github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #72076 from derekwaynecarr/pid-limiting

Browse Source 
SupportPodPidsLimit feature beta with tests
This commit is contained in:
Kubernetes Prow Robot
2019-01-10 01:18:30 -08:00
committed by GitHub
parent 152226c557 bce9d5f204
commit 0dbc99719a
7 changed files with 166 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/features/kube_features.go
View File

@@ -236,8 +236,9 @@ const (
// Implement IPVS-based in-cluster service load balancing
SupportIPVSProxyMode utilfeature.Feature = "SupportIPVSProxyMode"
// owner: @dims
// owner: @dims, @derekwaynecarr
// alpha: v1.10
// beta: v1.14
//
// Implement support for limiting pids in pods
SupportPodPidsLimit utilfeature.Feature = "SupportPodPidsLimit"
@@ -433,7 +434,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
StorageObjectInUseProtection: {Default: true, PreRelease: utilfeature.GA},
ResourceLimitsPriorityFunction: {Default: false, PreRelease: utilfeature.Alpha},
SupportIPVSProxyMode: {Default: true, PreRelease: utilfeature.GA},
SupportPodPidsLimit: {Default: false, PreRelease: utilfeature.Alpha},
SupportPodPidsLimit: {Default: true, PreRelease: utilfeature.Beta},
HyperVContainer: {Default: false, PreRelease: utilfeature.Alpha},
ScheduleDaemonSetPods: {Default: true, PreRelease: utilfeature.Beta},
TokenRequest: {Default: true, PreRelease: utilfeature.Beta},

2
pkg/kubelet/apis/config/types.go
View File

@@ -218,7 +218,7 @@ type KubeletConfiguration struct {
// The CIDR to use for pod IP addresses, only used in standalone mode.
// In cluster mode, this is obtained from the master.
PodCIDR string
// PodPidsLimit is the maximum number of pids in any pod.
// The maximum number of processes per pod. If -1, the kubelet defaults to the node allocatable pid capacity.
PodPidsLimit int64
// ResolverConfig is the resolver configuration file used as the basis
// for the container DNS resolution configuration.

3
pkg/kubelet/apis/config/v1beta1/defaults.go
View File

@@ -158,7 +158,8 @@ func SetDefaults_KubeletConfiguration(obj *kubeletconfigv1beta1.KubeletConfigura
if obj.MaxPods == 0 {
obj.MaxPods = 110
}
if obj.PodPidsLimit == nil {
// default nil or negative value to -1 (implies node allocatable pid limit)
if obj.PodPidsLimit == nil || *obj.PodPidsLimit < int64(0) {
temp := int64(-1)
obj.PodPidsLimit = &temp
}

10
pkg/kubelet/cm/cgroup_manager_linux.go
View File

@@ -257,7 +257,9 @@ func (m *cgroupManagerImpl) Exists(name CgroupName) bool {
// in https://github.com/opencontainers/runc/issues/1440
// once resolved, we can remove this code.
whitelistControllers := sets.NewString("cpu", "cpuacct", "cpuset", "memory", "systemd")
if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.SupportPodPidsLimit) {
whitelistControllers.Insert("pids")
}
var missingPaths []string
// If even one cgroup path doesn't exist, then the cgroup doesn't exist.
for controller, path := range cgroupPaths {
@@ -377,7 +379,11 @@ func (m *cgroupManagerImpl) toResources(resourceConfig *ResourceConfig) *libcont
if resourceConfig.CpuPeriod != nil {
resources.CpuPeriod = *resourceConfig.CpuPeriod
}
if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.SupportPodPidsLimit) {
if resourceConfig.PodPidsLimit != nil {
resources.PidsLimit = *resourceConfig.PodPidsLimit
}
}
// if huge pages are enabled, we set them in libcontainer
if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.HugePages) {
// for each page size enumerated, set that value