New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Exclude kube-system namespace from seed VPA webhook #9727
Exclude kube-system namespace from seed VPA webhook #9727
Conversation
Skipping CI for Draft Pull Request. |
@andrerun: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/assign |
if v.values.ClusterType == component.ClusterTypeSeed { | ||
namespaceSelector = &metav1.LabelSelector{ | ||
MatchExpressions: []metav1.LabelSelectorRequirement{ | ||
{Key: "name", Operator: metav1.LabelSelectorOpNotIn, Values: []string{"kube-system"}}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The key should be kubernetes.io/metadata.name
, and there are constants that can be used here.
{Key: "name", Operator: metav1.LabelSelectorOpNotIn, Values: []string{"kube-system"}}, | |
{Key: corev1.LabelMetadataName, Operator: metav1.LabelSelectorOpNotIn, Values: []string{metav1.NamespaceSystem}}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Thanks for pointing me to the specific constant definitions!
/kind enhancement |
I am just wondering is this the right approach? If a GKE cluster has VPA enabled then isn't it better to not install VPA via Gardener, i.e. set The feature to install VPA on seeds was implemented for k8s clusters that are not equipped with VPA by the cluster vendor. With this change, such clusters will get the VPA from Gardener, however any component in the |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Is this related to this PR? When VPA is enabled for a Seed gardenlet installs the VPA CRDs and I think we can assume that there are no other VPAs in the cluster except the ones Gardener creates.
I am not sure this is something we have to consider or support. As I shared gardenlet is the component that installs the VPA CRDs on Seed bootstrap. So, the case you describe could only happen if GKE or any other K8s cluster provider for some reason initially does not create a VPA in kube-system, then gardenlet installs the CRDs and afterwards it decides to create a VPA in the kube-system namespace. cc @voelzmo |
The questions should be "Does Gardener have to install VPA controllers, CRDs, admission webhooks, etc. in the seeds that have VPA installed and maintained by the vendor?" My understanding is "no" as two different instances of controllers are acting on the same set of resources which leads to conflicts. So, for GKE clusters the landscape administrator must instruct Gardener to not install the VPA controllers, CRDs, webhooks, etc. in favor of the ones managed by Google. Alternatively, it should be explored if GKE can be configured to not enable the VPA for the cluster and then Gardener can install its own version of the controller. In both cases, I think the change in this PR is not needed. |
We had a short sync with @vpnachev and we found killer arguments against this PR:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: <omitted>
service:
name: vpa-webhook
namespace: garden
port: 443
failurePolicy: Ignore
matchPolicy: Exact
name: vpa.k8s.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
scope: '*'
- apiGroups:
- autoscaling.k8s.io
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- verticalpodautoscalers
scope: '*'
sideEffects: None
timeoutSeconds: 10 Due to /hold Any other opinions? Otherwise I would suggest to close this PR. If the warning in GKE is problem, we should rather open a ticket to them. |
Actually, it is public component: |
This was also discussed in the upstream VPA issue, with the same line of arguments: GKE shouldn't care about a webhook in kube-system, as long as And if we do put VPAs into |
/close |
@ialidzhikov: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
How to categorize this PR?
/area auto-scaling
/kind improvement
What this PR does / why we need it:
Before this PR, Gardener uses the same mutating webhook for VPA on shoots and seeds. In result, seed VPA performs admission control to the seed's kube-system namespace. This has no benefits, as seed VPA has no targets in that namespace, and can only cause problems. Specifically, it fails a sanity check currently implemented by GKE and leads to GKE issuing warning messages.
This PR excludes the
kube-system
namespace from the seed VPA webhook.Release note: