Add v1beta1 API

[alculquicondor]

What type of PR is this?

/kind feature

/kind api-change

What this PR does / why we need it:

Adds a v1beta1 API with changes summarized in this doc https://docs.google.com/document/d/1Uu4hfGxux4Wh_laqZMLxXdEVdty06Sb2DwB035hj700/edit?usp=sharing&resourcekey=0-b7mU7mGPCkEfhjyYDsXOBg (join https://groups.google.com/a/kubernetes.io/g/wg-batch to access)

Which issue(s) this PR fixes:

Ref #23

Special notes for your reviewer:

The first commit contains a pure copy of the v1alpha2 API objects, to facilitate reviewing the diff.

This PR keeps the storage version as v1alpha2 so that tests continue passing. I plan to remove in a follow up PR, along with updating the implementation of the controllers.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alculquicondor

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [alculquicondor]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tenzen-y]

/cc

[mwielgus]

The field has the same name as the one in FlavorQuota but a different type. Maybe one of them should have a different name? It looks a bit weird in yaml.

[alculquicondor]

I think that's ok. They are in different contexts.

[kerthcet]

+1 with @mwielgus

[alculquicondor]

Changed

[ahg-g]

any changes compared to v1alpha1 other than clusterqueue_types.go and the queue-name label?

[ahg-g]

Following up on @liggitt suggestion, we can use AssuredLimit for absolute value, and in the future we can add AssuredLimitShares or AssuredLimitPercentage (depending on the semantics we want to enable) when we build hierarchal quota.

[alculquicondor]

The source for this suggestion was API priority and fairness.

In alpha they used AssuredConcurrencyShares https://github.com/kubernetes/kubernetes/blob/f97d14c6c88e92cb505f8a9147294705a93247e3/staging/src/k8s.io/api/flowcontrol/v1alpha1/types.go#L437

But in beta they are using NominalConcurrencyShares https://github.com/kubernetes/kubernetes/blob/f97d14c6c88e92cb505f8a9147294705a93247e3/staging/src/k8s.io/api/flowcontrol/v1beta3/types.go#L471

Definition of nominal:

stated or expressed but not necessarily corresponding exactly to the real value.

It matches our intent, don't you think?

[mwielgus]

Here seems to be a bit of inconsistency. In spec we have base + borrowed. Here is total + borrowed.

[alculquicondor]

That is a good point, but I think it's rather useful:
If an administrator considers increasing the quota, it's useful for them to directly see the total usage.
And observing the borrowed quota is useful for adjusting borrowingLimit.

[mwielgus]

What about resources borrowed BY the cohort?

[alculquicondor]

We cannot quantify those. A ClusterQueue doesn't directly borrow from another ClusterQueue. They borrow from the pool of unused resources in the Cohort.

This is so that a single Workload can use borrowed quota from multiple CQs at the same time.

[mwielgus]

Well, we kind-of do. Imagine the situation when all capacity in the cohort is taken and the queue itself has no admitted workloads. Then borrowedByCohort = base queue quota. If All queues have low usage, within their quota then borrowedByCohort = 0. Right :)? So we can generalize it to:

max(0, SumOfUsageInOtherQueuesInCohort - SumOfQuotaInOtherQuesesInCohort)

[alculquicondor]

Good point, but it can be added later. Not sure how much worth it is. We don't maintain those numbers in the cache. We just calculate them when we snapshot the cache to run the admission cycle.

[mwielgus]

Why no Spec and Status?

[alculquicondor]

So far we haven't found a case for Status, so we skipped it for simplicity. Can you think of something?

This is similar to how PriorityClasses are defined https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass

[mwielgus]

I think that we will have a problem IF we find a use case for status (like resource depleted notification or so). Without Spec and Status we will have to do another api version, deprecation, migration etc just to have that bit of info exposed. Empty Status doesn't cost us much at this moment, but may be very handy in the future.

[alculquicondor]

I guess we don't need to add a status field, but we can add the spec. See update.

[tenzen-y]

Can we mention that it does not guarantee the actual availability of resources?
Moreover, can we add examples, the same as v1alpha2?

[alculquicondor]

I rephrased a little the definition of nominalQuota below

[tenzen-y]

The word, nominal sounds good.
Thanks for the updates!

[tenzen-y]

Do you plan to add the conversion webhooks?

[alculquicondor]

Most likely not. But that's part of the justification of going to beta: that from now on we would have a conversion webhook if there are breaking changes from v1beta1 to v1beta2 or v1.
But if you know of users running in prod, it would be good to have their feedback.

[tenzen-y]

Most likely not. But that's part of the justification of going to beta: that from now on we would have a conversion webhook if there are breaking changes from v1beta1 to v1beta2 or v1.

It sounds good to me.

But if you know of users running in prod, it would be good to have their feedback.

I haven't known of users running in production, ever.

[alculquicondor]

/retest

[tenzen-y]

Is this domain correct?
Probably, kueue.x-k8s.io/resource-in-use?

[tenzen-y]

Ah, this is my misunderstanding.
Since the API will be graduated to beta, kueue.k8s.io/resource-in-use is correct.

[alculquicondor]

We'll stay in x-k8s. We have consulted with @liggitt in any case, to make sure we are following best practices in our first beta release.

[tenzen-y]

Sounds good. Thanks for letting me know.

[kerthcet]

"kueue.k8s.io/resource-in-use" or"kueue.x-k8s.io/resource-in-use"?

[alculquicondor]

I swear I had changed it before :|

It should be kueue.x-k8s.io. Fixed.

[mwielgus]

Can we have a switch to turn off a resource flavor in all of the queues (possibly as a follow up PR)?

[alculquicondor]

That's beyond the scope of this PR and it deserves it's own kep with stories.

[tenzen-y]

Also, how do reviewers feel about merging this as is and have a separate PR for swapping the controllers into the new APIs?

I'm ok.

[tenzen-y]

Suggested change

	NominalQuota resource.Quantity `json:"quota"`
	NominalQuota resource.Quantity `json:"nominalQuota"`

[tenzen-y]

Suggested change

	// cohort. Only quota from [resource, flavor] pairs listed in the CQ can be
	// borrowed.
	// cohort. Only borrowingLimit from [resources, flavors] pairs listed in the CQ can be
	// borrowed.

[alculquicondor]

The word quota was intended. The documentation for how much quota is allowed to be borrowed is left for the description of the borrowingLimit field itself.

[tenzen-y]

It sounds good to me.

[netlify]

✅ Deploy Preview for kubernetes-sigs-kueue canceled.

Name	Link
🔨 Latest commit	6136eed
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-kueue/deploys/64022527101eb900082c18e7

[tenzen-y]

Is the removal of shortName intended?

[alculquicondor]

yeah.... too cryptic

[tenzen-y]

It sounds good to me.
In this case, we may need to remove kubebuiler markers from v1alpha1 API.

[tenzen-y]

Is the removal of shortName intended?

[alculquicondor]

same, too cryptic. flavor is better

[tenzen-y]

Good.

[tenzen-y]

Generally, LGTM.

[kerthcet]

+1 with @mwielgus

[kerthcet]

What about MinItems here?

[alculquicondor]

Yes, good catch, added.

[kerthcet]

Suggested change

	// combination that this ClusterQueue is allowed to borrow from the unused
	// quota of other ClusterQueues in the same cohort.
	// combination that this ClusterQueue is allowed to borrow from the unused
	// quota of other ClusterQueues in the same cohort, but not guaranteed.

[alculquicondor]

Not sure... I already mentioned this is unused quota. Or are you referring to something else? But please check the update for your previous comment.

[kerthcet]

Where we used this? Didn't find them.

[alculquicondor]

I forgot to delete it :)

[kerthcet]

"kueue.k8s.io/resource-in-use" or"kueue.x-k8s.io/resource-in-use"?

[kerthcet]

Do you mean we'll validate this in Kueue? Or we'll ignore other fields directly.

[alculquicondor]

Yes, we'll validate in Kueue.

[kerthcet]

Maybe describe that MaximumQuota = NominalQuota + BorrowingLimit is more intuitive.

[alculquicondor]

See update.

[kerthcet]

Suggested change

	// QueueLabel is the label key in the workload that holds the queue name.
	// QueueLabel is the label key in the job that holds the queue name.

