Implement dedicated nodes using taints and tolerations

[davidopp]

This is really a meta-feature; it can be built from other features that we already have or plan to have.

The requirements are

• nodes are partitioned into groups
• administrator can specify a policy that forces pods meeting particular criteria to only run on machines in one of these groups
• optionally, the policy can say that pods that do not meet the criteria can not run on those machines

One possible implementation that meets these requirements is

• each node optionally has a label with key 'dedicated' and some value denoting a group name
• an admission controller has a table mapping namespace name to label value, and adds the corresponding <"dedicated", value> node selector to a pod if its namespace is in the table (ideally this is done in a way that the end-user cannot later modify, but I don't think we have that ability yet)
• not sure yet about how to implement the third bullet from the requirements; Restrict/prefer what pods schedule on particular nodes #14573 has some discussion.

(I guess this could be done with annotations instead of labels.)

The user who requested this feature also requested the following: kube-proxy on a node in the dedicated machine group belonging to namespace A should not know about any of the services outside of namespace A (except system services of course). Of course this only makes sense if the policy in the admission controller assigns pod to dedicated machine group based on the pod's namespace.

This is closely related to the discussion in #14573, but here I'm trying to capture the exact feature that was requested from a user in-person recently.

There is of course a "preferred" variant of this that acts as a preference rather than a hard constraint.

[davidopp]

@kevin-wangzefeng

[HaiyangDING]

Some quick thoughts here, I will think it through later.

Maybe we can start with pod instead of namespace (as we plan to do for multi-scheduler), and this could avoid touching admission controller. Also, I'd prefer using annotations over labels.

[bgrant0607]

See also #17097

cc @derekwaynecarr @smarterclayton

[kevin-wangzefeng]

Very attractive feature. Our customers have some similar requirements:

1. Multi-AZ nodes in one k8s cluster. (also found in some previous discussion Kubernetes should support cross-zone cluster #4235 Kubernetes on AWS should be Multi-AZ by default #13056 Kubernetes on AWS mutli-AZ by default #13063)
   • User can choose which one or more AZ(s) to run Pods in.
   • Pods belongs to one RC will be spread across zones as a preference
   • Pods (belongs to different services) that talks to each other, will be running in the same AZ.
2. Run one k8s cluster across multiple VLANs
   • Users will specify in which VLAN they want Pods to run.
   • Also some customized scheduling policies based on configuration.

In a summary, the common points (including this issue) are:

• partition nodes into groups
• add some new scheduling policies based on these groups.

We've just started to do the design work, and I have similar views on the implementation as you mentioned above, which is a easy way to start.

A quick thought about labeling each node to denote a group name, we can make it configurable, or define some well known label key like this way [https://github.com/justinsb/kubernetes/commit/5737b1fb551ec0a72246b49328e3d4f88a3d5a70].

[davidopp]

Hi Kevin. I would suggest that you add the requirements you listed to #17059 and get feedback there. I think #17059 is more relevant than this one. I have copied your comments over there, and written a reply.

[alfred-huangjian]

@davidopp
Give a addition explanation about the point 2 @kevin-wangzefeng mentioned above.

"Run one k8s cluster across multiple VLANs"

One of our users have such requirements base on their original IT infrastructure:

1. The nodes are divided into several groups. Each group may have about 30 nodes, And their network are located in a VLAN/subnet.
2. The Pods need to be associated with endpoint IP in the same subnet with Node. It can be access directly without OVS/flannel overlay networks.
3. So the new applications can be arranged to any group of the node at first. And it will assign an IP address according to the scheduled node, and we will set the pod's hostname/IP to the DNS server.
4. When the user update the applications, or during a failure recover. The scheduler need to make sure the POD should not move to another node which are not in the same group(Hard constraint). As they prefer the POD's IP address will not change because the DNS refresh time is a bit longer.

BTW, the user doesn't use the service as the above scenarios are only for their legacy applications. Besides that, they also need application instances to spread across AZ automatically. Each AZ may contains several groups.

Our requirements mentioned above are not related to the namespace. And doesn't need to map the node to the dedicated namespace.

But we are also considering creating the multi-tenant shared K8S cluster, and also noticed that the kube-proxy is not namespace aware. So several nodes are served for namespace A and the kube-proxy on that can only be aware of the services belongs to service A can be a good choice.

[kevin-wangzefeng]

@davidopp thanks for you suggestion, then in this issue we just focus on dedicated machines requirements.

1. The table mapping namespace name to label/annotation value, we can add new resource type and store it into etcd

   type Dedicated struct {
       Namespace string `json:"namespace"`
       LabelValue string `json:"labelvalue"`
   }

   then implement corresponding methods in registry, kubectl printer etc.

2. Add a new admission controller (or add new logic in existing admission controller) to handle pod dedicated info. As you mentioned, admission controller will add the corresponding <"dedicated", value> node selector to a pod if its namespace matches `dedicated.Namespace.
   If use annotations instead of labels, may need to make node selector support annotations, I'm not very clear about how to implement here.

3. Third bullet from the requirements, I think it relies on label selectors supporting "not in" operator.

Let me know if I misunderstood anything. And I will send a draft version PR in a few days, so we can have more detailed discussion.