Merge remote-tracking branch 'upstream/master' into kube2iam-docs

Author: MattiasGees

Gopkg.lock

@@ -92,7 +92,7 @@ required = [
 
 [[constraint]]
   name = "github.com/hashicorp/terraform"
-  version = "0.11.5"
+  version = "0.11.7"
 
 [[constraint]]
   name = "github.com/terraform-providers/terraform-provider-aws"

Gopkg.toml

@@ -78,3 +78,7 @@ plugin
 checklist
 localhost
 ReplicaSet
+overprovisioning
+autoscaling
+preempted
+millicores

docs/spelling_wordlist.txt

@@ -176,6 +176,57 @@ The current implementation will configure the first instance pool of type worker
 in your cluster configuration to scale between `minCount` and `maxCount`. We
 plan to add support for an arbitrary number of worker instance pools.
 
+Overprovisioning
+++++++++++++++++
+
+Tarmak supports overprovisioning to give a
+fixed or proportional amount of headroom in the cluster. The technique used to
+implement overprovisioning is the same as described in the `cluster autoscaler
+documentation
+<https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#user-content-how-can-i-configure-overprovisioning-with-cluster-autoscaler>`_.
+The following `tarmak.yaml` snippet shows how to configure fixed
+overprovisioning. Note that cluster autoscaling must also be enabled.
+
+.. code-block:: yaml
+
+    kubernetes:
+      clusterAutoscaler:
+        enabled: true
+        overprovisioning:
+          enabled: true
+          reservedMillicoresPerReplica: 100
+          reservedMegabytesPerReplica: 100
+          replicaCount: 10
+    ...
+
+This will deploy 10 pause Pods with a negative `PriorityClass
+<https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/>`_
+so that they will be preempted by any other pending Pods. Each Pod will request
+the specified number of millicores and megabytes. The following `tarmak.yaml`
+snippet shows how to configure proportional overprovisioning.
+
+.. code-block:: yaml
+
+    kubernetes:
+      clusterAutoscaler:
+        enabled: true
+        overprovisioning:
+          enabled: true
+          reservedMillicoresPerReplica: 100
+          reservedMegabytesPerReplica: 100
+          nodesPerReplica: 1
+          coresPerReplica: 4
+    ...
+
+The `nodesPerReplica` and `coresPerReplica` configuration parameters are
+described in the `cluster-proportional-autoscaler documentation
+<https://github.com/kubernetes-incubator/cluster-proportional-autoscaler#user-content-linear-mode>`_.
+
+The image and version used by the cluster-proportional-autoscaler can also be
+specified using the `image` and `version` fields of the `overprovisioning`
+block. These values default to
+`k8s.gcr.io/cluster-proportional-autoscaler-amd64` and `1.1.2` respectively.
+
 Logging
 ~~~~~~~
 
@@ -413,6 +464,19 @@ configuration like that:
       enabled: true
       externalScrapeTargetsOnly: true
 
+
+API Server
+~~~~~~~~~~~
+
+It is possible to let Tarmak create an public endpoint for your APIserver.
+This can be used together with `Secure public endpoints <user-guide.html#secure-api-server>`__.
+
+.. code-block:: yaml
+
+  kubernetes:
+    apiServer:
+      public: true
+
 Secure public endpoints
 ~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -460,12 +524,16 @@ by adding ``allowCIDRs`` in the instance pool block:
     size: large
     type: jenkins
 
+.. _secure-api-server:
 
 API Server
 ++++++++++
 
 For API server you can overwrite the environment level by adding ``allowCIDRs``
-to the kubernetes block
+to the kubernetes block.
+
+.. warning::
+  For this to work, you need to set your `API Server public <user-guide.html#api-server>`__ first.
 
 .. code-block:: yaml
 

docs/user-guide.rst

@@ -84,9 +84,21 @@ type ClusterKubernetes struct {
 }
 
 type ClusterKubernetesClusterAutoscaler struct {
-	Enabled bool   `json:"enabled,omitempty"`
-	Image   string `json:"image,omitempty"`
-	Version string `json:"version,omitempty"`
+	Enabled          bool                                                `json:"enabled,omitempty"`
+	Image            string                                              `json:"image,omitempty"`
+	Version          string                                              `json:"version,omitempty"`
+	Overprovisioning *ClusterKubernetesClusterAutoscalerOverprovisioning `json:"overprovisioning,omitempty"`
+}
+
+type ClusterKubernetesClusterAutoscalerOverprovisioning struct {
+	Enabled                      bool   `json:"enabled,omitempty"`
+	Image                        string `json:"image,omitempty"`
+	Version                      string `json:"version,omitempty"`
+	ReservedMillicoresPerReplica int    `json:"reservedMillicoresPerReplica,omitempty"`
+	ReservedMegabytesPerReplica  int    `json:"reservedMegabytesPerReplica,omitempty"`
+	CoresPerReplica              int    `json:"coresPerReplica,omitempty"`
+	NodesPerReplica              int    `json:"nodesPerReplica,omitempty"`
+	ReplicaCount                 int    `json:"replicaCount,omitempty"`
 }
 
 type ClusterKubernetesTiller struct {

pkg/apis/cluster/v1alpha1/cluster.go

@@ -170,6 +170,29 @@ func kubernetesClusterConfigPerRole(conf *clusterv1alpha1.ClusterKubernetes, rol
 		if conf.ClusterAutoscaler.Version != "" {
 			hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::version: "%s"`, conf.ClusterAutoscaler.Version))
 		}
+		if conf.ClusterAutoscaler.Overprovisioning != nil && conf.ClusterAutoscaler.Overprovisioning.Enabled {
+			hieraData.variables = append(hieraData.variables, `kubernetes_addons::cluster_autoscaler::enable_overprovisioning: true`)
+			hieraData.variables = append(hieraData.variables, `kubernetes::enable_pod_priority: true`)
+
+			if conf.ClusterAutoscaler.Overprovisioning.Image != "" {
+				hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::proportional_image: "%s"`, conf.ClusterAutoscaler.Overprovisioning.Image))
+			}
+			if conf.ClusterAutoscaler.Overprovisioning.Version != "" {
+				hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::proportional_version: "%s"`, conf.ClusterAutoscaler.Overprovisioning.Version))
+			}
+
+			hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::reserved_millicores_per_replica: %d`, conf.ClusterAutoscaler.Overprovisioning.ReservedMillicoresPerReplica))
+			hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::reserved_megabytes_per_replica: %d`, conf.ClusterAutoscaler.Overprovisioning.ReservedMegabytesPerReplica))
+			hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::cores_per_replica: %d`, conf.ClusterAutoscaler.Overprovisioning.CoresPerReplica))
+			hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::nodes_per_replica: %d`, conf.ClusterAutoscaler.Overprovisioning.NodesPerReplica))
+			hieraData.variables = append(hieraData.variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::replica_count: %d`, conf.ClusterAutoscaler.Overprovisioning.ReplicaCount))
+		}
+	}
+
+	if roleName == clusterv1alpha1.KubernetesWorkerRoleName && conf.ClusterAutoscaler != nil && conf.ClusterAutoscaler.Enabled {
+		if conf.ClusterAutoscaler.Overprovisioning != nil && conf.ClusterAutoscaler.Overprovisioning.Enabled {
+			hieraData.variables = append(hieraData.variables, `kubernetes::enable_pod_priority: true`)
+		}
 	}
 
 	if roleName == clusterv1alpha1.KubernetesMasterRoleName && conf.Tiller != nil && conf.Tiller.Enabled {
@@ -332,6 +355,12 @@ func (p *Puppet) writeHieraData(puppetPath string, cluster interfaces.Cluster) e
 			variables = append(variables, fmt.Sprintf(`kubernetes_addons::cluster_autoscaler::instance_pool_name: "%s"`, workerInstancePoolName))
 		}
 
+		// etcd
