Allow VPA updater to actuate recommendations in-place

Signed-off-by: Max Cao <[email protected]>

Author: maxcao13

vertical-pod-autoscaler/pkg/admission-controller/config.go

@@ -157,8 +157,7 @@ func selfRegistration(clientset kubernetes.Interface, caCert []byte, webHookDela
 				AdmissionReviewVersions: []string{"v1"},
 				Rules: []admissionregistration.RuleWithOperations{
 					{
-						// we're watching for updates now also because of in-place VPA, but we only patch if the update was triggered by the updater
-						Operations: []admissionregistration.OperationType{admissionregistration.Create, admissionregistration.Update},
+						Operations: []admissionregistration.OperationType{admissionregistration.Create},
 						Rule: admissionregistration.Rule{
 							APIGroups:   []string{""},
 							APIVersions: []string{"v1"},

vertical-pod-autoscaler/pkg/admission-controller/resource/pod/handler.go

@@ -78,15 +78,6 @@ func (h *resourceHandler) GetPatches(ctx context.Context, ar *admissionv1.Admiss
 		pod.Namespace = namespace
 	}
 
-	// We're watching for updates now also because of in-place VPA, but we only want to act on the ones
-	// that were triggered by the updater so we don't violate disruption quotas
-	if ar.Operation == admissionv1.Update {
-		// The patcher will remove this annotation, it's just the signal that the updater okayed this
-		if _, ok := pod.Annotations["autoscaling.k8s.io/resize"]; !ok {
-			return nil, nil
-		}
-	}
-
 	klog.V(4).InfoS("Admitting pod", "pod", klog.KObj(&pod))
 	controllingVpa := h.vpaMatcher.GetMatchingVPA(ctx, &pod)
 	if controllingVpa == nil {
@@ -102,12 +93,6 @@ func (h *resourceHandler) GetPatches(ctx context.Context, ar *admissionv1.Admiss
 	if pod.Annotations == nil {
 		patches = append(patches, patch.GetAddEmptyAnnotationsPatch())
 	}
-	// TODO(jkyros): this is weird here, work it out with the above block somehow, but
-	// we need to have this annotation patched out
-	if ar.Operation == admissionv1.Update {
-		// TODO(jkyros): the squiggle is escaping the / in the annotation
-		patches = append(patches, patch.GetRemoveAnnotationPatch("autoscaling.k8s.io~1resize"))
-	}
 
 	for _, c := range h.patchCalculators {
 		partialPatches, err := c.CalculatePatches(&pod, controllingVpa)

vertical-pod-autoscaler/pkg/admission-controller/resource/pod/patch/util.go

@@ -39,11 +39,3 @@ func GetAddAnnotationPatch(annotationName, annotationValue string) resource_admi
 		Value: annotationValue,
 	}
 }
-
-// GetRemoveAnnotationPatch returns a patch that removes the specified annotation.
-func GetRemoveAnnotationPatch(annotationName string) resource_admission.PatchRecord {
-	return resource_admission.PatchRecord{
-		Op:   "remove",
-		Path: fmt.Sprintf("/metadata/annotations/%s", annotationName),
-	}
-}

vertical-pod-autoscaler/pkg/recommender/input/cluster_feeder.go

@@ -443,33 +443,6 @@ func (feeder *clusterStateFeeder) LoadPods() {
 	}
 }
 
-// PruneContainers prunes any containers from the intial aggregate states
-// that are no longer present in the aggregate states. This is important
-// for cases where a container has been renamed or removed, as otherwise
-// the VPA will split the recommended resources across containers that
-// are no longer present, resulting in the containers that are still
-// present being under-resourced
-func (feeder *clusterStateFeeder) PruneContainers2() {
-
-	var keysPruned int
-	// Look through all of our VPAs
-	for _, vpa := range feeder.clusterState.Vpas {
-		// TODO(jkyros): maybe vpa.PruneInitialAggregateContainerStates() ?
-		aggregates := vpa.AggregateStateByContainerNameWithoutCheckpoints()
-		// Check each initial state to see if it's still "real"
-		for container := range vpa.ContainersInitialAggregateState {
-			if _, ok := aggregates[container]; !ok {
-				delete(vpa.ContainersInitialAggregateState, container)
-				keysPruned = keysPruned + 1
-
-			}
-		}
-	}
-	if keysPruned > 0 {
-		klog.Infof("Pruned %d stale initial aggregate container keys", keysPruned)
-	}
-}
-
 // PruneContainers removes any containers from the aggregates and initial aggregates that are no longer
 // present in the feeder's clusterState. Without this, we would be averaging our resource calculations
 // over containers that no longer exist, and continuing to update checkpoints that should be left to expire.

vertical-pod-autoscaler/pkg/updater/eviction/inplace_recommendation_provider.go

@@ -0,0 +1,137 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package eviction
+
+import (
+	"fmt"
+
+	core "k8s.io/api/core/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/admission-controller/resource/pod/recommendation"
+	"k8s.io/klog/v2"
+
+	vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange"
+	vpa_api_util "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/vpa"
+)
+
+type inPlaceRecommendationProvider struct {
+	limitsRangeCalculator   limitrange.LimitRangeCalculator
+	recommendationProcessor vpa_api_util.RecommendationProcessor
+}
+
+// NewProvider constructs the recommendation provider that can be used to determine recommendations for pods.
+func NewInPlaceProvider(calculator limitrange.LimitRangeCalculator,
+	recommendationProcessor vpa_api_util.RecommendationProcessor) recommendation.Provider {
+	return &inPlaceRecommendationProvider{
+		limitsRangeCalculator:   calculator,
+		recommendationProcessor: recommendationProcessor,
+	}
+}
+
+// TODO(maxcao13): Strip down function to remove unnecessary stuff, or refactor so that it can be used in the admission controller as well
+// GetContainersResources returns the recommended resources for each container in the given pod in the same order they are specified in the pod.Spec.
+// If addAll is set to true, containers w/o a recommendation are also added to the list (and their non-recommended requests and limits will always be preserved if present),
+// otherwise they're skipped (default behaviour).
+func GetContainersResources(pod *core.Pod, vpaResourcePolicy *vpa_types.PodResourcePolicy, podRecommendation vpa_types.RecommendedPodResources, limitRange *core.LimitRangeItem,
+	addAll bool) []vpa_api_util.ContainerResources {
+	resources := make([]vpa_api_util.ContainerResources, len(pod.Spec.Containers))
+	for i, container := range pod.Spec.Containers {
+		recommendation := vpa_api_util.GetRecommendationForContainer(container.Name, &podRecommendation)
+		if recommendation == nil {
+			if !addAll {
+				klog.V(2).InfoS("No recommendation found for container, skipping", "container", container.Name)
+				continue
+			}
+			klog.V(2).InfoS("No match found for container, using Pod request", "container", container.Name)
+			resources[i].Requests = container.Resources.Requests
+		} else {
+			resources[i].Requests = recommendation.Target
+		}
+		defaultLimit := core.ResourceList{}
+		if limitRange != nil {
+			defaultLimit = limitRange.Default
+		}
+		containerControlledValues := vpa_api_util.GetContainerControlledValues(container.Name, vpaResourcePolicy)
+		if containerControlledValues == vpa_types.ContainerControlledValuesRequestsAndLimits {
+			proportionalLimits, _ := vpa_api_util.GetProportionalLimit(container.Resources.Limits, container.Resources.Requests, resources[i].Requests, defaultLimit)
+			if proportionalLimits != nil {
+				resources[i].Limits = proportionalLimits
+			}
+		}
+		// If the recommendation only contains CPU or Memory (if the VPA was configured this way), we need to make sure we "backfill" the other.
+		// Only do this when the addAll flag is true.
+		if addAll {
+			cpuRequest, hasCpuRequest := container.Resources.Requests[core.ResourceCPU]
+			if _, ok := resources[i].Requests[core.ResourceCPU]; !ok && hasCpuRequest {
+				resources[i].Requests[core.ResourceCPU] = cpuRequest
+			}
+			memRequest, hasMemRequest := container.Resources.Requests[core.ResourceMemory]
+			if _, ok := resources[i].Requests[core.ResourceMemory]; !ok && hasMemRequest {
