Initial commit

Author: technicianted

Diff for: .vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "makefile.configureOnOpen": false
+}

Diff for: README.md

@@ -16,6 +16,16 @@ $ # build docker image
 $ make docker-build
 ```
 
+### Running
+Simplest way is to use the helm chart. Edit the file `configs/_policies.yaml` to define your staggering policies then install the helm chart:
+```bash
+$ helm upgrade \
+  --install \
+  --namespace stagger \
+  --create-namespace 
+  stagger helm/stagger
+```
+
 ### Example
 Consider the following example where we want to stagger access to image pulls such that something like [spegel](https://github.com/spegel-org/spegel) gets a chance to seed the images. We want to control staggering per image, not as a whole for cache population and seeding:
 ```yaml
@@ -71,11 +81,6 @@ spec:
 
 In some situations where a staggering policy spans multiple pods controlled by different Kubernets controllers, we may want to bypass staggering for a certain set of these pods due to subtle startup dependencies. To do that, policies include `BypassLabelSelector` that lets you specify a label selector that if matched, this policy will not apply but the pod itself will be counted against pacing.
 
-### How it works
-Stagger works by monitoring pods via an admission controller. With each new pods, it is evaluated against defined policies. Once it is associated with one, its pacer is consulted to see if it should be allowed to start. If it is not, a special `nodeSelector` is added to block its scheduling.
-
-Next, a reconciler controller monitors pods events and status changes. With each change of a staggered pod, its corresponding pacer is consulted. If it is allowed to start, the pod is evicted and will be recreated where the admission controller will let it be scheduled.
-
 ### Job controllers special handling
 Special handling is needed for pods created by a Job controller. By default, Job controllers do not differentiate between an evicted pod and a failed one. Since we use pod eviction to reschedule the pod, Job specs need to be changed to inject the following failure policy:
 ```yaml
@@ -87,3 +92,18 @@ Special handling is needed for pods created by a Job controller. By default, Job
 ```
 
 **Note: if your Job spec already has a `DisruptionTarget` policy with `action` not set to `Ignore`, stagger will issue a warning and will not apply policies**
+
+### FAQ
+* Can a single stagger group span multiple controllers?
+Yes. It can even span multiple namespaces.
+
+* How are pods prevented from starting up (staggered)?
+Stagger works by monitoring pods via an admission controller. With each new pods, it is evaluated against defined policies. Once it is associated with one, its pacer is consulted to see if it should be allowed to start. If it is not, a special pod specs are replaced with stub specs with same resources. Further, an init container is appended that will block the startup of the pod. When the reconciler is ready, the pod is evicted and restarted with its original specs.
+
+Next, a reconciler controller monitors pods events and status changes. With each change of a staggered pod, its corresponding pacer is consulted. If it is allowed to start, the pod is evicted and will be recreated where the admission controller will let it be scheduled.
+
+* Why not use `scale` subresource?
+One of the important design objectives is to be controller agnostic, and be able to stagger across multiple controllers. If `scale` subresource is used as a mechanism of staggering then it'll pose many restrictions. For example, the owning controller must support `scale`. Also other controllers such as HPA may be already controlling the `scale` subresource and will conflict with staggering.
+
+* What about gang scheduling?
+Gang scheduling blocks the scheduling of a group of pods until all requested resources are ready. Stagger handles this by using an init container to block the startup of the pod such that gang schedulers are not affected.

Diff for: cmd/stagger/cmd/container.go

@@ -0,0 +1,33 @@
+// Copyright (c) stagger team and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for details.
+package cmd
+
+import (
+	"os"
+	"os/signal"
+	"stagger/pkg/version"
+	"syscall"
+
+	"github.com/spf13/cobra"
+)
+
+var containerCMD = &cobra.Command{
+	Use:   "container",
+	Short: "stub for staggered pod containers",
+	Run:   runContainer,
+}
+
+func init() {
+	RootCMD.AddCommand(containerCMD)
+}
+
+func runContainer(command *cobra.Command, args []string) {
+	logger := SetupTelemetryAndLogging()
+	logger.Info("starting stagger container", "version", version.Build, "options", options)
+
+	sigs := make(chan os.Signal, 1)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+	<-sigs
+
+	os.Exit(0)
+}

Diff for: cmd/stagger/cmd/initcontainer.go

@@ -0,0 +1,23 @@
+// Copyright (c) stagger team and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for details.
+package cmd
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var initContainerCMD = &cobra.Command{
+	Use:   "initcontainer",
+	Short: "stub for staggered pod init containers",
+	Run:   runInitContainer,
+}
+
+func init() {
+	RootCMD.AddCommand(initContainerCMD)
+}
+
+func runInitContainer(command *cobra.Command, args []string) {
+	os.Exit(0)
+}

Diff for: cmd/stagger/cmd/root.go

@@ -1,9 +1,7 @@
-package cmd
-
-//
 // Copyright (c) stagger team and contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE file in the project root for details.
-//
+package cmd
+
 import (
 	"net/http"
 

