VPA: Allow VPA updater to actuate recommendations in-place

Signed-off-by: Max Cao <[email protected]>

Author: maxcao13

vertical-pod-autoscaler/deploy/vpa-rbac.yaml

@@ -121,6 +121,32 @@ rules:
       - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:vpa-updater-in-place
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods/resize
+      - pods
+    verbs:
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:vpa-updater-in-place-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:vpa-updater-in-place
+subjects:
+  - kind: ServiceAccount
+    name: vpa-updater
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: system:metrics-reader

vertical-pod-autoscaler/pkg/admission-controller/resource/pod/patch/resource_updates.go

@@ -78,7 +78,7 @@ func getContainerPatch(pod *core.Pod, i int, annotationsPerContainer vpa_api_uti
 	// Add empty resources object if missing.
 	if pod.Spec.Containers[i].Resources.Limits == nil &&
 		pod.Spec.Containers[i].Resources.Requests == nil {
-		patches = append(patches, getPatchInitializingEmptyResources(i))
+		patches = append(patches, GetPatchInitializingEmptyResources(i))
 	}
 
 	annotations, found := annotationsPerContainer[pod.Spec.Containers[i].Name]
@@ -96,31 +96,35 @@ func getContainerPatch(pod *core.Pod, i int, annotationsPerContainer vpa_api_uti
 func appendPatchesAndAnnotations(patches []resource_admission.PatchRecord, annotations []string, current core.ResourceList, containerIndex int, resources core.ResourceList, fieldName, resourceName string) ([]resource_admission.PatchRecord, []string) {
 	// Add empty object if it's missing and we're about to fill it.
 	if current == nil && len(resources) > 0 {
-		patches = append(patches, getPatchInitializingEmptyResourcesSubfield(containerIndex, fieldName))
+		patches = append(patches, GetPatchInitializingEmptyResourcesSubfield(containerIndex, fieldName))
 	}
 	for resource, request := range resources {
-		patches = append(patches, getAddResourceRequirementValuePatch(containerIndex, fieldName, resource, request))
+		patches = append(patches, GetAddResourceRequirementValuePatch(containerIndex, fieldName, resource, request))
 		annotations = append(annotations, fmt.Sprintf("%s %s", resource, resourceName))
 	}
 	return patches, annotations
 }
 
-func getAddResourceRequirementValuePatch(i int, kind string, resource core.ResourceName, quantity resource.Quantity) resource_admission.PatchRecord {
+// GetAddResourceRequirementValuePatch returns a patch record to add resource requirements to a container.
+func GetAddResourceRequirementValuePatch(i int, kind string, resource core.ResourceName, quantity resource.Quantity) resource_admission.PatchRecord {
 	return resource_admission.PatchRecord{
 		Op:    "add",
 		Path:  fmt.Sprintf("/spec/containers/%d/resources/%s/%s", i, kind, resource),
 		Value: quantity.String()}
 }
 
-func getPatchInitializingEmptyResources(i int) resource_admission.PatchRecord {
+// GetPatchInitializingEmptyResources returns a patch record to initialize an empty resources object for a container.
+func GetPatchInitializingEmptyResources(i int) resource_admission.PatchRecord {
 	return resource_admission.PatchRecord{
 		Op:    "add",
 		Path:  fmt.Sprintf("/spec/containers/%d/resources", i),
 		Value: core.ResourceRequirements{},
 	}
 }
 
-func getPatchInitializingEmptyResourcesSubfield(i int, kind string) resource_admission.PatchRecord {
+// GetPatchInitializingEmptyResourcesSubfield returns a patch record to initialize an empty subfield
+// (e.g., "requests" or "limits") within a container's resources object.
+func GetPatchInitializingEmptyResourcesSubfield(i int, kind string) resource_admission.PatchRecord {
 	return resource_admission.PatchRecord{
 		Op:    "add",
 		Path:  fmt.Sprintf("/spec/containers/%d/resources/%s", i, kind),

vertical-pod-autoscaler/pkg/updater/eviction/pods_eviction_restriction.go

@@ -28,6 +28,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	apiv1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/admission-controller/resource/pod/patch"
 	appsinformer "k8s.io/client-go/informers/apps/v1"
 	coreinformer "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes/fake"
@@ -47,6 +48,10 @@ func getBasicVpa() *vpa_types.VerticalPodAutoscaler {
 	return test.VerticalPodAutoscaler().WithContainer("any").Get()
 }
 
