Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(ScaledObject): Check default limits from LimitRange for ScaledObject validations #5377

Conversation

Bhargav-InfraCloud
Copy link
Contributor

@Bhargav-InfraCloud Bhargav-InfraCloud commented Jan 15, 2024

KEDA admission webhook rejects ScaledObject requests with CPU or memory triggers when the resource limits (CPU/memory based on triggers) are not set in the pod spec. This is expected behavior.

But if default limits are set in the LimitRange object in the same namespace, the admission webhook should allow the ScaledObject request, which currently doesn’t.

This change will check if there is a LimitRange with default limits (CPU/memory based on triggers) in the namespace that ScaledObject is in, and allows the request to proceed.

Also, added RBAC permissions for list & watch LimitRange.

Checklist

Fixes #5348

Copy link

Thank you for your contribution! 🙏 Let us know when you are ready for a review by publishing the PR.

@Bhargav-InfraCloud Bhargav-InfraCloud force-pushed the br_allow_scaledobject_when_resource_limits_in_limitrange branch 3 times, most recently from 2ba60f5 to 46e9c19 Compare January 15, 2024 11:53
@zroubalik zroubalik mentioned this pull request Jan 15, 2024
25 tasks
@Bhargav-InfraCloud Bhargav-InfraCloud force-pushed the br_allow_scaledobject_when_resource_limits_in_limitrange branch from 46e9c19 to e71f15f Compare January 16, 2024 09:12
@Bhargav-InfraCloud Bhargav-InfraCloud changed the title WIP: fix(ScaledObject): Check default limits from LimitRange for ScaledObject validations fix(ScaledObject): Check default limits from LimitRange for ScaledObject validations Jan 16, 2024
@Bhargav-InfraCloud
Copy link
Contributor Author

Minimal Steps to Test the Changes

  1. Deploy from the current branch.
  2. Run test scripts from keda-5348.zip.
    Only no-default-cpu-memory-limits.sh should throw the below-mentioned error, and no error for default-limits-in-limitrange.sh.
Error from server (Forbidden): error when creating "STDIN": admission webhook "vscaledobject.kb.io" denied the request: the scaledobject has a cpu trigger but the container test-app doesn't have the cpu request defined

CHANGELOG.md Outdated Show resolved Hide resolved
@JorTurFer
Copy link
Member

JorTurFer commented Jan 16, 2024

/run-e2e internal
Update: You can check the progress here

…ect Validations

KEDA admission webhook rejects ScaledObject requests with CPU or memory
triggers when the resource limits (CPU/memory based on triggers) are
not set in the pod spec. This is expected behavior.

But if default limits are set in the LimitRange object in the same
namespace, the admission webhook should allow the ScaledObject request,
which currently doesn’t.

This change will check if there is a LimitRange with default limits
(CPU/memory based on triggers) in the namespace that ScaledObject is
in, and allows the request to proceed.

Also, added RBAC permissions for list & watch LimitRange.

Updated Change Log.

Signed-off-by: Bhargav Ravuri <[email protected]>
@Bhargav-InfraCloud Bhargav-InfraCloud force-pushed the br_allow_scaledobject_when_resource_limits_in_limitrange branch from e71f15f to edecc39 Compare January 16, 2024 19:12
@JorTurFer
Copy link
Member

JorTurFer commented Jan 16, 2024

/run-e2e internal
Update: You can check the progress here

@zroubalik
Copy link
Member

And with that, I realized, 😅 I should probably add a note in the docs about the controller picking the default limits from LimitRange for validation.

@Bhargav-InfraCloud yeah, we should document this for sure :)

@Bhargav-InfraCloud
Copy link
Contributor Author

Please review the PR for updating the docs. Thanks!
kedacore/keda-docs#1296

Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't got time to review properly, but to be clear, we don't enforce requests, but only limits set on the target resource, is this respected in this PR?

#4802

@Bhargav-InfraCloud
Copy link
Contributor Author

Bhargav-InfraCloud commented Jan 16, 2024

I haven't got time to review properly, but to be clear, we don't enforce requests, but only limits set on the target resource, is this respected in this PR?

#4802

Not exactly. The fix to that issue has only added the validation for limits and hasn't removed the existing validation on requests. It is ORed though. We should probably open a card for that and update the docs too. I see docs have examples with just requests.

requests, requestsSet := rr.Requests[name]
limits, limitsSet := rr.Limits[name]
return (requestsSet || limitsSet) && (requests.AsApproximateFloat64() > 0 || limits.AsApproximateFloat64() > 0)

https://github.com/kedacore/keda-docs/blob/675cdd9b61728a210175075bd284359f27ebd0d6/content/docs/2.13/scalers/cpu.md?plain=1#L23-L30

Copy link
Member

@wozniakjan wozniakjan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

excellent PR, I think this can be merged, @zroubalik, although I don't know how to get to the failing e2e test logs

I haven't got time to review properly, but to be clear, we don't enforce requests, but only limits set on the target resource, is this respected in this PR?

isn't it the other way around in 2.12.1? from my quick testing requests are enforced, limits can be missing.
never mind 🤦‍♂️, I just realized #4803 is not part of 2.12.1 and will be released in 2.13.0...

apis/keda/v1alpha1/scaledobject_webhook.go Show resolved Hide resolved
Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not exactly. The fix to that issue has only added the validation for limits and hasn't removed the existing validation on requests. It is ORed though. We should probably open a card for that and update the docs too. I see docs have examples with just requests.

@Bhargav-InfraCloud could you please incorporate this into your docs PR. Once the docs PR is done, we can proceed and merge this PR. Great job, thanks!

@zroubalik
Copy link
Member

zroubalik commented Jan 18, 2024

/run-e2e internal
Update: You can check the progress here

@tomkerkhove
Copy link
Member

tomkerkhove commented Jan 18, 2024

/run-e2e internal
Update: You can check the progress here

@zroubalik zroubalik merged commit 05bbf8d into kedacore:main Jan 18, 2024
33 of 34 checks passed
@Bhargav-InfraCloud
Copy link
Contributor Author

Thanks, everyone! :-)

@Bhargav-InfraCloud Bhargav-InfraCloud deleted the br_allow_scaledobject_when_resource_limits_in_limitrange branch March 11, 2024 18:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Keda Admission Webhook rejects ScaledObject requests that use Range Limit
5 participants