Diff for: cmd/stagger/cmd/service.go

@@ -1,9 +1,7 @@
-package cmd
-
-//
 // Copyright (c) stagger team and contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE file in the project root for details.
-//
+package cmd
+
 import (
 	"os"
 	"os/signal"

Diff for: go.mod

@@ -24,6 +24,7 @@ require (
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
 	sigs.k8s.io/controller-runtime v0.19.0
 	sigs.k8s.io/e2e-framework v0.4.0
+	volcano.sh/apis v1.10.0
 )
 
 require (

Diff for: go.sum

@@ -14,8 +14,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
-github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
@@ -279,3 +279,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+s
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+volcano.sh/apis v1.10.0 h1:Z9eLwibQmhpFmYGLWxjsTWwsYeTEKvvjFcLptmP2qxE=
+volcano.sh/apis v1.10.0/go.mod h1:z8hhFZ2qcUMR1JIjVYmBqL98CVaXNzsQAcqKiytQW9s=

Diff for: pkg/blocker/stubpod.go

@@ -0,0 +1,63 @@
+// Copyright (c) stagger team and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for details.
+package blocker
+
+import (
+	"fmt"
+	"stagger/pkg/blocker/types"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+)
+
+var _ types.PodBlocker = &stubPod{}
+
+type stubPod struct {
+	containerImage string
+}
+
+func NewStubPod(containerImage string) types.PodBlocker {
+	return &stubPod{
+		containerImage: containerImage,
+	}
+}
+
+func (b *stubPod) Block(podSpec *corev1.PodSpec, logger logr.Logger) error {
+	for i, container := range podSpec.InitContainers {
+		container.Image = b.containerImage
+		container.Command = nil
+		container.Args = []string{"initcontainer"}
+		container.VolumeMounts = nil
+		podSpec.InitContainers[i] = container
+	}
+	// these will never start, just stubs to prevent image pulls
+	for i, container := range podSpec.Containers {
+		container.Image = b.containerImage
+		container.Command = nil
+		container.Args = nil
+		container.VolumeMounts = nil
+		podSpec.Containers[i] = container
+	}
+	podSpec.InitContainers = append(podSpec.InitContainers, corev1.Container{
+		Name:  "stagger",
+		Image: b.containerImage,
+		Args:  []string{"container"},
+	})
+
+	return nil
+}
+
+func (b *stubPod) Unblock(podSpec *corev1.PodSpec, logger logr.Logger) error {
+	return fmt.Errorf("not supported")
+}
+
+func (b *stubPod) IsBlocked(podSpec *corev1.PodSpec) bool {
+	for _, container := range podSpec.InitContainers {
+		if container.Name == "stagger" &&
+			container.Image == b.containerImage {
+			return true
+		}
+	}
+
+	return false
+}

Diff for: pkg/blocker/stubpod_test.go

@@ -0,0 +1,60 @@
+// Copyright (c) stagger team and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for details.
+package blocker
+
+import (
+	"testing"
+
+	"github.com/go-logr/zapr"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestStubPodSuccess(t *testing.T) {
+	zlog, _ := zap.NewDevelopment()
+	logger := zapr.NewLogger(zlog)
+
+	pod := corev1.Pod{
+		Spec: corev1.PodSpec{
+			InitContainers: []corev1.Container{
+				{
+					Name:    "init1",
+					Image:   "image1",
+					Command: []string{"command1"},
+					Args:    []string{"args1"},
+				},
+			},
+			Containers: []corev1.Container{
+				{
+					Name:    "container1",
+					Image:   "image1",
+					Command: []string{"command1"},
+					Args:    []string{"args1"},
+				},
+			},
+		},
+	}
+
+	blocker := NewStubPod("staggerimage")
+	err := blocker.Block(&pod.Spec, logger)
+	require.NoError(t, err)
+	require.Len(t, pod.Spec.InitContainers, 2)
+	initContainer := pod.Spec.InitContainers[0]
+	require.Nil(t, initContainer.Command)
+	require.Equal(t, "staggerimage", initContainer.Image)
+	initContainer = pod.Spec.InitContainers[1]
+	require.Equal(t, "staggerimage", initContainer.Image)
+
+	require.Len(t, pod.Spec.Containers, 1)
+	container := pod.Spec.Containers[0]
+	require.Nil(t, container.Command)
+	require.Equal(t, "staggerimage", container.Image)
+
+	blocked := blocker.IsBlocked(&pod.Spec)
+	require.True(t, blocked)
+
+	pod.Spec.InitContainers[1].Image = "someotherimage"
+	blocked = blocker.IsBlocked(&pod.Spec)
+	require.False(t, blocked)
+}

Diff for: pkg/cmd/cmd.go

@@ -31,7 +31,11 @@ func NewCMDWithManager(mgr manager.Manager, options Options, logger logr.Logger)
 		return nil, err
 	}
 
