add nodeselector field to builds #11144
Conversation
|
@openshift/api-review before i go any further w/ this, can i get an api-review? |
bparees
force-pushed
the
build_nodeselector
branch
from
5921bc4
to
1d92117
Compare
Would I be correct in assuming that you'll expect to add tolerations at some point as well? The name of the type implies it affects creates. Does it also apply to updates? Is the name immutable? |
yes, though that may not be part of the build definition itself since it likely would not be under user control, it might be something we directly apply to build pods.
the name+behavior is the same name pod templates use for node selection. i don't follow your questions... the build pod nodeselector field will be populated w/ whatever value exists on the buildconfig or build at the time the build is started. |
Seems like a cluster-admin would expect that if he says: "build pods will have node selector A", no user would be able to control the node selector, so allowing it to be set per-buildconfig may not be appropriate except as an additional constraint. |
if they set the admission controller override value, that's what they'll get, right? they'll get the selector labels defined by the override settings, and then any additional selectors they explicitly define on their buildconfig. short of a user waiting for their build pod to be created, then updating the nodeselector value on the build pod (if that's even possible? if it is, perhaps we can enforce a constraint that prevents that). And there are valid use cases for letting users pick the nodeselector for their build (consider a cluster that has multiple build farms, some for memory bound builds, some for cpu bound builds) my understanding from discussions w/ @smarterclayton is that basically we recognize users can make apps pretend to be builds and builds pretend to be apps, so pretending that nodeselectors provide any real guarantees against subversive users doesn't make sense. |
You can't stop a user from creating a pod and pretending its a build, but you can prevent the build controller from creating a pod and pretending its not a build. And-ing the condition would work. If you doing that unconditionally, this isn't defaulting, its forcing. |
which is what the override admission controller does.
the overrider applies all the keys explicitly. the defaulter applies the keys if the buildconfig itself hasn't already defined it. |
|
Knowing that there's two, the idea seems fine. Applying this to build pods (or pods you recognize as build pods) means that this will be hard to compose on top of a stock kube. This seems like it could be applied to Builds themselves, which would allow the same effect (build controller makes the build pods according to the build), but setting the values on builds would allow this admission plugin to live cleanly in origin. |
openshift-bot
added
the
needs-rebase
bparees
force-pushed
the
build_nodeselector
branch
from
1d92117
to
c834bf5
Compare
bparees
force-pushed
the
build_nodeselector
branch
from
e2c3417
to
d8814bb
Compare
|
[test] |
openshift-bot
removed
the
needs-rebase
bparees
force-pushed
the
build_nodeselector
branch
from
d8814bb
to
8a953c9
Compare
So i do think we want to refactor these admission controllers in general to operate on builds instead of pods, but there are a few things preventing us from doing that today:
The answer to all of these in the future is for us to get cleaner about separating "spec" and "status" fields in our builds, and setting the override/default values on the status section, not the spec section, and then ensure that users can't update the status fields, only the spec fields. But for now, i think we will just follow the patterns we've laid out for build admission controllers, which is that we modify the pod directly to control behavior. I think the refactor would be part of a v2 api, there's a lot of other things about the current build spec/status api that we need to address with that. wdyt? |
bparees
force-pushed
the
build_nodeselector
branch
4 times, most recently
from
0805f61
to
fc83a44
Compare
openshift-bot
added
the
needs-rebase
|
flake #9548 |
bparees
force-pushed
the
build_nodeselector
branch
2 times, most recently
from
c8338ed
to
537542b
Compare
|
@openshift/api-review can i get a sign off? |
bparees
force-pushed
the
build_nodeselector
branch
from
537542b
to
000a45e
Compare
openshift-bot
removed
the
needs-rebase
| @@ -41,10 +41,11 @@ type buildOverrides struct { | |||
| // NewBuildOverrides returns an admission control for builds that overrides | |||
| // settings on builds | |||
| func NewBuildOverrides(overridesConfig *overridesapi.BuildOverridesConfig) admission.Interface { | |||
| return &buildOverrides{ | |||
| a := &buildOverrides{ | |||
There was a problem hiding this comment.