[alculquicondor]

uhm... not sure. Others Job APIs should use the same label.

[alculquicondor]

/retest

[alculquicondor]

It looks like the CI was not liking having different shortnames across versions.

[mimowo]

Suggested change

	ReclaimWithinCohort PreemptionPolicy `json:"withinCohort,omitempty"`
	WithinCohort PreemptionPolicy `json:"withinCohort,omitempty"`

In order to align the struct name and the json field name.

[alculquicondor]

Oops, this was a mistake in #514. It should be reclaimWithinCohort

[mimowo]

Extend the list with PodsReady for consistency.

[alculquicondor]

Added.

[ahg-g]

I wonder if we can disambiguate this by naming it allowedNamespcesSelector?

[alculquicondor]

I don't anticipate other kind of namespaceSelector, so I don't see a strong benefit. There is also precedence in the NetworkPolicy https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource

[ahg-g]

The confusion I heard once was that this field selects the Jobs submitted to the queue. It would be better if the name coveys that this is about policy.

@liggitt any thoughts on naming here?

[liggitt]

how does a namespace submit workloads to the cluster queue? what happens if a workload in a namespace not matched by this selector tries to use this cluster queue?

[alculquicondor]

A namespace submits workloads to a LocalQueue. A LocalQueue references a ClusterQueue.

If the selector doesn't match, the Workload gets a Condition indicating that the Workload is not admitted because it doesn't match the namespaceSelector.

[ahg-g]

This is a basic form of policy enforcement, ideally the cluster admin sets up something like gatekeeper, but in most cases gatekeeper is an overkill.

[kerthcet]

I read the design docs https://docs.google.com/document/d/1Uu4hfGxux4Wh_laqZMLxXdEVdty06Sb2DwB035hj700/edit?resourcekey=0-b7mU7mGPCkEfhjyYDsXOBg#heading=h.dkobprho4lxe and I got the intension about adding a slice of resource names as a visual aid, just want to make sure we all agree on this. cc @ahg-g

[alculquicondor]

In addition to being a visual aid, it makes the API more explicit, which is a good principle.

But I agree that it might add burden, specially for resource groups with a single resource. But, on the other hand, ClusterQueues should be APIs that don't change often.

[kerthcet]

Oh, that means borrowed, not borrowing. my brain....

[kerthcet]

Thanks @alculquicondor for the great work, LGTMed.

[alculquicondor]

Thank you all
I think we are pretty much settled now.
I have been working in transitioning the controllers to the new APIs. I'll keep this PR open (on hold) just in case I find some limitations in the implementation.

[tenzen-y]

Thank you all I think we are pretty much settled now. I have been working in transitioning the controllers to the new APIs. I'll keep this PR open (on hold) just in case I find some limitations in the implementation.

Sounds good. I'm looking forward to kueue v1beta1 :)
If you would help from others, feel free to send a ping to me.

[kerthcet]

Revisit this label, I'm reading the api designs about MatchFields https://github.com/kubernetes/kubernetes/blob/fc8b5668f506b6d71ddc5243a21f5d0c5f8271d3/pkg/apis/core/types.go#L2558-L2563

This field was designed specially for daemonSet pod scheduling, one reason why we avoid to reuse MatchExpressions is because we can't model label as non-label usages(take daemonset for example, we're finding the exactly node not a set of nodes), in this case, it should be an unique localQueue name, not a set of queue names. Annotation is something we think not bad as an experimental feature, and considering we haven't populate queueName to job yet.

[alculquicondor]

Are you saying that we should stay with an annotation instead of a label?

I'm not understanding what you mean by a unique localQueue name. Multiple workloads can point to the same queue.

[kerthcet]

I mean a workload can only belong to one localQueue, we're taking the name field into labels,, which seems like we're abusing the label.

[alculquicondor]

This label is for the (custom) Job objects, not the Workloads. We call them workloads in general. Maybe we should call them jobs? not sure.

[alculquicondor]

/close
in favor of #604

[k8s-ci-robot]

@alculquicondor: Closed this PR.

In response to this:

/close
in favor of #604

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.