Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Network binding plugin: Support sidecar resource specification #309

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

orelmisan
Copy link
Member

What this PR does / why we need it:
When registering a network binding plugin in the KubeVirt CR, it is possible to specify an optional sidecar container image.
The sidecar is currently created without resource specification, unless some spacial conditions apply.
This PR discusses the alternatives of specifying the sidecar container's resource requests.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:
The contents of this PR was split from #303.

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

Release note:

None

@kubevirt-bot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign cwilkers for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Jul 9, 2024
@orelmisan
Copy link
Member Author

/uncc @cwilkers @aburdenthehand
/cc @EdDev @ormergi

@kubevirt-bot kubevirt-bot requested review from EdDev and ormergi and removed request for aburdenthehand and cwilkers July 9, 2024 15:43
@orelmisan orelmisan changed the title Network binding plugin: Address sidecar resource specification Network binding plugin: Support sidecar resource specification Jul 9, 2024
Signed-off-by: Orel Misan <omisan@redhat.com>
@kubevirt-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@kubevirt-bot kubevirt-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 7, 2024
@aburdenthehand
Copy link
Member

/remove-lifecycle stale
@EdDev @ormergi please review

@kubevirt-bot kubevirt-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 14, 2024
Copy link
Member

@EdDev EdDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an important security improvement to protect such sidecards from leaking resources beyond what the plugin author and/or the cluster admin expected it to.

the network binding plugin sidecar containers do not have CPU/Memory requests and limits.
The sidecar container can have a memory leak and may cause node's destabilization.

Suggested solution:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: "Solution:" is enough.

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Oct 14, 2024
>
> Setting CPU/memory requests and/or limits for sidecar pods on the KubeVirt CR will apply uniformly on all [hook sidecar containers](https://kubevirt.io/user-guide/user_workloads/hook-sidecar/) and network binding plugin sidecar containers.

In the common scenario of a regular VM and no spacial configuration on the KubeVirt CR,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean special?

Suggested change
In the common scenario of a regular VM and no spacial configuration on the KubeVirt CR,
In the common scenario of a regular VM and no special configuration on the KubeVirt CR,

Comment on lines +259 to +263
sidecarImage: quay.io/kubevirt/mynetbindingplugin
sidecarResources:
requests:
cpu: 200m
memory: 20Mi
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about introducing some kind of sidecar configuration type?
For example:

sidecar:
  image:
  resources: 
    requests: 
    ...
    limits: 
    ....

Since API is in alpha stage I think this change can be done.

> Setting CPU/memory requests and/or limits for sidecar pods on the KubeVirt CR will apply uniformly on all [hook sidecar containers](https://kubevirt.io/user-guide/user_workloads/hook-sidecar/) and network binding plugin sidecar containers.

In the common scenario of a regular VM and no spacial configuration on the KubeVirt CR,
the network binding plugin sidecar containers do not have CPU/Memory requests and limits.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that users may not realize its a must to prevent resource leak.
Sure we can say its the user responsibility, but in practice it may turn out to be bad UX.

Does is it make sense to change Kubevirt to set some arbitrary default req/limits for the sidecar (that will be documented) to prevent potential leak?
The suggested API will enable override it.

@kubevirt-bot
Copy link

Pull requests that are marked with lgtm should receive a review
from an approver within 1 week.

After that period the bot marks them with the label needs-approver-review.

/label needs-approver-review

@kubevirt-bot kubevirt-bot added the needs-approver-review Indicates that a PR requires a review from an approver. label Oct 22, 2024
@xpivarc
Copy link
Member

xpivarc commented Nov 18, 2024

/sig network

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. needs-approver-review Indicates that a PR requires a review from an approver. sig/network size/L
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants