Add ability to add annotations to Runner Pods once they start running a job

[Nuru]

What would you like added?

Currently, you can add annotations to every Pod in a RunnerDeployment by adding them to the RunnerDeployment Spec under

spec:
  template:
    metadata:
      annotations:

I would like the ability to specify annotations to be added to Pods at the time the Pods are assigned jobs, so that idle Pods waiting for jobs do not have the same annotations as Pods running jobs.

Why is this needed?

Kubernetes cluster autoscaling solutions generally expect that a Pod runs a service that can be terminated on one Node and restarted on another with only a short duration needed to finish processing any in-flight requests. When the cluster is resized, the Cluster Autoscaler will do just that. However, GitHub Action Runner Jobs do not fit this model. If a Pod is terminated in the middle of a job, the job is lost. The likelihood of this happening is increased by the fact that the Action Runner Controller Autoscaler is expanding and contracting the size of the Runner Pool on a regular basis, causing the Cluster Autoscaler to more frequently want to scale up or scale down the EKS cluster, and, consequently, to move
Pods around.

In order to handle situations like this, cluster autoscalers typically allow Pods to indicate that they cannot be safely interrupted via an annotation. For the Kubernetes Cluster Autoscaler, you can add the annotation

"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"

For Karpenter, you can add the annotation

karpenter.sh/do-not-evict: "true"

An annotation like this should be added to Pods running jobs, so that the job can finish.

However, we do not want this annotation on idle Pods waiting for jobs. Otherwise, the Cluster Autoscaler would be prevented from removing nodes where the idle Pods are waiting, which is exactly the opposite of what we want.

The obvious solution is to have the ARC add the annotation to the Pod once a job is assigned to it. In the case of persistent runners, the annotation should be removed once the job is finished.

Additional context

It is practically impossible to run very long jobs on a Runner which the Cluster Autoscaler can terminate and evict unless the cluster is very stable in its capacity. Currently the only acceptable solutions are:

1. Set minReplicas = 0 and add the annotation to all pods, solving the problem by never leaving idle Pods deployed
2. Set up an ARC Autoscaler scheduled override to regularly drop minReplicas to zero to allow the Cluster Autoscaler to reclaim the Node(s) the idle Pod(s) are on

These solutions are less desirable because of (1) the lack of idle Runners to pick up jobs quickly and (2) long periods of time where the Cluster Autoscaler is prevented from scaling down the cluster.

[chlunde]

@nikola-jokic hi, it looks like this is possible now with ephemeral runners, as the object is updated with WORKFLOWRUNID etc. Is this something you plan to implement? If not, will you accept contributions for?

Do we need any way to configure what annotations are added? Do you have a suggestion for the API for that?

The new annotation for karpenter in the beta phase is karpenter.sh/do-not-disrupt: "true": https://karpenter.sh/v0.33/concepts/disruption/#pod-level-controls

[nikola-jokic]

Hey @chlunde,

You are completely right! We are planning to create configurable metrics for the listener and we can create an API that should make this feature easy to implement.

I applied both labels so this enhancement is also for the gha-runner-scale-set

[Nuru]

@nikola-jokic Please cross reference this request with https://github.com/orgs/community/discussions/82207 which explicitly asks for this feature for Runner Sets.

[pranjalg131]

Hey @nikola-jokic , we are using GIthub ARC at my organisation and would like to know If pull requests will be accepted for this issue as my usecase would just tag the pods with the correct labels to help in better cost accounting.

[nikola-jokic]

Hey everyone,

Just for me to better understand the problem statement, should labels be configured per scale set, or globally? My understanding is that global configuration would solve this problem (i.e. all scale sets will re-use this configuration to tag pods that are not safe to evict once the job lands on the runner). Are there any cases where users would benefit to have this configuration scale-set based?

[chlunde]

@nikola-jokic for our use case, we don't have any requirement to set this per scale set.

[Nuru]

@nikola-jokic for our use case, we would like to be able to set the annotations on some sets but not others. We would have a separate set for jobs that run on a schedule and would be OK to kill because they will be run again soon enough.

To clarify, there are for sure annotations we want set on all pods that are specific to a runner set; that is a common use case. However, regarding additional annotations to add to idle pods once they start running a job, I suspect ours is an uncommon use case, and that most users would want to add some version of "do not evict" annotations to all runners across all sets.

[synack-badamson]

However, regarding additional annotations to add to idle pods once they start running a job, I suspect ours is an uncommon use case, and that most users would want to add some version of "do not evict" annotations to all runners across all sets.

Both ideally would be great. I'm running into this use case now.
I want to keep a small number of idle pods available, but I want them to be safe to evict. Pods actively executing a job should not be safe to evict. So having a configurable option for annotations to add to both idle and running pods, as well as annotations to a scale set overall would be great.

[synack-badamson]

Got this working how I wanted with job hooks. We have kubectl and other tools in our internal image, so it worked out perfectly.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: actions-runners
  name: pod-annotator
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "patch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-annotator-binding
  namespace: actions-runners
subjects:
- kind: ServiceAccount
  name: my-runner-service-account
  namespace: actions-runners
roleRef:
  kind: Role
  name: pod-annotator
  apiGroup: rbac.authorization.k8s.io
  
 ---
 
apiVersion: v1
kind: ConfigMap
metadata:
  name: runner-hooks
  namespace: actions-runners
data:
  pre-run.sh: |
    #!/bin/sh
    kubectl annotate pod $HOSTNAME cluster-autoscaler.kubernetes.io/safe-to-evict=false --overwrite
    
---
# values.yml

template:
  metadata:
    annotations:
      cluster-autoscaler.kubernetes.io/safe-to-evict: "true" # idle pods can get evicted
  spec:
      containers:
      - name: runner
        env:
          - name: ACTIONS_RUNNER_HOOK_JOB_STARTED
            value: /hooks/pre-run.sh # triggers when a job is started, and sets the pod to NOT safe-to-evict
        volumeMounts:
          - name: hooks
            mountPath: /hooks
      volumes:
      - name: hooks
        configMap:
          name: runner-hooks

[alec-drw]

@synack-badamson are you aware if we have access to the org and repo in the pre-run hooks? Applying a label with this information would be very useful to me