+				resources[i].Requests[core.ResourceMemory] = memRequest
+			}
+			cpuLimit, hasCpuLimit := container.Resources.Limits[core.ResourceCPU]
+			if _, ok := resources[i].Limits[core.ResourceCPU]; !ok && hasCpuLimit {
+				resources[i].Limits[core.ResourceCPU] = cpuLimit
+			}
+			memLimit, hasMemLimit := container.Resources.Limits[core.ResourceMemory]
+			if _, ok := resources[i].Limits[core.ResourceMemory]; !ok && hasMemLimit {
+				resources[i].Limits[core.ResourceMemory] = memLimit
+			}
+		}
+	}
+	return resources
+}
+
+// GetContainersResourcesForPod returns recommended request for a given pod and associated annotations.
+// The returned slice corresponds 1-1 to containers in the Pod.
+func (p *inPlaceRecommendationProvider) GetContainersResourcesForPod(pod *core.Pod, vpa *vpa_types.VerticalPodAutoscaler) ([]vpa_api_util.ContainerResources, vpa_api_util.ContainerToAnnotationsMap, error) {
+	if vpa == nil || pod == nil {
+		klog.V(2).InfoS("Can't calculate recommendations, one of VPA or Pod is nil", "vpa", vpa, "pod", pod)
+		return nil, nil, nil
+	}
+	klog.V(2).InfoS("Updating requirements for pod", "pod", pod.Name)
+
+	recommendedPodResources := &vpa_types.RecommendedPodResources{}
+
+	if vpa.Status.Recommendation != nil {
+		var err error
+		// ignore annotations as they are not used in the in-place update
+		recommendedPodResources, _, err = p.recommendationProcessor.Apply(vpa, pod)
+		if err != nil {
+			klog.V(2).InfoS("Cannot process recommendation for pod", "pod", klog.KObj(pod))
+			return nil, nil, err
+		}
+	}
+	containerLimitRange, err := p.limitsRangeCalculator.GetContainerLimitRangeItem(pod.Namespace)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error getting containerLimitRange: %s", err)
+	}
+	var resourcePolicy *vpa_types.PodResourcePolicy
+	if vpa.Spec.UpdatePolicy == nil || vpa.Spec.UpdatePolicy.UpdateMode == nil || *vpa.Spec.UpdatePolicy.UpdateMode != vpa_types.UpdateModeOff {
+		resourcePolicy = vpa.Spec.ResourcePolicy
+	}
+	containerResources := GetContainersResources(pod, resourcePolicy, *recommendedPodResources, containerLimitRange, false)
+
+	// Ensure that we are not propagating empty resource key if any.
+	for _, resource := range containerResources {
+		if resource.RemoveEmptyResourceKeyIfAny() {
+			klog.InfoS("An empty resource key was found and purged", "pod", klog.KObj(pod), "vpa", klog.KObj(vpa))
+		}
+	}
+
+	return containerResources, nil, nil
+}

vertical-pod-autoscaler/pkg/updater/eviction/last_inplace_update.go

@@ -0,0 +1,39 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package eviction
+
+import (
+	core "k8s.io/api/core/v1"
+	resource_admission "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/admission-controller/resource"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/admission-controller/resource/pod/patch"
+
+	vpa_types "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/annotations"
+)
+
+type observedContainers struct{}
+
+func (*observedContainers) CalculatePatches(pod *core.Pod, _ *vpa_types.VerticalPodAutoscaler) ([]resource_admission.PatchRecord, error) {
+	vpaObservedContainersValue := annotations.GetVpaObservedContainersValue(pod)
+	return []resource_admission.PatchRecord{patch.GetAddAnnotationPatch(annotations.VpaObservedContainersLabel, vpaObservedContainersValue)}, nil
+}
+
+// NewLastInPlaceUpdateCalculator returns calculator for
+// observed containers patches.
+func NewLastInPlaceUpdateCalculator() patch.Calculator {
+	return &observedContainers{}
+}