Set pids limit at pod level #57973
Set pids limit at pod level #57973
Conversation
k8s-ci-robot
added
release-note
|
/assign @tallclair cc @BenTheElder |
|
/test pull-kubernetes-unit |
|
/test pull-kubernetes-cross |
pkg/features/kube_features.go
Outdated
| @@ -214,6 +214,12 @@ const ( | |||
| // | |||
| // Implement IPVS-based in-cluster service load balancing | |||
| SupportIPVSProxyMode utilfeature.Feature = "SupportIPVSProxyMode" | |||
|
|
|||
| // owner: @dims | |||
| // beta: v1.10 | |||
There was a problem hiding this comment.
Duh, cut-n-paste error :) fixing
| @@ -197,6 +197,8 @@ type KubeletConfiguration struct { | |||
| // The CIDR to use for pod IP addresses, only used in standalone mode. | |||
| // In cluster mode, this is obtained from the master. | |||
| PodCIDR string `json:"podCIDR"` | |||
| // PodPidsLimit is the maximum number of pids in any pod. | |||
| PodPidsLimit int64 | |||
There was a problem hiding this comment.
I think this should be a pointer, and also it needs a json tag.
| @@ -463,6 +470,10 @@ func (m *cgroupManagerImpl) Create(cgroupConfig *CgroupConfig) error { | |||
| Resources: resources, | |||
| } | |||
|
|
|||
| if cgroupConfig.ResourceParameters.PodPidsLimit != nil { | |||
There was a problem hiding this comment.
I think you should check the featuregate here?
| @@ -430,6 +433,10 @@ func (m *cgroupManagerImpl) Update(cgroupConfig *CgroupConfig) error { | |||
| Paths: cgroupPaths, | |||
| } | |||
|
|
|||
| if cgroupConfig.ResourceParameters.PodPidsLimit != nil { | |||
dims
force-pushed
the
set-pids-limit-at-pod-level
branch
4 times, most recently
from
7655504 to
b266fdc
Compare
|
/assign @brendandburns |
|
@dims: GitHub didn't allow me to assign the following users: brendanburns. Note that only kubernetes members can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cc @sjenning I did a quick pass and this looks generally good. Will take a deeper look shortly. |
|
Looks good to me, thanks. cc/ @mtaufen |
|
Would like to take a look of this later. |
k8s-ci-robot
added
the
sig/node
cmd/kubelet/app/options/options.go
Outdated
| @@ -453,6 +453,8 @@ func AddKubeletConfigFlags(fs *pflag.FlagSet, c *kubeletconfig.KubeletConfigurat | |||
| fs.Int32Var(&c.MaxPods, "max-pods", c.MaxPods, "Number of Pods that can run on this Kubelet.") | |||
|
|
|||
| fs.StringVar(&c.PodCIDR, "pod-cidr", c.PodCIDR, "The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master.") | |||
| fs.Int64Var(c.PodPidsLimit, "pod-max-pids", *c.PodPidsLimit, "<Warning: Alpha feature> Tune a pod's pids limit. Set -1 for unlimited.") | |||
There was a problem hiding this comment.
nit reword: "Set the maximum number of processes per pod"
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
added
the
lgtm
|
@derekwaynecarr - yep will file one today (at least a WIP). Thanks! |
|
@derekwaynecarr please see kubernetes/enhancements#546 @brendandburns @dchen1107 @lavalamp @smarterclayton @thockin - Need your approval per list in pkg/OWNERS. PTAL |
|
/test all |
|
/retest
Looks like AWS quota
…On Tue, Jan 23, 2018, 15:21 k8s-ci-robot ***@***.***> wrote:
@dims <https://github.com/dims>: The following tests *failed*, say /retest
to rerun them all:
Test name Commit Details Rerun command
pull-kubernetes-e2e-kubeadm-gce-canary 3df1ce5
<3df1ce5>
link
<https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/57973/pull-kubernetes-e2e-kubeadm-gce-canary/31/> /test
pull-kubernetes-e2e-kubeadm-gce-canary
pull-kubernetes-e2e-kops-aws 3df1ce5
<3df1ce5>
link
<https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/57973/pull-kubernetes-e2e-kops-aws/70690/> /test
pull-kubernetes-e2e-kops-aws
Full PR test history <https://k8s-gubernator.appspot.com/pr/57973>. Your
PR dashboard <https://k8s-gubernator.appspot.com/pr/dims>. Please help us
cut down on flakes by linking to
<https://git.k8s.io/community/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests>
an open issue
<https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open> when
you hit one in your PR.
Instructions for interacting with me using PR comments are available here
<https://git.k8s.io/community/contributors/devel/pull-requests.md>. If
you have questions or suggestions related to my behavior, please file an
issue against the kubernetes/test-infra
<https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:>
repository. I understand the commands that are listed here
<https://go.k8s.io/bot-commands>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#57973 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA4Bq1SmvOrHQ1a1UOWph5G1dej0qTztks5tNmd2gaJpZM4RWvsF>
.
|
|
/test pull-kubernetes-e2e-kubeadm-gce-canary |
|
Please ignore "pull-kubernetes-e2e-kubeadm-gce-canary" failure. It's not a required job and there's a race between the build artifacts and when the job starts actually. So totally unrelated. /test all |
|
@dims: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@brendandburns @dchen1107 @lavalamp @smarterclayton @thockin - can one of you please approve for "pkg/" thanks! Please ignore the |
|
/approve Given other feedback and sig consensus, no voiced concerns, benefit for real users with the possibility of a more comprehensive user facing solution later on. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: derekwaynecarr, dims, sjenning, smarterclayton Associated issue: #43783 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-ci-robot
added
the
approved
|
thanks @smarterclayton |
|
Automatic merge from submit-queue (batch tested with PRs 57973, 57990). If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
Add a new Alpha Feature to set a maximum number of pids per Pod.
This is to allow the use case where cluster administrators wish
to limit the pids consumed per pod (example when running a CI system).
By default, we do not set any maximum limit, If an administrator wants
to enable this, they should enable
SupportPodPidsLimit=truein the--feature-gates=parameter to kubelet and specify the limit using the--pod-max-pidsparameter.The limit set is the total count of all processes running in all
containers in the pod.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #43783
Special notes for your reviewer:
Release note: