Disallow PriorityClass names with 'system-' prefix for user defined priority classes #59382
Conversation
k8s-ci-robot
added
release-note
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@kubernetes/sig-scheduling-api-reviews |
k8s-ci-robot
added
the
kind/api-change
| @@ -203,6 +207,9 @@ func (p *PriorityPlugin) validatePriorityClass(a admission.Attributes) error { | |||
| if pc.Value > HighestUserDefinablePriority { | |||
| return admission.NewForbidden(a, fmt.Errorf("maximum allowed value of a user defined priority is %v", HighestUserDefinablePriority)) | |||
| } | |||
| if strings.HasPrefix(pc.Name, SystemPriorityClassPrefix) { | |||
There was a problem hiding this comment.
If a priority class starting with "system-" is created while this plugin is not enabled, does this prevent update/deleting it?
There was a problem hiding this comment.
If a priority class starting with "system-" is created while this plugin is not enabled, does this prevent update/deleting it?
It does not prevent deletion, but it does prevent updates. I think this should be fine. We don't allow updating names of priority classes anyway.
I move the new logic to the API side.
| @@ -203,6 +207,9 @@ func (p *PriorityPlugin) validatePriorityClass(a admission.Attributes) error { | |||
| if pc.Value > HighestUserDefinablePriority { | |||
| return admission.NewForbidden(a, fmt.Errorf("maximum allowed value of a user defined priority is %v", HighestUserDefinablePriority)) | |||
| } | |||
| if strings.HasPrefix(pc.Name, SystemPriorityClassPrefix) { | |||
| return admission.NewForbidden(a, fmt.Errorf("priority class names with '%v' prefix are reserved for system use only: %v", SystemPriorityClassPrefix, pc.Name)) | |||
| } | |||
| if _, ok := SystemPriorityClasses[pc.Name]; ok { | |||
| return admission.NewForbidden(a, fmt.Errorf("the name of the priority class is a reserved name for system use only: %v", pc.Name)) | |||
| } | |||
There was a problem hiding this comment.
Also, this is my first time in here. Below, this is attempting to prevent multiple priority class objects that say they are the default, but that's racy/best effort. What happens if multiple defaults end up in the system? Does this prevent those from being updated or deleted?
There was a problem hiding this comment.
Also, the invalidateCachedDefaultPriority call wouldn't handle HA apiserver scenarios
There was a problem hiding this comment.
What happens if multiple defaults end up in the system? Does this prevent those from being updated or deleted?
It does not prevent deletion, but it does not allow updates, which is fine in my opinion.
There was a problem hiding this comment.
Also, the invalidateCachedDefaultPriority call wouldn't handle HA apiserver scenarios
Is this the scenario that is not handled correctly:
- Server 1 is the leader. Admission controller populates its cache with default priority.
- Server 1 loses its leadership and server 2 becomes leader. Server 2 populates its admission controller cache.
- Global defalt priority class is deleted/updated.
- Server 2 loses its leadership and server 1 becomes leader again.
- Server 1's cache is stale!
This is certainly an issue we need to address. A possible solution is to not cache default priority, but it could cause performance regression. Is there a better solution?
bsalamat
force-pushed
the
no_system_priority
branch
from
37762f7 to
d1872a6
Compare
k8s-ci-robot
added
size/M
| @@ -203,6 +207,9 @@ func (p *PriorityPlugin) validatePriorityClass(a admission.Attributes) error { | |||
| if pc.Value > HighestUserDefinablePriority { | |||
| return admission.NewForbidden(a, fmt.Errorf("maximum allowed value of a user defined priority is %v", HighestUserDefinablePriority)) | |||
| } | |||
| if strings.HasPrefix(pc.Name, SystemPriorityClassPrefix) { | |||
| return admission.NewForbidden(a, fmt.Errorf("priority class names with '%v' prefix are reserved for system use only: %v", SystemPriorityClassPrefix, pc.Name)) | |||
| } | |||
| if _, ok := SystemPriorityClasses[pc.Name]; ok { | |||
| return admission.NewForbidden(a, fmt.Errorf("the name of the priority class is a reserved name for system use only: %v", pc.Name)) | |||
| } | |||
There was a problem hiding this comment.
What happens if multiple defaults end up in the system? Does this prevent those from being updated or deleted?
It does not prevent deletion, but it does not allow updates, which is fine in my opinion.
| @@ -203,6 +207,9 @@ func (p *PriorityPlugin) validatePriorityClass(a admission.Attributes) error { | |||
| if pc.Value > HighestUserDefinablePriority { | |||
| return admission.NewForbidden(a, fmt.Errorf("maximum allowed value of a user defined priority is %v", HighestUserDefinablePriority)) | |||
| } | |||
| if strings.HasPrefix(pc.Name, SystemPriorityClassPrefix) { | |||
| return admission.NewForbidden(a, fmt.Errorf("priority class names with '%v' prefix are reserved for system use only: %v", SystemPriorityClassPrefix, pc.Name)) | |||
| } | |||
| if _, ok := SystemPriorityClasses[pc.Name]; ok { | |||
| return admission.NewForbidden(a, fmt.Errorf("the name of the priority class is a reserved name for system use only: %v", pc.Name)) | |||
| } | |||
There was a problem hiding this comment.
Also, the invalidateCachedDefaultPriority call wouldn't handle HA apiserver scenarios
Is this the scenario that is not handled correctly:
- Server 1 is the leader. Admission controller populates its cache with default priority.
- Server 1 loses its leadership and server 2 becomes leader. Server 2 populates its admission controller cache.
- Global defalt priority class is deleted/updated.
- Server 2 loses its leadership and server 1 becomes leader again.
- Server 1's cache is stale!
This is certainly an issue we need to address. A possible solution is to not cache default priority, but it could cause performance regression. Is there a better solution?
| @@ -203,6 +207,9 @@ func (p *PriorityPlugin) validatePriorityClass(a admission.Attributes) error { | |||
| if pc.Value > HighestUserDefinablePriority { | |||
| return admission.NewForbidden(a, fmt.Errorf("maximum allowed value of a user defined priority is %v", HighestUserDefinablePriority)) | |||
| } | |||
| if strings.HasPrefix(pc.Name, SystemPriorityClassPrefix) { | |||
There was a problem hiding this comment.
If a priority class starting with "system-" is created while this plugin is not enabled, does this prevent update/deleting it?
It does not prevent deletion, but it does prevent updates. I think this should be fine. We don't allow updating names of priority classes anyway.
I move the new logic to the API side.
k8s-github-robot
removed
the
lgtm
bsalamat
force-pushed
the
no_system_priority
branch
from
d1872a6 to
6bad08a
Compare
k8s-ci-robot
added
size/S
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
validation change looks reasonable (and is acceptable imo because priority feature was alpha in 1.9)... the error message from the admission plugin when an unknown /approve |
| @@ -44,6 +44,8 @@ const ( | |||
| ) | |||
|
|
|||
| // SystemPriorityClasses defines special priority classes which are used by system critical pods that should not be preempted by workload pods. | |||
| // NOTE: In order to avoid conflict of names with user-defined priority classes, all the names must | |||
| // start with scheduling.SystemPriorityClassPrefix which is by default "system-". | |||
| var SystemPriorityClasses = map[string]int32{ | |||
| "system-cluster-critical": SystemCriticalPriority, | |||
| "system-node-critical": SystemCriticalPriority + 1000, | |||
There was a problem hiding this comment.
Should we manage the magic numbers like 1000? At least we should indicate why it is 1000.
WDYT, Bobby?
There was a problem hiding this comment.
@wgliang, the exact value of priority does not have any significance, only the relative value of priority compared to other priorites matters. So, if system-node-critical value was SystemCriticalPriority + 1, it would have had the same effect as SystemCriticalPriority + 1000, but we choose to use a larger number so that we can add more priority classes between the two existing ones if there is a need in the future.
|
@deads2k Could you please approve the change under /admission? It is only a change in the comment. |
|
Tightening validation sets of my spidey-sense, but it looks like api-approvers were already here. /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bsalamat, deads2k, dixudx, k82cn, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these OWNERS Files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
This PR changes our Priority admission controller to disallow PriorityClass names with 'system-' prefix for user defined priority classes. Please refer to #59381 for reasons why we need this.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #59381
Release note:
ref #57471
/sig scheduling
/assign @liggitt