Granular resource limits proposal #8702
|
Hi @norbertcyran. Thanks for your PR. I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: norbertcyran The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
This proposal was initially discussed within autoscaling SIG in this doc: https://docs.google.com/document/d/1ORj3oW2ZaciROAbTmqBG1agCmP_8B4BqmCNnQAmqmyc/edit?usp=sharing |
|
FYI -- there is a karpenter specific proposal for this feature: https://github.com/kubernetes-sigs/karpenter/pull/2525/files#diff-5eac97882a24e1c56d7ac0dc9cd56c6c5d7ca182f5e1344bfe644eee898a5132R23. One of the key challenges mentioned is the "launch before terminate" challenge when doing upgrades and gracefully rolling capacity. This can cause you to get stuck if you're at your limits. Thoughts on expanding this proposal to reason about this case? |
From the perspective of the current state of CAS, differentiation between hard and soft limits does not make much sense, as there's no equivalent of Karpenter's node replacement. Scale down only consolidates the node if all pods running on it can be scheduled on other nodes already existing in the cluster. Therefore, functionality-wise, there would be no difference between hard and soft limits. However, such a solution would be more future-proof. FWIW, in GKE we have surge upgrades: https://docs.cloud.google.com/kubernetes-engine/docs/concepts/node-pool-upgrade-strategies#surge. As they are not handled by CAS, they bypass resource limits, but additionally we don't want the surge nodes to be counted towards the limits at all (i.e. if there exist both the old node and the surge node, we count them as one), so they don't block scale ups. To handle that, in the CAS resource limits implementation we plan to have a Alternatively to the soft and hard limits, I was thinking that something like
Having that said, I can see the potential usefulness of having both soft and hard limits, even if it makes the API slightly more complicated. Would you suggest having an API like that?

```yaml
...
limits:
  soft:
    resources:
      nodes: 8
  hard:
    resources:
      nodes: 12
```
|
Agree with these. Personally, I am not sure I am convinced by the soft/hard proposal. As you mention, there are other factors (like IPs) that cause limits as well. I suspect we will be forced to "terminate-before-launch" when at those limits (within PDBs). I lean towards a solution that treats limits as best-effort, where there are cases (i.e. surge updates) where the limits can temporarily be exceeded. I'm not sure the state of the art today, but when we first released limits in Karpenter, it was best effort due to launch parallelism. Mostly, I wanted to highlight this problem and get you in touch with the karpenter folks who are thinking about this (@maxcao13, @jmdeal, @jonathan-innis). I want to avoid Karpenter's limit semantics diverging from SIG Autoscaling API standards unless absolutely necessary. |
|
Thanks for the ping. Yeah, I have a similar proposal for Karpenter itself, since it does not support node limits for non-static capacity: kubernetes-sigs/karpenter#2525. I'm proposing soft/hard limits in a similar way. The API fields are slightly different because of backwards compatibility concerns, but generally the semantics I am agreeing with where soft limits can temporarily exceed the limit, but hard limits definitively constrain nodes from ever going over. If we can agree on one semantic across both proposals that would be ideal. For now I don't see a reason why it would be necessary to differ. |
Yeah, that would be ideal. I think the only difference is that we don't need the distinction between hard and soft limits yet in CAS, but we might need in the future, and I believe it's not a great cost to add it. Would you agree on the API suggested in #8702 (comment)? I'd prefer that API over Do you think you'll implement this API at some point in the future on the Karpenter side? |
Well for Karpenter, limits already exist in the spec of

```yaml
spec:
  limits:
    soft:
      nodes: 10
    hard:
      nodes: 12
    # Soft limits can still be specified at the top-level for backwards compatibility,
    # but this approach would no longer be documented.
    cpu: 10
```

like what was proposed in kubernetes-sigs/karpenter#2525 (comment). But it doesn't matter too much whether the API looks the same or not, just that intended semantic behaviour is consistent. This is a question just about the proposal in this PR, Is there a reason why there needs to be a
Would need to defer to the Karpenter reviewers/maintainers on this one :-) |
To be clear, hard/soft is @maxcao13's proposal for Karpenter. I am not convinced that making this distinction is the right direction. I am curious to explore https://kubernetes.io/docs/concepts/policy/resource-quotas/#quota-scopes as an answer to the launch before terminate problem. I could imagine customers including or excluding disruption reasons (i.e. drift/underutilized, cc: @jmdeal for commentary) as a way to achieve "soft" quotas.
If the shape of the API works for the Karpenter product experience, it's definitely preferable to support a standard -- I like how it's shaping up :). If we go this route, I could see these AutoscalingResourceQuotas being the preferred mechanism for specifying limits instead of |
| selector: | ||
| matchLabels: | ||
| example.cloud.com/machine-family: e2 | ||
| limits: |
We may want to consider hard here to conceptually align with https://kubernetes.io/docs/concepts/policy/resource-quotas/
Especially if we agree on hard/soft limits distinction. Let's see how the discussion goes and let's get back to this one
| memory: 256Gi | ||
| ``` | ||
| * `selector`: A standard Kubernetes label selector that determines which nodes |
I have finally realized why you called it scopeSelector, it's because it's in ResourceQuota 🤦♂️ .
yeah exactly, though @jonathan-innis noted that scopeSelector in ResourceQuota is a bit different, since it's not just a label selector, but rather a named filter that you need to reference via scopeName field. Here we just want to use a plain label selector. Therefore, indeed scopeSelector might not be an accurate name, and probably it's better to go with selector or nodeSelector (though this one might be inaccurate if we were to support DRA)
@maxcao13 That might seem redundant, yes. The main reason was to account for possible future support for DRA limits. There was a discussion around this here: https://docs.google.com/document/d/1ORj3oW2ZaciROAbTmqBG1agCmP_8B4BqmCNnQAmqmyc/edit?disco=AAABsjPQRlI In general, if we were to support DRA limits, we would probably put limits on devices. We will not be able to simply put them at the same level of nesting as other resources. Therefore, we have 2 options:

1.

```yaml
spec:
  limits:
    resources:
      cpu: 64
    draDevices: ... # possibly added in the future
```

2.

```yaml
spec:
  limits:
    cpu: 64
  draLimits: ...
```

API-wise, option 1 looks cleaner to me, even if it leaves more boilerplate initially. I'm open to other suggestions, though. |
|
I like the current proposal (modulo naming, but the comment thread about that seems to be converging to a better alternative). Regarding soft/hard limits, I would stick with proposed simple semantics. Excluding nodes from quota is possible based on labels, which will work in some cases. What I don't like about quota scopes is that they require specifying arbitrary categories that are not derived from labels. Would ensuring proper labels be a better solution? Specifically, a label saying "this node is intended to be removed" would be enough to exclude it from quota accounting. |
|
@x13n Thanks for review!
Just to clarify, we are not planning to have scopes similar to these in k8s
To be honest, this is something that I'd prefer to avoid - very often in cases like that, excluding/including specific categories of nodes should be considered a part of the business logic, and it doesn't really make sense to override this behavior. For example, nodes that are intended to be removed should always be included in the calculations. Otherwise, the following scenario is possible:
Similarly, excluding surge upgrade nodes in GKE also should be done by the business logic, as opposed to the user having to remember to exclude surge nodes in their quota definitions (and the label used for marking surge upgrade nodes), see #8702 (comment) for an idea how I plan to handle this specific case.

If we take Karpenter's launch-before-terminate consolidation as an example, excluding nodes undergoing consolidation with labels is far from perfect too: first, again the user would have to remember to exclude those nodes in the quotas. Second, there would be no limit how many extra resources would be spun up during the consolidation (the user might be fine with going 2 or 3 nodes above the limit temporarily, but not more). Third, the scenario I described before also applies here, I think: when we exclude nodes undergoing deletion from the usage calculations, Karpenter could provision new nodes, and if the consolidation fails, we end up with exceeded limit.

Having that said, I think that hard/soft distinction might be indeed the most suitable solution for use cases like that. Though initially, I'd probably suggest starting with only hard/soft limits, potentially adding the other limits in the future. That could look like the proposal in #8702 (comment), with the exception that the first iteration of the API would only include

```yaml
spec:
  limits:
    resources:
      cpu: 16
  burst:
    resources:
      cpu: 8 # during consolidation we can temporarily provision at most 8 additional CPUs
```

or:

```yaml
spec:
  limits:
    resources:
      cpu: 16
  hardLimits:
    resources:
      cpu: 24
```

Knowing for sure that in Karpenter hard/soft limit distinction will be required, it seems like a good decision to make the API extensible enough for it. Therefore, I think that starting with

```yaml
spec:
  limits:
    hard:
      resources:
        cpu: 8
    soft: # to be added in the future
```

@ellistarn WDYT? Do you possibly have ideas other than hard/soft limits distinction for the Karpenter's launch-before-terminate use case? I remember that you mentioned scopes like in k8s |
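The accounting problem raised in the comment above (excluding nodes that are marked for deletion from usage, then having the consolidation fail), as an added example that is not code from this PR, Cluster Autoscaler or Karpenter. The `Node` type, the `Usage` and `Scenario` functions, the `Deleting` flag and the node sizes are assumptions made for illustration; only the label key comes from the proposal's example.

```go
package main

import "fmt"

// Node is a constructed stand-in, not a Cluster Autoscaler or Karpenter type.
type Node struct {
	Labels   map[string]string
	CPU      int64
	Deleting bool // marked for removal by a consolidation in progress
}

// Usage sums CPU over selector-matching nodes, optionally skipping Deleting ones.
func Usage(sel map[string]string, nodes []Node, excludeDeleting bool) int64 {
	var used int64
next:
	for _, n := range nodes {
		for k, v := range sel {
			if n.Labels[k] != v {
				continue next
			}
		}
		if !(excludeDeleting && n.Deleting) {
			used += n.CPU
		}
	}
	return used
}

// Scenario admits one 8-CPU e2 node under a 16-CPU limit while another e2 node is
// being consolidated, then fails the consolidation; returns (admitted, real usage).
func Scenario(excludeDeleting bool) (bool, int64) {
	const key, limit = "example.cloud.com/machine-family", 16
	e2 := map[string]string{key: "e2"}
	nodes := []Node{ // constructed sample cluster
		{Labels: e2, CPU: 8},
		{Labels: e2, CPU: 8, Deleting: true},
		{Labels: map[string]string{key: "n2"}, CPU: 4}, // outside the selector
	}
	admitted := Usage(e2, nodes, excludeDeleting)+8 <= limit
	if admitted {
		nodes = append(nodes, Node{Labels: e2, CPU: 8})
	}
	nodes[1].Deleting = false // consolidation failed: the old node stays
	return admitted, Usage(e2, nodes, false)
}

func main() {
	fmt.Println(Scenario(true))
	fmt.Println(Scenario(false))
}
```

With deleting nodes excluded the scale-up is admitted and the selector ends up at 24 CPUs against a limit of 16; with them counted the scale-up is refused and usage stays at 16.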
|
We had a chat about this with @norbertcyran. The summary from my perspective:
@norbertcyran let me know if I missed anything! |
|
@x13n I think you summarized it very well, thank you! One thing to add regarding:
That probably needs further discussion, and it's unlikely that we will implement it in the first iteration. Though we definitely agree that there are potential current and future use cases of soft/hard limits distinction in CAS. For API completeness, we can include both soft and hard limits, even if we won't implement the soft limits on the CAS from the start. We will at least document that soft limits are no-op in CAS for now, or we can also add an admission webhook to ensure that soft limits are not used |
I really agree with this assertion. I'm not sure how or when customers would configure this, or how I would advise them to do so. This is also something that makes me generally uneasy about the soft/hard limits. I do not have any idea how I would explain to our customers when or how to use them. From an algorithm perspective, a soft limit would allow our launch-before-terminate behavior to work. A hard limit would not, leading to customers getting stuck. I think this is essentially unacceptable for 99% of customers, so we would likely recommend that everyone use Further, from a distributed systems perspective, I think we are overcomplicating this proposal, and should just focus on the core use case, which is granular limits based on label selections of nodes. From a naming perspective, I think we probably want to follow cc: @x13n @norbertcyran . Happy to jump on a call if it helps us close on this discussion more quickly. |
I am wondering then, is Karpenter not trending in the direction of general hard limits altogether? I think it is mentioned in the Karpenter specific proposal that the idea of hard limits is an acceptable one and that there's real use cases to want hard limits, at least for nodes, but due to the constraints you just mentioned I understand it is a very difficult problem by design. I know @jmdeal mentioned general hard limits is perhaps a natural next step, but I want to make sure we are on the same page here. FWIW, as someone who would very much like to see this proposal pass in both CAS and Karpenter, whatever limits are decided on are not crucial to my particular use cases, and I am not opinionated on the direction the community wants to go. |
|
Limits have to be best effort in my view, as making them consistent would require leasing/locking and have unacceptable performance implications. For this reason, I agree that hard is misleading. By the time we're best effort, I don't think it's unreasonable that we would use them for safe upgrades / etc in Karpenter. I could also see letting customers configure "terminate-before-launch" in some scenarios, but that would be a Karpenter feature, and unrelated to limits in my view. Soft could be interpreted in many ways -- I think of it more like a preference than anything. i.e., maybe soft would mean that customers would want to "fill up" all of their soft limits and then start breaking them? The use cases are very unclear to me, and I typically avoid trying to predict customer requirements unless I have to. It's somewhat indicative to me that ResourceQuota never found a use case for soft limits in a ~decade. In summary, I like this option best: |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds a proposal for support of granular resource limits in node autoscalers.
Does this PR introduce a user-facing change?