+		if instancePool.Role().Name() == clusterv1alpha1.KubernetesEtcdRoleName {
+			variables = append(variables, fmt.Sprintf(`tarmak::etcd_instances: %d`, instancePool.MinCount()))
+			variables = append(variables, `tarmak::etcd_mount_unit: "var-lib-etcd.mount"`)
+		}
+
 		//  classes
 		err = p.writeLines(
 			filepath.Join(hieraPath, "instance_pools", fmt.Sprintf("%s_classes.yaml", instancePool.Name())), classes,

pkg/puppet/puppet.go

@@ -194,6 +194,11 @@ func (c *Cluster) Validate() (result error) {
 		result = multierror.Append(result, err)
 	}
 
+	// validate overprovisioning
+	if err := c.validateClusterAutoscaler(); err != nil {
+		result = multierror.Append(result, fmt.Errorf("invalid overprovisioning configuration: %s", err))
+	}
+
 	//validate apiserver
 	if k := c.Config().Kubernetes; k != nil {
 		if apiServer := k.APIServer; apiServer != nil {
@@ -249,6 +254,37 @@ func (c *Cluster) validateLoggingSinks() (result error) {
 	return nil
 }
 
+// validate overprovisioning
+func (c *Cluster) validateClusterAutoscaler() (result error) {
+
+	if c.Config().Kubernetes != nil && c.Config().Kubernetes.ClusterAutoscaler != nil && c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning != nil {
+		if !c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.Enabled {
+			return nil
+		}
+		if c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.Enabled && !c.Config().Kubernetes.ClusterAutoscaler.Enabled {
+			return fmt.Errorf("cannot enable overprovisioning if cluster autoscaling is disabled")
+		}
+		if c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.ReservedMegabytesPerReplica < 0 ||
+			c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.ReservedMillicoresPerReplica < 0 ||
+			c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.CoresPerReplica < 0 ||
+			c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.NodesPerReplica < 0 ||
+			c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.ReplicaCount < 0 {
+			return fmt.Errorf("cannot set negative overprovisioning parameters")
+		}
+		if c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.ReservedMegabytesPerReplica == 0 && c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.ReservedMillicoresPerReplica == 0 {
+			return fmt.Errorf("one of reservedMillicoresPerReplica and reservedMegabytesPerReplica must be set")
+		}
+		if (c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.CoresPerReplica > 0 || c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.NodesPerReplica > 0) && c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.ReplicaCount > 0 {
+			return fmt.Errorf("cannot configure both static and per replica overprovisioning rules")
+		}
+		if (c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.Image != "" || c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.Version != "") && (c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.CoresPerReplica == 0 && c.Config().Kubernetes.ClusterAutoscaler.Overprovisioning.NodesPerReplica == 0) {
+			return fmt.Errorf("setting overprovisioning image or version is only valid when proportional overprovisioning is enabled")
+		}
+	}
+
+	return nil
+}
+
 // Validate APIServer
 func (c *Cluster) validateAPIServer() (result error) {
 	for _, cidr := range c.Config().Kubernetes.APIServer.AllowCIDRs {

pkg/tarmak/cluster/cluster.go

@@ -163,6 +163,62 @@ func TestCluster_NewMinimalHub(t *testing.T) {
 	}
 }
 
+func TestValidateClusterAutoscaler(t *testing.T) {
+	clusterConfig := config.NewClusterSingle("single", "cluster")
+	config.ApplyDefaults(clusterConfig)
+	clusterConfig.Kubernetes.ClusterAutoscaler.Enabled = true
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning = &clusterv1alpha1.ClusterKubernetesClusterAutoscalerOverprovisioning{}
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.Enabled = false
+
