Enable PodTolerationRestriction admission in AKS #1719

Closed
slenky opened this issue Jul 8, 2020 · 8 comments

slenky commented Jul 8, 2020

I'd like to deploy Kubeflow resources to AKS spot instances but Azure adds spot nodeTaints by default.

I need to either remove that taint from all spot nodes or use PodTolerationRestriction in the kubeflow namespaces.

@slenky slenky changed the title Enable PodTolerationRestriction Enable PodTolerationRestriction admission in AKS Jul 8, 2020

ghost commented Jul 22, 2020

@Azure/aks-pm issue needs labels

@Azure Azure deleted a comment Jul 22, 2020

palma21 commented Jul 22, 2020

That taint is added to avoid workloads inadvertently landing on those pools, which can cause disruptions, so we require an explicit toleration on the workloads that can go there.

Adding your ask for PodTolerationRestriction to the backlog

@palma21 palma21 added feature feature-request Requested Features labels Jul 22, 2020
@palma21 palma21 added the spot label Jul 22, 2020
brudnyhenry commented

Hi,
We have the same problem: for some environments we don't want to have the automatic taint added.
For now we have to manually remove the taint with kubectl, but whenever a new node is provisioned it has the taint by default.
Is there a way to disable it for the spot nodepool?


slenky commented Aug 4, 2020

> Hi,
> We have the same problem: for some environments we don't want to have the automatic taint added.
> For now we have to manually remove the taint with kubectl, but whenever a new node is provisioned it has the taint by default.
> Is there a way to disable it for the spot nodepool?

I am currently deploying a DaemonSet with a nodeSelector and kubectl inside the container, which untaints the nodes for us. So when a new spot instance appears it also gets untainted immediately.

I'd rather do some checkbox for disabling that :)

brudnyhenry commented

@slenky could you share how you untaint the node? We are trying the same, but for an AKS cluster with just spot instances (default nodepool scaled to 0, spot nodepool scales to 0 at night and 1 in the morning).
We tried your approach, but the thing is kubectl from the "untainter" pod cannot connect to the kubectl API to do the untainting, because the coredns pod cannot be scheduled, and the coredns pod cannot be scheduled because of the taint... chicken and egg problem :)


slenky commented Aug 9, 2020

> @slenky could you share how you untaint the node? We are trying the same, but for an AKS cluster with just spot instances (default nodepool scaled to 0, spot nodepool scales to 0 at night and 1 in the morning).
> We tried your approach, but the thing is kubectl from the "untainter" pod cannot connect to the kubectl API to do the untainting, because the coredns pod cannot be scheduled, and the coredns pod cannot be scheduled because of the taint... chicken and egg problem :)

We have a small pool of system nodes always running, so no problems with that. Not sure, but will it work if you set the Kubernetes API host to 10.0.0.1 inside that pod?

daemonset.yaml

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: spot-node-untaint
  namespace: kube-system
  labels:
    app: spot-node-untaint
spec:
  selector:
    matchLabels:
      app: spot-node-untaint
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: spot-node-untaint
    spec:
      serviceAccountName: node-untaint
      containers:
      - name: node-untaint
        env:
        # Name of the node this pod landed on, so the script untaints only that node.
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        image: bitnami/kubectl:latest
        imagePullPolicy: Always
        command: ["/bin/bash"]
        args: ["/scripts/node-untaint-script.sh"]
        volumeMounts:
          - name: node-untaint-script
            mountPath: /scripts/
            readOnly: true
      volumes:
        - name: node-untaint-script
          configMap:
            name: node-untaint-script
      # Run only on spot nodes, and tolerate the spot taint so the pod can be scheduled there at all.
      nodeSelector:
        kubernetes.azure.com/scalesetpriority: "spot"
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - key: "kubernetes.azure.com/scalesetpriority"
          operator: "Equal"
          value: "spot"
          effect: "NoSchedule"
```

configmap.yaml

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-untaint-script
  namespace: kube-system
data:
  node-untaint-script.sh: |
    #!/bin/bash

    # The trailing "-" removes the taint with that key from the node.
    kubectl taint node ${NODE_NAME} kubernetes.azure.com/scalesetpriority-
    # Keep the container alive so the DaemonSet does not restart it in a loop.
    tail -f /dev/null
```

rbac.yaml

```yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: node-untaint
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-untaint
rules:
- apiGroups: [""]
  resources: ["nodes"]
  # "*" on nodes is broader than "kubectl taint" needs (get and patch); this is cluster-wide.
  verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-untaint
roleRef:
  kind: ClusterRole
  name: node-untaint
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: node-untaint
    namespace: kube-system
```
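As an added example (not code from this thread, from AKS or from Kubernetes), here is a simplified Python model of what the requested PodTolerationRestriction admission plugin does for a pod created in an annotated namespace: the namespace's default tolerations are merged into the pod and the result is checked against the namespace's toleration whitelist, so the spot taint can stay on the nodes instead of being stripped by a cluster-wide untaint DaemonSet. The two annotation keys are the plugin's documented ones; the namespace annotations and pod tolerations are constructed samples, and the conflict and whitelist rules are simplified.

```python
import json

# Namespace annotations read by the PodTolerationRestriction admission plugin.
DEFAULTS_KEY = "scheduler.alpha.kubernetes.io/defaultTolerations"
WHITELIST_KEY = "scheduler.alpha.kubernetes.io/tolerationsWhitelist"

# Constructed sample: a namespace whose pods should all default onto AKS spot
# nodes, and which permits no toleration other than that one.
SPOT_TOLERATION = {"key": "kubernetes.azure.com/scalesetpriority",
                   "operator": "Equal", "value": "spot", "effect": "NoSchedule"}
KUBEFLOW_NS = {DEFAULTS_KEY: json.dumps([SPOT_TOLERATION]),
               WHITELIST_KEY: json.dumps([SPOT_TOLERATION])}

def _norm(t):
    """Fill in toleration defaults so two tolerations compare field by field."""
    return (t.get("key", ""), t.get("operator", "Equal"),
            t.get("value", ""), t.get("effect", ""))

def _conflicts(ns_tols, pod_tols):
    """Simplified conflict rule: same key and effect, but not the same toleration."""
    return any(n.get("key") == p.get("key") and n.get("effect") == p.get("effect")
               and _norm(n) != _norm(p) for n in ns_tols for p in pod_tols)

def _covered(tol, whitelist):
    """A whitelist entry covers tol when every field it pins matches (Exists = any value)."""
    key, op, val, eff = _norm(tol)
    for w in whitelist:
        wkey, wop, wval, weff = _norm(w)
        if wkey not in ("", key) or weff not in ("", eff):
            continue
        if wop == "Exists" or (wop == op and wval == val):
            return True
    return False

def admit(ns_annotations, pod_tolerations):
    """Return (allowed, final_tolerations) for a pod created in the namespace."""
    defaults = json.loads(ns_annotations.get(DEFAULTS_KEY, "[]"))
    whitelist = json.loads(ns_annotations.get(WHITELIST_KEY, "[]"))
    if defaults and pod_tolerations and _conflicts(defaults, pod_tolerations):
        return False, []                      # namespace and pod disagree
    final = list(pod_tolerations)             # merge: the pod's own, then defaults
    final += [d for d in defaults if not any(_norm(d) == _norm(p) for p in final)]
    if whitelist and not all(_covered(t, whitelist) for t in final):
        return False, []                      # a toleration outside the whitelist
    return True, final
```

A pod created with no tolerations in the annotated namespace comes out tolerating the spot taint, while a pod that adds an unlisted toleration, or one that tolerates a different value for the same key, is rejected.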


matthewi commented Oct 7, 2020

This would be very useful outside of spot pools. (and/or PodNodeSelector)


ghost commented Oct 31, 2020

Thank you for the feature request. I'm closing this issue as this feature has shipped and it hasn't had activity for 7 days.

@ghost ghost closed this as completed Oct 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 1, 2020