-	podGroupClassifier, err := NewPodgroupClassifier(mgr, logger)
+	blocker, err := NewBlocker(options)
+	if err != nil {
+		return nil, err
+	}
+	podGroupClassifier, err := NewPodgroupClassifier(mgr, blocker, logger)
 	if err != nil {
 		return nil, err
 	}
@@ -59,6 +63,7 @@ func NewCMDWithManager(mgr manager.Manager, options Options, logger logr.Logger)
 		options,
 		matchPredicate,
 		mgr,
+		blocker,
 		classifier,
 		podGroupClassifier,
 		recorderFactory,
@@ -113,10 +118,12 @@ func (c *CMD) Start(logger logr.Logger) error {
 func (c *CMD) Stop(logger logr.Logger) error {
 	logger.Info("shutting down")
 
-	c.shutdownContextCancel()
-	logger.Info("waiting for shutdown")
-	<-c.shutdownCompleteChan
-	logger.Info("shutdown completed")
+	if c.shutdownCompleteChan != nil {
+		c.shutdownContextCancel()
+		logger.Info("waiting for shutdown")
+		<-c.shutdownCompleteChan
+		logger.Info("shutdown completed")
+	}
 
 	return nil
 }

Diff for: pkg/cmd/factories.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"stagger/pkg/blocker"
+	blockertypes "stagger/pkg/blocker/types"
 	"stagger/pkg/config/types"
 	"stagger/pkg/controller"
 	controllertypes "stagger/pkg/controller/types"
@@ -105,8 +106,10 @@ func NewGroupClassifier(policies []StaggeringPolicy, logger logr.Logger) (contro
 	return classifier, nil
 }
 
-func NewPodgroupClassifier(mgr manager.Manager, logger logr.Logger) (controllertypes.PodGroupStandingClassifier, error) {
-	return controller.NewPodGroupStandingClassifier(mgr.GetClient(), blocker.NewNodeSelectorPodBlocker()), nil
+func NewPodgroupClassifier(mgr manager.Manager, blocker blockertypes.PodBlocker, logger logr.Logger) (controllertypes.PodGroupStandingClassifier, error) {
+	return controller.NewPodGroupStandingClassifier(
+		mgr.GetClient(),
+		blocker), nil
 }
 
 func NewRecorderFactory(logger logr.Logger) (controllertypes.ObjectRecorderFactory, error) {
@@ -117,6 +120,7 @@ func RegisterAdmissionController(
 	options Options,
 	matchPredicate predicate.Predicate,
 	mgr manager.Manager,
+	blocker blockertypes.PodBlocker,
 	classifier controllertypes.PodClassifier,
 	podGroupClassifier controllertypes.PodGroupStandingClassifier,
 	recorderFactory controllertypes.ObjectRecorderFactory,
@@ -141,7 +145,7 @@ func RegisterAdmissionController(
 		classifier,
 		podGroupClassifier,
 		recorderFactory,
-		blocker.NewNodeSelectorPodBlocker(),
+		blocker,
 		flightTracker,
 		options.BypassFailure,
 		options.EnableLabel,
@@ -226,3 +230,11 @@ func CreateKubernetesConfig(opts KubernetesOptions) (*rest.Config, error) {
 
 	return config, err
 }
+
+func NewBlocker(opts Options) (blockertypes.PodBlocker, error) {
+	if len(opts.StaggerContainerImage) == 0 {
+		return nil, fmt.Errorf("stagger container image must be specified")
+	}
+
+	return blocker.NewStubPod(opts.StaggerContainerImage), nil
+}

Diff for: pkg/cmd/options.go

@@ -30,6 +30,7 @@ type Options struct {
 	KubernetesOptions
 
 	StaggeringConfigPath   string        `cliArgName:"staggering-config-path" cliArgDescription:"path to staggering config yaml file" cliArgGroup:"Staggering"`
+	StaggerContainerImage  string        `cliArgName:"staggering-container-image" cliArgDescription:"stagger container image to use for stub pods" cliArgGroup:"Staggering"`
 	BypassFailure          bool          `cliArgName:"staggering-bypass-errors" cliArgDescription:"do not block admission on errors" cliArgGroup:"Staggering"`
 	EnableLabel            string        `cliArgName:"staggering-enable-label" cliArgDescription:"pod label to enable staggering behavior" cliArgGroup:"Staggering"`
 	MaxFlightDuration      time.Duration `cliArgName:"staggering-max-pod-flight-duration" cliArgDescription:"maximum time to wait for a pod from admission to reconciliation after which it is assumed committed" cliArgGroup:"Staggering"`
@@ -57,6 +58,7 @@ func NewLeaderElectionOptions() LeaderElectionOptions {
 func NewOptions() Options {
 	return Options{
 		KubernetesOptions:      NewKubernetesOptions(),
+		StaggerContainerImage:  "technicianted/stagger",
 		BypassFailure:          true,
 		EnableLabel:            controller.DefaultEnableLabel,
 		MaxFlightDuration:      1000 * time.Millisecond,