-scaleup Add support to filter out pods being deleted.
…recommendation/recommendation_provider_test.go Co-authored-by: Joachim <[email protected]>
k8s-ci-robot
added
size/XXL
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dbenque The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/provider/aws
|
Closing this PR due to a bad rebase that makes the history not clear. Taking all the relevant changes to a new clean branch: |
jbartosik
reviewed
Sep 4, 2023
| @@ -311,8 +311,7 @@ func TestUpdateResourceRequests(t *testing.T) { | |||
| return | |||
| } | |||
|
|
|||
| _, foundEmpty := resources[0].Requests[""] | |||
| assert.Equal(t, foundEmpty, false, "empty resourceKey have not been purged") | |||
| assert.Contains(t, resources, "", "expected empty resource to be removed") | |||
There was a problem hiding this comment.
I know this is closed but isn't this check kind of opposite of the old one?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which component this PR applies to?
vertical-pod-autoscaler/admission-controller
What type of PR is this?
/kind bug
What this PR does / why we need it:
Using external recommender that was coming with a bug, we ended up with a VPA object that was presenting a recommendation for a resource that has an empty name:
In this PR we are proposing to sanitise the recommendation by removing any resource key that would be empty so that the admission is not pushing "garbage" to the pods.
Possible extension: instead of purging empty key, we could have a list of allowed resourceName given as input parameter of the admission. This would also allow us to purge unknown resource or the one coming with typo.
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?
If a recommendation comes with a resource key that is empty, this resource will be ignored in the admission-controller.
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: