kubernetes: How is resource management enabled in k8s? Doubts about k8s resource configuration

Posted by mi7gmzs6 4 months ago in Kubernetes

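The official K8s documentation states that ResourceManager must be included in the apiserver's --enable-admission-plugins in order to enable resource quotas. https://kubernetes.io/docs/concepts/policy/resource-quotas/#enabling-resource-quota
In a K8s 1.19 environment, I did not find ResourceQuota configured in --enable-admission-plugins, but once a resourcequota is set for each namespace, that resourcequota takes effect.
In addition, looking at the apiserver source code (release-1.28), the Register method in pkg/admission/plugin/resourcequota/admission.go is not referenced. In pkg/server/options/admission.go, the register method of AdmissionOptions checks whether the plugins in the configuration are registered and returns an error if they are not. This register method is called from the register method of RecommendedOptions, but NewRecommendedOptions is not called.
I'm confused.
If any maven could offer guidance, I would be very grateful. Thank you.
I want to figure out how ResourceSort in K8s takes effect, and I want to find the basis for it in the source code.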

edqdpe6u1#

I found the answer to this question myself: the "enabledPluginNames" function of AdmissionOptions in vendor/k8s.io/apiserver/pkg/server/options/admission.go is the answer.

// enabledPluginNames makes use of RecommendedPluginOrder, DefaultOffPlugins,
// EnablePlugins, DisablePlugins fields
// to prepare a list of ordered plugin names that are enabled.
func (a *AdmissionOptions) enabledPluginNames() []string {
    allOffPlugins := append(a.DefaultOffPlugins.List(), a.DisablePlugins...)
    disabledPlugins := sets.NewString(allOffPlugins...)
    enabledPlugins := sets.NewString(a.EnablePlugins...)
    disabledPlugins = disabledPlugins.Difference(enabledPlugins)

    orderedPlugins := []string{}
    for _, plugin := range a.RecommendedPluginOrder {
        if !disabledPlugins.Has(plugin) {
            orderedPlugins = append(orderedPlugins, plugin)
        }
    }

    return orderedPlugins
}

Plugins in RecommendedPluginOrder are enabled by default as long as they are not disabled.
RecommendedPluginOrder is initialized in the NewAdmissionOptions method in pkg/kubeapiserver/options/admission.go.

// NewAdmissionOptions creates a new instance of AdmissionOptions
// Note:
//
//  In addition it calls RegisterAllAdmissionPlugins to register
//  all kube-apiserver admission plugins.
//
//  Provides the list of RecommendedPluginOrder that holds sane values
//  that can be used by servers that don't care about admission chain.
//  Servers that do care can overwrite/append that field after creation.
func NewAdmissionOptions() *AdmissionOptions {
    options := genericoptions.NewAdmissionOptions()
    // register all admission plugins
    RegisterAllAdmissionPlugins(options.Plugins)
    // set RecommendedPluginOrder
    options.RecommendedPluginOrder = AllOrderedPlugins
    // set DefaultOffPlugins
    options.DefaultOffPlugins = DefaultOffAdmissionPlugins()

    return &AdmissionOptions{
        GenericAdmission: options,
    }
}


AllOrderedPlugins is declared like this:

// AllOrderedPlugins is the list of all the plugins in order.
var AllOrderedPlugins = []string{
    admit.PluginName,                        // AlwaysAdmit
    autoprovision.PluginName,                // NamespaceAutoProvision
    lifecycle.PluginName,                    // NamespaceLifecycle
    exists.PluginName,                       // NamespaceExists
    scdeny.PluginName,                       // SecurityContextDeny
    antiaffinity.PluginName,                 // LimitPodHardAntiAffinityTopology
    limitranger.PluginName,                  // LimitRanger
    serviceaccount.PluginName,               // ServiceAccount
    noderestriction.PluginName,              // NodeRestriction
    nodetaint.PluginName,                    // TaintNodesByCondition
    alwayspullimages.PluginName,             // AlwaysPullImages
    imagepolicy.PluginName,                  // ImagePolicyWebhook
    podsecurity.PluginName,                  // PodSecurity
    podnodeselector.PluginName,              // PodNodeSelector
    podpriority.PluginName,                  // Priority
    defaulttolerationseconds.PluginName,     // DefaultTolerationSeconds
    podtolerationrestriction.PluginName,     // PodTolerationRestriction
    eventratelimit.PluginName,               // EventRateLimit
    extendedresourcetoleration.PluginName,   // ExtendedResourceToleration
    label.PluginName,                        // PersistentVolumeLabel
    setdefault.PluginName,                   // DefaultStorageClass
    storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
    gc.PluginName,                           // OwnerReferencesPermissionEnforcement
    resize.PluginName,                       // PersistentVolumeClaimResize
    runtimeclass.PluginName,                 // RuntimeClass
    certapproval.PluginName,                 // CertificateApproval
    certsigning.PluginName,                  // CertificateSigning
    ctbattest.PluginName,                    // ClusterTrustBundleAttest
    certsubjectrestriction.PluginName,       // CertificateSubjectRestriction
    defaultingressclass.PluginName,          // DefaultIngressClass
    denyserviceexternalips.PluginName,       // DenyServiceExternalIPs

    // new admission plugins should generally be inserted above here
    // webhook, resourcequota, and deny plugins must go at the end

    mutatingwebhook.PluginName,           // MutatingAdmissionWebhook
    validatingadmissionpolicy.PluginName, // ValidatingAdmissionPolicy
    validatingwebhook.PluginName,         // ValidatingAdmissionWebhook
    resourcequota.PluginName,             // ResourceQuota
    deny.PluginName,                      // AlwaysDeny
}


Therefore, ResourcesPlugin is enabled by default, even if it is not declared in the --enable-admission-plugins parameter.
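
To audit which admission plugins a given kube-apiserver command line actually runs, the selection rule quoted in the answer can be replayed offline. The following is an added example, not code from the post or from Kubernetes: the plugin order is abbreviated from the list above, and the default-off set, the helper names `flagList` and `effectivePlugins`, and the sample command line are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Abbreviated from the AllOrderedPlugins list quoted above (order preserved).
var recommendedOrder = []string{
	"AlwaysAdmit", "NamespaceLifecycle", "LimitRanger", "AlwaysPullImages",
	"MutatingAdmissionWebhook", "ValidatingAdmissionWebhook", "ResourceQuota", "AlwaysDeny",
}

// Assumed default-off subset (constructed); the real one is DefaultOffAdmissionPlugins().
var defaultOff = []string{"AlwaysAdmit", "AlwaysPullImages", "AlwaysDeny"}

// flagList returns the values of --name=v1,v2 in args ("--name=value" form only).
func flagList(args []string, name string) []string {
	prefix := "--" + name + "="
	for _, a := range args {
		if strings.HasPrefix(a, prefix) {
			return strings.Split(a[len(prefix):], ",")
		}
	}
	return nil
}

// effectivePlugins mirrors enabledPluginNames: (defaultOff + disabled) - enabled is skipped.
func effectivePlugins(args []string) []string {
	off := map[string]bool{}
	allOff := append(append([]string{}, defaultOff...), flagList(args, "disable-admission-plugins")...)
	for _, p := range allOff {
		off[p] = true
	}
	for _, p := range flagList(args, "enable-admission-plugins") {
		delete(off, p)
	}
	var out []string
	for _, p := range recommendedOrder {
		if !off[p] {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed command line that never mentions ResourceQuota.
	fmt.Println(effectivePlugins([]string{"kube-apiserver", "--enable-admission-plugins=AlwaysPullImages"}))
}
```

With this rule, the only way to turn ResourceQuota off is to name it in --disable-admission-plugins, so that flag is the one to check when reviewing a control-plane manifest.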
