add defaultTolerationSeconds admission controller

gavinxub · Feb 18, 2017 · 83545a6 · 83545a6
1 parent b2df7e5
commit 83545a6
Show file tree

Hide file tree

Showing 6 changed files with 562 additions and 0 deletions.
diff --git a/hack/.linted_packages b/hack/.linted_packages
@@ -254,6 +254,7 @@ plugin/cmd/kube-scheduler
 plugin/cmd/kube-scheduler/app/options
 plugin/pkg/admission/admit
 plugin/pkg/admission/alwayspullimages
+plugin/pkg/admission/defaulttolerationseconds
 plugin/pkg/admission/deny
 plugin/pkg/admission/exec
 plugin/pkg/admission/gc

diff --git a/pkg/api/v1/helpers.go b/pkg/api/v1/helpers.go
@@ -296,6 +296,45 @@ func GetPodTolerations(pod *Pod) ([]Toleration, error) {
 	return GetTolerationsFromPodAnnotations(pod.Annotations)
 }
 
+// Tries to add a toleration to annotations list. Returns true if something was updated
+// false otherwise.
+func AddOrUpdateTolerationInPod(pod *Pod, toleration *Toleration) (bool, error) {
+	podTolerations, err := GetPodTolerations(pod)
+	if err != nil {
+		return false, err
+	}
+
+	var newTolerations []*Toleration
+	updated := false
+	for i := range podTolerations {
+		if toleration.MatchToleration(&podTolerations[i]) {
+			if api.Semantic.DeepEqual(toleration, podTolerations[i]) {
+				return false, nil
+			}
+			newTolerations = append(newTolerations, toleration)
+			updated = true
+			continue
+		}
+
+		newTolerations = append(newTolerations, &podTolerations[i])
+	}
+
+	if !updated {
+		newTolerations = append(newTolerations, toleration)
+	}
+
+	tolerationsData, err := json.Marshal(newTolerations)
+	if err != nil {
+		return false, err
+	}
+
+	if pod.Annotations == nil {
+		pod.Annotations = make(map[string]string)
+	}
+	pod.Annotations[TolerationsAnnotationKey] = string(tolerationsData)
+	return true, nil
+}
+
 // GetTaintsFromNodeAnnotations gets the json serialized taints data from Pod.Annotations
 // and converts it to the []Taint type in api.
 func GetTaintsFromNodeAnnotations(annotations map[string]string) ([]Taint, error) {
@@ -313,6 +352,16 @@ func GetNodeTaints(node *Node) ([]Taint, error) {
 	return GetTaintsFromNodeAnnotations(node.Annotations)
 }
 
+// MatchToleration checks if the toleration matches tolerationToMatch. Tolerations are unique by <key,effect,operator,value>,
+// if the two tolerations have same <key,effect,operator,value> combination, regard as they match.
+// TODO: uniqueness check for tolerations in api validations.
+func (t *Toleration) MatchToleration(tolerationToMatch *Toleration) bool {
+	return t.Key == tolerationToMatch.Key &&
+		t.Effect == tolerationToMatch.Effect &&
+		t.Operator == tolerationToMatch.Operator &&
+		t.Value == tolerationToMatch.Value
+}
+
 // ToleratesTaint checks if the toleration tolerates the taint.
 // The matching follows the rules below:
 // (1) Empty toleration.effect means to match all taint effects,

diff --git a/plugin/BUILD b/plugin/BUILD
@@ -17,6 +17,7 @@ filegroup(
         "//plugin/pkg/admission/admit:all-srcs",
         "//plugin/pkg/admission/alwayspullimages:all-srcs",
         "//plugin/pkg/admission/antiaffinity:all-srcs",
+        "//plugin/pkg/admission/defaulttolerationseconds:all-srcs",
         "//plugin/pkg/admission/deny:all-srcs",
         "//plugin/pkg/admission/exec:all-srcs",
         "//plugin/pkg/admission/gc:all-srcs",

diff --git a/plugin/pkg/admission/defaulttolerationseconds/BUILD b/plugin/pkg/admission/defaulttolerationseconds/BUILD
@@ -0,0 +1,47 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["admission_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/v1:go_default_library",
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apiserver/pkg/admission",
+    ],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["admission.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api/v1:go_default_library",
+        "//vendor:github.com/golang/glog",
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apiserver/pkg/admission",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
diff --git a/plugin/pkg/admission/defaulttolerationseconds/admission.go b/plugin/pkg/admission/defaulttolerationseconds/admission.go
@@ -0,0 +1,126 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package defaulttolerationseconds
+
+import (
+	"flag"
+	"fmt"
+	"io"
+
+	"github.com/golang/glog"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/kubernetes/pkg/api/v1"
+)
+
+var (
+	defaultNotReadyTolerationSeconds = flag.Int64("default-not-ready-toleration-seconds", 300,
+		"Indicates the tolerationSeconds of the toleration for `notReady:NoExecute`"+
+			" that is added by default to every pod that does not already have such a toleration.")
+
+	defaultUnreachableTolerationSeconds = flag.Int64("default-unreachable-toleration-seconds", 300,
+		"Indicates the tolerationSeconds of the toleration for unreachable:NoExecute"+
+			" that is added by default to every pod that does not already have such a toleration.")
+)
+
+func init() {
+	admission.RegisterPlugin("DefaultTolerationSeconds", func(config io.Reader) (admission.Interface, error) {
+		return NewDefaultTolerationSeconds(), nil
+	})
+}
+
+// plugin contains the client used by the admission controller
+// It will add default tolerations for every pod
+// that tolerate taints `notReady:NoExecute` and `unreachable:NoExecute`,
+// with tolerationSeconds of 300s.
+// If the pod already specifies a toleration for taint `notReady:NoExecute`
+// or `unreachable:NoExecute`, the plugin won't touch it.
+type plugin struct {
+	*admission.Handler
+}
+
+// NewDefaultTolerationSeconds creates a new instance of the DefaultTolerationSeconds admission controller
+func NewDefaultTolerationSeconds() admission.Interface {
+	return &plugin{
+		Handler: admission.NewHandler(admission.Create, admission.Update),
+	}
+}
+
+func (p *plugin) Admit(attributes admission.Attributes) (err error) {
+	if attributes.GetResource().GroupResource() != v1.Resource("pods") {
+		return nil
+	}
+
+	pod, ok := attributes.GetObject().(*v1.Pod)
+	if !ok {
+		glog.Errorf("expected pod but got %s", attributes.GetKind().Kind)
+		return nil
+	}
+
+	tolerations, err := v1.GetPodTolerations(pod)
+	if err != nil {
+		glog.V(5).Infof("Invalid pod tolerations detected, but we will leave handling of this to validation phase")
+		return nil
+	}
+
+	toleratesNodeNotReady := false
+	toleratesNodeUnreachable := false
+	for _, toleration := range tolerations {
+		if (toleration.Key == metav1.TaintNodeNotReady || len(toleration.Key) == 0) &&
+			(toleration.Effect == v1.TaintEffectNoExecute || len(toleration.Effect) == 0) {
+			toleratesNodeNotReady = true
+		}
+
+		if (toleration.Key == metav1.TaintNodeUnreachable || len(toleration.Key) == 0) &&
+			(toleration.Effect == v1.TaintEffectNoExecute || len(toleration.Effect) == 0) {
+			toleratesNodeUnreachable = true
+		}
+	}
+
+	// no change is required, return immediately
+	if toleratesNodeNotReady && toleratesNodeUnreachable {
+		return nil
+	}
+
+	if !toleratesNodeNotReady {
+		_, err := v1.AddOrUpdateTolerationInPod(pod, &v1.Toleration{
+			Key:               metav1.TaintNodeNotReady,
+			Operator:          v1.TolerationOpExists,
+			Effect:            v1.TaintEffectNoExecute,
+			TolerationSeconds: defaultNotReadyTolerationSeconds,
+		})
+		if err != nil {
+			return admission.NewForbidden(attributes,
+				fmt.Errorf("failed to add default tolerations for taints `notReady:NoExecute` and `unreachable:NoExecute`, err: %v", err))
+		}
+	}
+
+	if !toleratesNodeUnreachable {
+		_, err := v1.AddOrUpdateTolerationInPod(pod, &v1.Toleration{
+			Key:               metav1.TaintNodeUnreachable,
+			Operator:          v1.TolerationOpExists,
+			Effect:            v1.TaintEffectNoExecute,
+			TolerationSeconds: defaultUnreachableTolerationSeconds,
+		})
+		if err != nil {
+			return admission.NewForbidden(attributes,
+				fmt.Errorf("failed to add default tolerations for taints `notReady:NoExecute` and `unreachable:NoExecute`, err: %v", err))
+		}
+	}
+	return nil
+}