Draft: GPU Mutating Webhook

cmd/gpu-mutating-webhook/admission_controller.go

@@ -24,7 +24,7 @@
 	"log"
 	"net/http"
 
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
@@ -46,6 +46,7 @@
 
 type admitFunc func(*admissionv1.AdmissionRequest) ([]patchOperation, error)
 
+// Swati: skip nvidia-dra-driver-gpu ns as well
 func isKubeNamespace(ns string) bool {
 	return (ns == metav1.NamespacePublic || ns == metav1.NamespaceSystem)
 }

cmd/gpu-mutating-webhook/main.go

@@ -26,126 +26,155 @@ import (
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
 )
 
 const (
-	tlsDir      = `/etc/webhook/tls`
-	tlsCertFile = `tls.crt`
-	tlsKeyFile  = `tls.key`
+	tlsDir          = `/etc/webhook/tls`
+	tlsCertFile     = `tls.crt`
+	tlsKeyFile      = `tls.key`
+	gpuResourceName = "nvidia.com/gpu"
+	gpuClaimName    = "nvidia-gpu-resourceclaim"
+	gpuTemplateName = "nvidia-gpu-resourceclaim-template"
 )
 
 var (
-	podResource     = metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
-	gpuClaimName    = "nvidia-gpu-resourceclaim"
-	gpuTemplateName = "nvidia-gpu-resourceclaim-template"
+	podResource = metav1.GroupVersionResource{Version: "v1", Resource: "pods"}
 )
 
 func applyGPUMutation(req *admissionv1.AdmissionRequest) ([]patchOperation, error) {
-	// Only mutate if the incoming resource is a Pod CREATE request.
-	if req.Resource != podResource {
-		log.Printf("applyGPUMutation invoked for a non-Pod resource: %v", req.Resource)
-		return nil, nil
-	}
-	if req.Operation != admissionv1.Create {
-		log.Printf("applyGPUMutation invoked for operation %s, ignoring", req.Operation)
+	// Only mutate Pod CREATE
+	// Swati: may be add UPDATE
+	if req.Resource != podResource || req.Operation != admissionv1.Create {
+		klog.Infof("skip mutation for %v/%v", req.Resource, req.Operation)
 		return nil, nil
 	}
 
-	raw := req.Object.Raw
 	var pod corev1.Pod
-	if _, _, err := universalDeserializer.Decode(raw, nil, &pod); err != nil {
-		return nil, fmt.Errorf("could not deserialize pod object: %v", err)
+	if _, _, err := universalDeserializer.Decode(req.Object.Raw, nil, &pod); err != nil {
+		klog.Errorf("failed to decode Pod: %v", err)
+		return nil, fmt.Errorf("could not deserialize pod: %w", err)
 	}
 
+	key := escapeJSONPointer(gpuResourceName)
 	var patches []patchOperation
-
-	// Check if the Pod already has a resource claim
-	hasGPUClaim := false
-	for _, rc := range pod.Spec.ResourceClaims {
-		if rc.Name == gpuClaimName {
-			hasGPUClaim = true
-			break
+	var ctrGPUResourceClaims []string
+
+	// Iterate on all containers and check for "nvidia.com/gpu" limits
+	// using the logic described here for prefering limits over requests
+	// GPUs are only supposed to be specified in the limits section, meaning
+	// - can specify GPU limits without specifying requests. limit will be used as request value by default
+	// - can specify GPU in both limits and requests but they must be equal
+	// - cannot specify GPU requests without specifying limits
+	// refer: https://kubernetes.io/docs/tasks/manage-gpus/scheduling-gpus/#using-device-plugins
+	for ci, ctr := range pod.Spec.Containers {
+		ctrName := ctr.Name
+		limitCount, limitOk := ctr.Resources.Limits[gpuResourceName]
+
+		// skip if no GPUs in limits
+		if !limitOk || limitCount.Value() < 1 {
+			continue
 		}
-	}
-
-	// Escape "nvidia.com/gpu" for JSON Patch
-	escapedGPUKey := strings.ReplaceAll(strings.ReplaceAll("nvidia.com/gpu", "~", "~0"), "/", "~1")
-
-	for i, c := range pod.Spec.Containers {
-		foundGPU := false
-
-		if _, ok := c.Resources.Requests["nvidia.com/gpu"]; ok {
-			foundGPU = true
-			patches = append(patches, patchOperation{
-				Op:   "remove",
-				Path: fmt.Sprintf("/spec/containers/%d/resources/requests/%s", i, escapedGPUKey),
-			})
+		gpuCount := limitCount.Value()
+
+		// check any GPUs in requests
+		// it must be equal to limits
+		if reqCount, reqOK := ctr.Resources.Requests[gpuResourceName]; reqOK {
+			if reqCount.Value() != gpuCount {
+				klog.Warningf("container[%q]: gpu request (%d) != limit (%d), skipping mutation", ctrName, reqCount.Value(), gpuCount)
+				continue
+			}
+			reqPatch := removeResourceRequest(ci, "requests", key)
+			patches = append(patches, reqPatch)
+			klog.Infof("removed container[%q].Resources.Requests: %v", ctrName, reqPatch)
 		}
-
-		if _, ok := c.Resources.Limits["nvidia.com/gpu"]; ok {
-			foundGPU = true
-			patches = append(patches, patchOperation{
-				Op:   "remove",
-				Path: fmt.Sprintf("/spec/containers/%d/resources/limits/%s", i, escapedGPUKey),
-			})
+		limitPatch := removeResourceRequest(ci, "limits", key)
+		patches = append(patches, limitPatch)
+		klog.Infof("removed container[%q].Resources.Limits: %v", ctrName, limitPatch)
+
+		// ensure container-claims slice exists
+		// this is JSON way to first creating the field if it does not exist and append later with "-"
+		if len(ctr.Resources.Claims) == 0 {
+			createPatch := createClaimPatch(fmt.Sprintf("/spec/containers/%d/resources/claims", ci))
+			patches = append(patches, createPatch)
+			klog.Infof("created container[%q] empty claims array: %v", ctrName, createPatch)
 		}
 
