ResourceQuota ability to support default limited resources #36765
Conversation
|
@eparis @erinboyd @deads2k -- this is WIP and is not yet functional, opening here to track its completion for kube 1.6. @bgrant0607 -- this was the general idea we discussed at kubecon for allowing quota to identify resources that are limited by default instead of unlimited. |
k8s-github-robot
added
needs-rebase
derekwaynecarr
force-pushed
the
quota-precious-resources
branch
from
d7453f2 to
c00857d
Compare
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
removed
the
needs-rebase
derekwaynecarr
force-pushed
the
quota-precious-resources
branch
from
c00857d to
80f8d3f
Compare
|
In putting this together, it's come to my attention that we do not pass versioned configuration to admission controllers in Kubernetes today. As a result, I think I need to fix-up existing admission plug-ins first, and codify the model for how versioned config is handled before finishing this out. |
k8s-github-robot
added
the
needs-rebase
derekwaynecarr
force-pushed
the
quota-precious-resources
branch
from
80f8d3f to
8036a20
Compare
k8s-github-robot
added
kind/api-change
derekwaynecarr
force-pushed
the
quota-precious-resources
branch
2 times, most recently
from
9f336e0 to
f2f952a
Compare
k8s-github-robot
added
the
needs-rebase
derekwaynecarr
force-pushed
the
quota-precious-resources
branch
from
f2f952a to
0f3252b
Compare
derekwaynecarr
changed the title
derekwaynecarr
changed the title
derekwaynecarr
changed the title
|
This change is |
derekwaynecarr
force-pushed
the
quota-precious-resources
branch
from
0f3252b to
810ca05
Compare
derekwaynecarr
removed
the
needs-rebase
|
its a belated xmas miracle, the bots are all happy. @smarterclayton @deads2k - ptal. |
| // the value would be "persistentvolumeclaims". | ||
| // If the resource exists in a named API group, the name must be | ||
| // fully qualified, i.e. "deployments.extensions" | ||
| APIGroupResource string `json:"apiGroupResource"` |
There was a problem hiding this comment.
This is consistent with RBAC, correct?
There was a problem hiding this comment.
RBAC has the following:
type PolicyRule struct {
// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.
Verbs []string
// APIGroups is the name of the APIGroup that contains the resources.
// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
APIGroups []string
// Resources is a list of resources this rule applies to. ResourceAll represents all resources.
Resources []string
// ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
ResourceNames []string
// NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
// If an action is not a resource API request, then the URL is split on '/' and is checked against the NonResourceURLs to look for a match.
// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
NonResourceURLs []string
}
It splits APIGroup from Resource. Unlike Policy, I don't think there is meaning if both are not supplied on this item. For example, I don't think we would want to support that a particular constraint applies to all resources in an APIGroup for ResourceQuota.
There was a problem hiding this comment.
I guess I'm okay with it.
|
For alpha is sufficiently compact. API looks ok to me. |
| } | ||
| if len(quotas) == 0 { | ||
| // if limited resources are disabled, we can just return safely when there are no quotas. | ||
| limitedResourcesDisabled := len(e.config.LimitedResources) == 0 |
There was a problem hiding this comment.
if e.config must be non-nil, why do you allow a nil to be passed through the New function?
There was a problem hiding this comment.
i modified new to allow nil, but default to empty config.
| // track the cumulative set of resources that were required across all quotas | ||
| // this is needed to know if we have satisfied any constraints where consumption | ||
| // was limited by default. | ||
| requiredResourcesSet := sets.String{} |
There was a problem hiding this comment.
It took me a long time to puzzle out what this was. This is the list of resources that are restricted by quota applied to this object, right? Maybe restrictedResources?
| internalClientset := internalclientset.NewForConfigOrDie(&restclient.Config{QPS: -1, Host: s.URL, ContentConfig: restclient.ContentConfig{GroupVersion: &api.Registry.GroupOrDie(v1.GroupName).GroupVersion}}) | ||
| admission, err := resourcequota.NewResourceQuota(quotainstall.NewRegistry(nil, nil), 5, admissionCh) | ||
| config := &resourcequotaapi.Configuration{} | ||
| admission, err := resourcequota.NewResourceQuota(quotainstall.NewRegistry(nil, nil), config, 5, admissionCh) |
There was a problem hiding this comment.
Seems like this feature is worth an integration test.
| // the value would be "persistentvolumeclaims". | ||
| // If the resource exists in a named API group, the name must be | ||
| // fully qualified, i.e. "deployments.extensions" | ||
| APIGroupResource string |
There was a problem hiding this comment.
Why not a separate Group and Resource field?
There was a problem hiding this comment.
i am perfectly happy to separate. it appears we lack a consensus decision on how to handle this.
to follow the policy convention, is that APIGroup and Resource?
There was a problem hiding this comment.
to follow the policy convention, is that APIGroup and Resource?
I'd like that.
|
minor comments |
|
@deads2k -- thanks for the review pass, i will look to update. |
derekwaynecarr
force-pushed
the
quota-precious-resources
branch
from
552e8e5 to
3fad0cb
Compare
|
@k8s-bot cvm gke e2e test this |
|
@deads2k updates addressed, ptal |
|
/lgtm |
|
@deads2k: you can't LGTM a PR unless you are an assignee. DetailsIn response to this comment:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: deads2k, derekwaynecarr Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
derekwaynecarr
assigned
deads2k and unassigned
smarterclayton,
derekwaynecarr and
eparis
|
@deads2k -- added you as an assignee, care to tag again so bot is happy? |
deads2k
added
the
lgtm
Tagged, though I don't think anyone would have dinged you for fixing it up yourself. |
|
Automatic merge from submit-queue (batch tested with PRs 41421, 41440, 36765, 41722) |
10 participants
Add support for the ability to configure the quota system to identify specific resources that are limited by default. A limited resource means its consumption is denied absent a covering quota. This is in contrast to the current behavior where consumption is unlimited absent a covering quota. Intended use case is to allow operators to restrict consumption of high-cost resources by default.
Example configuration:
admission-control-config-file.yaml
In the above configuration, if a namespace lacked a quota for any of the following:
The attempt to consume the resource is denied with a message stating the user has insufficient quota for the matching resources.