Relax namespace restriction for critical pods

[ravisantoshgudimetla]

What type of PR is this?

/kind bug

What this PR does / why we need it:

I think, we should relax the restriction on critical pods to be created within kube-system, I have outlined an approach which ensures that, initial quota will be restricted to kube-system namespace which can later be expanded to other namespaces(https://github.com/kubernetes/kubernetes/pull/76310/files#diff-4e1245d9faac6e47c01c1c068f4de517R199). Let me know, if I have missed something.

Which issue(s) this PR fixes:

Fixes #76308

Special notes for your reviewer:
/cc @bsalamat @vikaschoudhary16

Does this PR introduce a user-facing change?:

Critical pods can now be created in namespaces other than kube-system. To limit critical pods to the kube-system namespace, cluster admins should create an admission configuration file limiting critical pods by default, and a matching quota object in the `kube-system` namespace permitting critical pods in that namespace. See https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default for details.

Ref: document

[ravisantoshgudimetla]

/sig scheduling
/kind bug

[vikaschoudhary16]

I think we would desire that quota is required mandatorily to be present in a namespace for allowing SystemPriorityClasses to be created in that namespace. To enforce this, AdmissionConfiguration object with matching scopes for SystemPriorityClasses must be configured.

Then to allow creation, quota can be created in desired namespaces.

[ravisantoshgudimetla]

Thnx, @vikaschoudhary16, yes that's what I am planning to do. Will create an admission config obj with SystemPriorityClasses in kube-system namespace at the bootstrap phase so that we are backwards compatible.

/cc @bsalamat

[bsalamat]

The problem with this approach is that users will need to add extra configuration to their clusters when they enable ResourceQuotaScopeSelectors. If they don't, this change may create a security gap in their clusters.
Whatever solution we propose here should not need extra configuration by users.

[bsalamat]

This restriction was an informed decision that we made to prevent a potential vulnerability where a user may create a lot of high priority pods that would preempt system critical components. I still believe that other pods in the system shouldn't be run with those predefined priority classes reserved for system critical components. Why pods in other namespaces need to run with these special priority classes instead of running with a user defined priority that is higher than any other priority, but lower than the system critical priorities?

[bsalamat]

Our recent benchmarks show that checking feature gates is relatively slow. We should avoid checking feature gates here. Instead we should check the feature gates at the time of plugin creation and store it in a member variable and use that variable instead.

[trdavi2]

Is there any estimate as to when this will be merged and released? My team and I could really use it

[liggitt]

/hold cancel
/lgtm
/approve

[liggitt]

matches changes discussed with @deads2k, @ravisantoshgudimetla, and @ahg-g

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, ravisantoshgudimetla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• plugin/pkg/admission/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@ravisantoshgudimetla: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-local-e2e	9dd610719afb182d32456ab5b9526ace3dceebde	link	/test pull-kubernetes-local-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[ravisantoshgudimetla]

/retest

[pires]

Can someone please clarify why this is labeled as a bug, has been fixed but not backported? Right now, every version where the feature-gate is enabled actually didn't get this relaxation. So what is the point of validating the feature-gate is enabled when it is already GA in 1.17?

[liggitt]

Can someone please clarify why this is labeled as a bug, has been fixed but not backported?

This was incorrectly labeled as a bug. It is the completion of the feature which includes support for default quota limiting critical pods.

Right now, every version where the feature-gate is enabled actually didn't get this relaxation. So what is the point of validating the feature-gate is enabled when it is already GA in 1.17?

In 1.17, the feature is enabled unconditionally, and the supporting quota configuration graduated to v1 status.

[pires]

Thanks.