-		if foundGPU {
-			gpuClaimPresent := false
-			for _, claimRef := range c.Resources.Claims {
-				if claimRef.Name == gpuClaimName {
-					gpuClaimPresent = true
-					break
-				}
-			}
-			if !gpuClaimPresent {
-				if c.Resources.Claims == nil {
-					patches = append(patches, patchOperation{
-						Op:   "add",
-						Path: fmt.Sprintf("/spec/containers/%d/resources/claims", i),
-						Value: []map[string]string{
-							{"name": gpuClaimName},
-						},
-					})
-				} else {
-					patches = append(patches, patchOperation{
-						Op:    "add",
-						Path:  fmt.Sprintf("/spec/containers/%d/resources/claims/-", i),
-						Value: map[string]string{"name": gpuClaimName},
-					})
-				}
-			}
+		// append one claim per GPU
+		for i := int64(0); i < gpuCount; i++ {
+			claimName := fmt.Sprintf("%s-%d", gpuClaimName, i)
+			ctrGPUResourceClaims = append(ctrGPUResourceClaims, claimName)
+			appendPatch := appendClaimPatch(
+				fmt.Sprintf("/spec/containers/%d/resources/claims", ci),
+				map[string]string{"name": claimName},
+			)
+			patches = append(patches, appendPatch)
+			klog.Infof("added to container[%q].Resources.Claims: %v", ctrName, appendPatch)
 		}
 	}
 
-	if len(patches) > 0 && !hasGPUClaim {
-		newClaim := map[string]string{
-			"name":                      gpuClaimName,
-			"resourceClaimTemplateName": gpuTemplateName,
+	// Add claims pod-level
+	podName := pod.Name
+	if len(ctrGPUResourceClaims) > 0 {
+		// ensure pod-claims slice exists
+		if len(pod.Spec.ResourceClaims) == 0 {
+			createPatch := createClaimPatch("/spec/resourceClaims")
+			patches = append(patches, createPatch)
+			klog.Infof("created pod[%q] empty claims array: %v", podName, createPatch)
 		}
 
-		if pod.Spec.ResourceClaims == nil {
-			patches = append(patches, patchOperation{
-				Op:   "add",
-				Path: "/spec/resourceClaims",
-				Value: []map[string]string{
-					newClaim,
+		// append each container GPU claim at pod-level
+		for _, name := range ctrGPUResourceClaims {
+			appendPatch := appendClaimPatch(
+				"/spec/resourceClaims",
+				map[string]string{
+					"name":                      name,
+					"resourceClaimTemplateName": gpuTemplateName,
 				},
-			})
-		} else {
-			patches = append(patches, patchOperation{
-				Op:    "add",
-				Path:  "/spec/resourceClaims/-",
-				Value: newClaim,
-			})
+			)
+			patches = append(patches, appendPatch)
+			klog.Infof("added ResourceClaim %q (template=%q) to %q: %v", name, gpuTemplateName, podName, appendPatch)
 		}
-		log.Printf("Added ResourceClaim %q referencing template %q to Pod %q",
-			gpuClaimName, gpuTemplateName, pod.Name)
 	}
 
 	return patches, nil
 }
 
+// escapeJSONPointer replace "/" with "~1"
+// refer: https://github.com/json-patch/json-patch-tests/issues/42
+// needed for "nvidia.com/gpu". otherwise JSON will treat "/" as a path delimiter and treat "gpu" as new field
+func escapeJSONPointer(s string) string {
+	return strings.ReplaceAll(s, "/", "~1")
+}
+
+// removeResourceRequest removes either .resources.requests or .resources.limits
+func removeResourceRequest(ci int, field, key string) patchOperation {
+	return patchOperation{
+		Op:   "remove",
+		Path: fmt.Sprintf("/spec/containers/%d/resources/%s/%s", ci, field, key),
+	}
+}
+
+// createClaimPatch creates an empty slice at the given path
+func createClaimPatch(path string) patchOperation {
+	return patchOperation{
+		Op:    "add",
+		Path:  path,
+		Value: []map[string]string{},
+	}
+}
+
+// appendClaimPatch appends to the slice at path
+// "-" is JSON way to inserting at the end of the array when no index is specified.
+// refer: https://datatracker.ietf.org/doc/html/rfc6902
+func appendClaimPatch(path string, entry map[string]string) patchOperation {
+	return patchOperation{
+		Op:    "add",
+		Path:  path + "/-",
+		Value: entry,
+	}
+}
+
 func main() {
 	certPath := filepath.Join(tlsDir, tlsCertFile)
 	keyPath := filepath.Join(tlsDir, tlsKeyFile)
@@ -157,6 +186,10 @@ func main() {
 		Addr:    ":8443",
 		Handler: mux,
 	}
-	log.Printf("Starting webhook server on %s", server.Addr)
-	log.Fatal(server.ListenAndServeTLS(certPath, keyPath))
+
+	if err := server.ListenAndServeTLS(certPath, keyPath); err != nil {
+		// Swati: need better error handling here
+		log.Fatalf("Failed to start server: %v", err)
+	}
+	klog.Infof("Started gpu-mutating-webhook server at %s", server.Addr)
 }