+func getNoopPatchCalculators() []patch.Calculator {
+	return []patch.Calculator{}
+}
+
 func TestEvictReplicatedByController(t *testing.T) {
 	rc := apiv1.ReplicationController{
 		ObjectMeta: metav1.ObjectMeta{
@@ -73,13 +78,15 @@ func TestEvictReplicatedByController(t *testing.T) {
 		replicas          int32
 		evictionTolerance float64
 		vpa               *vpa_types.VerticalPodAutoscaler
+		calculators       []patch.Calculator
 		pods              []podWithExpectations
 	}{
 		{
 			name:              "Evict only first pod (half of 3).",
 			replicas:          3,
 			evictionTolerance: 0.5,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -103,6 +110,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          4,
 			evictionTolerance: 0.5,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 
@@ -132,6 +140,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          4,
 			evictionTolerance: 0.5,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -155,6 +164,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          3,
 			evictionTolerance: 0.1,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -178,6 +188,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          3,
 			evictionTolerance: 0.1,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -196,6 +207,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          3,
 			evictionTolerance: 0.5,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -219,6 +231,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          4,
 			evictionTolerance: 0.5,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -247,6 +260,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          1,
 			evictionTolerance: 0.5,
 			vpa:               getBasicVpa(),
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -260,6 +274,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			replicas:          1,
 			evictionTolerance: 0.5,
 			vpa:               vpaSingleReplica,
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().Get(),
@@ -279,7 +294,7 @@ func TestEvictReplicatedByController(t *testing.T) {
 			pods = append(pods, p.pod)
 		}
 		factory, _ := getEvictionRestrictionFactory(&rc, nil, nil, nil, 2, testCase.evictionTolerance)
-		eviction := factory.NewPodsEvictionRestriction(pods, testCase.vpa)
+		eviction := factory.NewPodsEvictionRestriction(pods, testCase.vpa, testCase.calculators)
 		for i, p := range testCase.pods {
 			assert.Equalf(t, p.canEvict, eviction.CanEvict(p.pod), "TC %v - unexpected CanEvict result for pod-%v %#v", testCase.name, i, p.pod)
 		}
@@ -318,7 +333,7 @@ func TestEvictReplicatedByReplicaSet(t *testing.T) {
 
 	basicVpa := getBasicVpa()
 	factory, _ := getEvictionRestrictionFactory(nil, &rs, nil, nil, 2, 0.5)
-	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa)
+	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa, getNoopPatchCalculators())
 
 	for _, pod := range pods {
 		assert.True(t, eviction.CanEvict(pod))
@@ -358,7 +373,7 @@ func TestEvictReplicatedByStatefulSet(t *testing.T) {
 
 	basicVpa := getBasicVpa()
 	factory, _ := getEvictionRestrictionFactory(nil, nil, &ss, nil, 2, 0.5)
-	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa)
+	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa, getNoopPatchCalculators())
 
 	for _, pod := range pods {
 		assert.True(t, eviction.CanEvict(pod))
@@ -397,7 +412,7 @@ func TestEvictReplicatedByDaemonSet(t *testing.T) {
 
 	basicVpa := getBasicVpa()
 	factory, _ := getEvictionRestrictionFactory(nil, nil, nil, &ds, 2, 0.5)
-	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa)
+	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa, getNoopPatchCalculators())
 
 	for _, pod := range pods {
 		assert.True(t, eviction.CanEvict(pod))
@@ -433,7 +448,7 @@ func TestEvictReplicatedByJob(t *testing.T) {
 
 	basicVpa := getBasicVpa()
 	factory, _ := getEvictionRestrictionFactory(nil, nil, nil, nil, 2, 0.5)
-	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa)
+	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa, getNoopPatchCalculators())
 
 	for _, pod := range pods {
 		assert.True(t, eviction.CanEvict(pod))
@@ -473,7 +488,7 @@ func TestEvictTooFewReplicas(t *testing.T) {
 
 	basicVpa := getBasicVpa()
 	factory, _ := getEvictionRestrictionFactory(&rc, nil, nil, nil, 10, 0.5)
-	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa)
+	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa, getNoopPatchCalculators())
 
 	for _, pod := range pods {
 		assert.False(t, eviction.CanEvict(pod))
@@ -510,7 +525,7 @@ func TestEvictionTolerance(t *testing.T) {
 
 	basicVpa := getBasicVpa()
 	factory, _ := getEvictionRestrictionFactory(&rc, nil, nil, nil, 2 /*minReplicas*/, tolerance)
-	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa)
+	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa, getNoopPatchCalculators())
 
 	for _, pod := range pods {
 		assert.True(t, eviction.CanEvict(pod))
@@ -551,7 +566,7 @@ func TestEvictAtLeastOne(t *testing.T) {
 
 	basicVpa := getBasicVpa()
 	factory, _ := getEvictionRestrictionFactory(&rc, nil, nil, nil, 2, tolerance)
-	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa)
+	eviction := factory.NewPodsEvictionRestriction(pods, basicVpa, getNoopPatchCalculators())
 
 	for _, pod := range pods {
 		assert.True(t, eviction.CanEvict(pod))
@@ -591,6 +606,7 @@ func TestEvictEmitEvent(t *testing.T) {
 		replicas          int32
 		evictionTolerance float64
 		vpa               *vpa_types.VerticalPodAutoscaler
+		calculators       []patch.Calculator
 		pods              []podWithExpectations
 		errorExpected     bool
 	}{
@@ -599,6 +615,7 @@ func TestEvictEmitEvent(t *testing.T) {
 			replicas:          4,
 			evictionTolerance: 0.5,
 			vpa:               basicVpa,
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 				{
 					pod:             generatePod().WithPhase(apiv1.PodPending).Get(),
@@ -618,6 +635,7 @@ func TestEvictEmitEvent(t *testing.T) {
 			replicas:          4,
 			evictionTolerance: 0.5,
 			vpa:               basicVpa,
+			calculators:       getNoopPatchCalculators(),
 			pods: []podWithExpectations{
 
 				{
@@ -639,7 +657,7 @@ func TestEvictEmitEvent(t *testing.T) {
 			pods = append(pods, p.pod)
 		}
 		factory, _ := getEvictionRestrictionFactory(&rc, nil, nil, nil, 2, testCase.evictionTolerance)
-		eviction := factory.NewPodsEvictionRestriction(pods, testCase.vpa)
+		eviction := factory.NewPodsEvictionRestriction(pods, testCase.vpa, testCase.calculators)
 
 		for _, p := range testCase.pods {
 			mockRecorder := test.MockEventRecorder()

vertical-pod-autoscaler/pkg/updater/eviction/pods_eviction_restriction_test.go

@@ -0,0 +1,83 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inplace
+
+import (
+	"fmt"
+
+	core "k8s.io/api/core/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/admission-controller/resource/pod/recommendation"
+	"k8s.io/klog/v2"
+
+	vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange"
+	vpa_api_util "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/vpa"
+)
+
+type inPlaceRecommendationProvider struct {
+	limitsRangeCalculator   limitrange.LimitRangeCalculator
+	recommendationProcessor vpa_api_util.RecommendationProcessor
+}
+
+// NewInPlaceRecommendationProvider constructs the recommendation provider that can be used to determine recommendations for pods.
+func NewInPlaceRecommendationProvider(calculator limitrange.LimitRangeCalculator,
+	recommendationProcessor vpa_api_util.RecommendationProcessor) recommendation.Provider {
+	return &inPlaceRecommendationProvider{
+		limitsRangeCalculator:   calculator,
+		recommendationProcessor: recommendationProcessor,
+	}
+}
+
+// GetContainersResourcesForPod returns recommended request for a given pod.
+// The returned slice corresponds 1-1 to containers in the Pod.
+func (p *inPlaceRecommendationProvider) GetContainersResourcesForPod(pod *core.Pod, vpa *vpa_types.VerticalPodAutoscaler) ([]vpa_api_util.ContainerResources, vpa_api_util.ContainerToAnnotationsMap, error) {
+	if vpa == nil || pod == nil {
+		klog.V(2).InfoS("Can't calculate recommendations, one of VPA or Pod is nil", "vpa", vpa, "pod", pod)
+		return nil, nil, nil
+	}
+	klog.V(2).InfoS("Updating requirements for pod", "pod", pod.Name)
+
+	recommendedPodResources := &vpa_types.RecommendedPodResources{}
+
+	if vpa.Status.Recommendation != nil {
+		var err error
+		// ignore annotations as they are cannot be used when patching resize subresource
+		recommendedPodResources, _, err = p.recommendationProcessor.Apply(vpa, pod)
+		if err != nil {
+			klog.V(2).InfoS("Cannot process recommendation for pod", "pod", klog.KObj(pod))
+			return nil, nil, err
+		}
+	}
+	containerLimitRange, err := p.limitsRangeCalculator.GetContainerLimitRangeItem(pod.Namespace)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error getting containerLimitRange: %s", err)
+	}
+	var resourcePolicy *vpa_types.PodResourcePolicy
+	if vpa.Spec.UpdatePolicy == nil || vpa.Spec.UpdatePolicy.UpdateMode == nil || *vpa.Spec.UpdatePolicy.UpdateMode != vpa_types.UpdateModeOff {
+		resourcePolicy = vpa.Spec.ResourcePolicy
+	}
+	containerResources := recommendation.GetContainersResources(pod, resourcePolicy, *recommendedPodResources, containerLimitRange, false, nil)
+
+	// Ensure that we are not propagating empty resource key if any.
+	for _, resource := range containerResources {
+		if resource.RemoveEmptyResourceKeyIfAny() {
+			klog.InfoS("An empty resource key was found and purged", "pod", klog.KObj(pod), "vpa", klog.KObj(vpa))
+		}
+	}
+
+	return containerResources, nil, nil
+}