i think it's leftover from some debugging, i'll remove it.
|
Your admission plugin runs after |
bparees
force-pushed
the
build_nodeselector
branch
from
000a45e
to
af36a77
Compare
|
I'm fine with the new fields, but this allows any clever project-editor to bypass the node selection criteria and get any pod he wants scheduled to a different location by bypassing the node selector admission plugins. I don't think that sort of "escalate me" behavior was intended. If it was, some reasoning about the repercussions of allowing any user to escape their node selector would be helpful. |
bparees
force-pushed
the
build_nodeselector
branch
from
af36a77
to
3573064
Compare
|
ok @smarterclayton we've reached the point where we need you to weigh in: if we run the build admission controllers last(such that they can override nodeselector values from the project nodeselector admission control), @deads2k's concern is that an admin does the following:
then bob creates a pod that looks like a build but runs as root/etc. That pod gets scheduled onto the build farm nodes but has scary privileges. my concern with running the build admission controllers first is:
Users will get a "nodeselector conflict" when the project nodeselector admission control tries to set the nodeselector to node=FOO when it's already set to node=BAR. Using a distinct set of keys (app=FOO, build=BAR) doesn't help because now even if you label your app nodes as "app=FOO" and your build nodes as "app=FOO,build=BAR", apps can get scheduled onto the build farm nodes. So do we want an impossible to use feature or an insecure feature? :) |
|
Also, once admission is split into mutation and authorization stages, this admission plugin would be impossible to have in the chain and in conflict with the pod node selector authorization stage of admission. If we allow it to bypass the pod node selector admission plugin now, in 1.5 or 1.6 we'll have to choose one admission plugin to remove from the chain. |
bparees
force-pushed
the
build_nodeselector
branch
from
3573064
to
f548db0
Compare
A taint/toleration with control over who can use a toleration (authorization check we can allow for the buildcontroller), would prevent apps from being scheduled to build nodes. |
except that:
|
|
I'll read the thread tomorrow.
|
|
discussed with @smarterclayton, the selection was "implement the useless version of the feature" but also a bonus prize of "and rip out all the admission controllers while you're at it", so..i'll be back. |
|
With the ability to set a default toleration on builds so that admins can On Wed, Oct 12, 2016 at 4:22 PM, Ben Parees notifications@github.com
|
not in 3.4, no. |
|
Discussion today is that without that this feature isn't complete enough. On Oct 12, 2016, at 4:52 PM, Ben Parees notifications@github.com wrote: With the ability to set a default toleration on builds so that admins can not in 3.4, no. — |
then we should punt on doing this until we can do it right. which is not 3.4. |
openshift-bot
added
the
needs-rebase
|
@smarterclayton @liggitt ok here's my compromise proposal: in addition to default/override nodeselectors, we'll allow default/override annotations that will be applied to the pod. Admins can use that to set the toleration annotation as an override/default annotation on build pods. Acceptable? It avoids tying us directly to the current taints/toleration implementation while providing a semi-useful general feature. |
|
Evaluated for origin test up to 73c8473 |
|
continuous-integration/openshift-jenkins/test Running (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10075/) (Base Commit: 2142bdb) |
|
Origin Action Required: Pull request cannot be automatically merged, please rebase your branch from latest HEAD and push again |
|
I still don't understand what you mean by the "default taints/toleration I'm fine with adding default override annotations. On Fri, Oct 14, 2016 at 1:04 PM, Ben Parees notifications@github.com
|
since i never said those words, i don't know either? what structs? The only aspect of taints/tolerations i know about/care about is that you specify tolerations by putting an annotation on your pod:
With those things in mind, I don't want to expose build override/defaulting logic that is explicitly tied to an alpha annotation. I'm ok w/ tying it to a generic annotation mechanism and letting users use it to set an alpha annotation if they so choose. if/when toleration becomes a first class field, we'll have to revisit the override/defaulter to add another field (tolerations) that admins can explicitly provide an override for. |
|
abandoning this in favor of #11380 due to merge conflict mess. |
fixes #9971