-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
assign -998 as the oom_score_adj for critical pods (e.g. kube-proxy) #39114
Conversation
Jenkins Bazel Build failed for commit 33e8dc1ee7b346ead1970cf8e48224833cad77ff. Full PR test history. The magic incantation to run this job again is |
import cycle not allowed in test package k8s.io/kubernetes/pkg/client/restclient (test) imports k8s.io/kubernetes/pkg/api/testapi imports k8s.io/kubernetes/pkg/apis/componentconfig/install imports k8s.io/kubernetes/pkg/apis/componentconfig/v1alpha1 imports k8s.io/kubernetes/pkg/kubelet/qos imports k8s.io/kubernetes/pkg/kubelet/pod imports k8s.io/kubernetes/pkg/client/clientset_generated/clientset imports k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/apps/v1beta1 imports k8s.io/kubernetes/pkg/client/restclient
33e8dc1
to
b03fca9
Compare
Jenkins verification failed for commit 33e8dc1ee7b346ead1970cf8e48224833cad77ff. Full PR test history. The magic incantation to run this job again is |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue (batch tested with PRs 39114, 36004) |
This seems aggressive as it can elevate any pod with the annotation to almost guaranteed qos behavior. When we enforce memory limits at qos tier, it does give this pod even more precedent within a tier even if other pods have not used up to their scheduling request. This just gives way too much power imho. How are we restricting the abuse of this annotation? Can we at minimum restrict this annotations enforcement to pods in a particular namespace? And pods potentially whose namespace has been annotated as enabling this function by an operator? This has bad downstream security impacts for us in OpenShift and would ask we revisit this to reduce scope. |
I also validated this with a testing cluster: Fresh built cluster, and kill kube-proxy pod, etc.
In this pr, I also include a small fix for import cycle issue. The right fix should remove the dependency on qos package from pkg/apis/componentconfig/v1alpha1. But since we plan to cherrypick this pr to both 1.5 and 1.4 (possible), I want touch the source as little as possible.
Partial fix: #38322