+	cluster := &Cluster{
+		conf: clusterConfig,
+	}
+
+	// overprovisioning disabled without required settings
+	if err := cluster.validateClusterAutoscaler(); err != nil {
+		t.Errorf("validation should pass when cluster autoscaler is enabled and overprovisioning is disabled without required settings: %s", err)
+	}
+
+	// reservations not set
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.Enabled = true
+	if cluster.validateClusterAutoscaler() == nil {
+		t.Errorf("validation should fail when no reservations are set")
+	}
+
+	// autoscaler and overprovisioning enabled
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.ReservedMillicoresPerReplica = 1
+	if err := cluster.validateClusterAutoscaler(); err != nil {
+		t.Errorf("validation should pass when cluster autoscaler and overprovisioning are enabled: %s", err)
+	}
+
+	// autoscaler disabled with overprovisioning enabled
+	clusterConfig.Kubernetes.ClusterAutoscaler.Enabled = false
+	if cluster.validateClusterAutoscaler() == nil {
+		t.Errorf("validation should fail when cluster autoscaler is disabled and overprovisioning is enabled")
+	}
+	clusterConfig.Kubernetes.ClusterAutoscaler.Enabled = true
+
+	// negative reserved millicores
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.ReservedMillicoresPerReplica = -1
+	if cluster.validateClusterAutoscaler() == nil {
+		t.Errorf("validation should fail when reserving negative millicores")
+	}
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.ReservedMillicoresPerReplica = 1
+
+	// static overprovisioning with propoertional autoscaler
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.Image = "image"
+	if cluster.validateClusterAutoscaler() == nil {
+		t.Errorf("validation should fail when configuring static overprovisioning and proportional autoscaler")
+	}
+
+	// static and proportional overprovisioning
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.CoresPerReplica = 1
+	clusterConfig.Kubernetes.ClusterAutoscaler.Overprovisioning.ReplicaCount = 1
+	if cluster.validateClusterAutoscaler() == nil {
+		t.Errorf("validation should fail when configuring static and proportional overprovisioning")
+	}
+}
+
 /*
 func testDefaultClusterConfig() *config.Cluster {
 	return &config.Cluster{

pkg/tarmak/cluster/cluster_test.go

@@ -33,21 +33,22 @@ type Rule struct {
 }
 
 var (
-	zeroPort          = uint16(0)
-	sshPort           = uint16(22)
-	bgpPort           = uint16(179)
-	overlayPort       = uint16(2359)
-	k8sEventsPort     = uint16(2369)
-	k8sPort           = uint16(2379)
-	apiPort           = uint16(6443)
-	consulRCPPort     = uint16(8300)
-	consulSerfPort    = uint16(8301)
-	vaultPort         = uint16(8200)
-	calicoMetricsPort = uint16(9091)
-	nodePort          = uint16(9100)
-	blackboxPort      = uint16(9115)
-	wingPort          = uint16(9443)
-	maxPort           = uint16(65535)
+	zeroPort                     = uint16(0)
+	sshPort                      = uint16(22)
+	bgpPort                      = uint16(179)
+	overlayPort                  = uint16(2359)
+	k8sEventsPort                = uint16(2369)
+	k8sPort                      = uint16(2379)
+	apiPort                      = uint16(6443)
+	consulRCPPort                = uint16(8300)
+	consulSerfPort               = uint16(8301)
+	vaultPort                    = uint16(8200)
+	clusterAutoscalerMetricsPort = uint16(8085)
+	calicoMetricsPort            = uint16(9091)
+	nodePort                     = uint16(9100)
+	blackboxPort                 = uint16(9115)
+	wingPort                     = uint16(9443)
+	maxPort                      = uint16(65535)
 
 	k8sIdentifier       = "k8s"
 	k8sEventsIdentifier = "k8sevents"
@@ -96,14 +97,24 @@ func newSSHService() Service {
 
 func newCalicoMetricsService() Service {
 	return Service{
-		Name:     "metrics",
+		Name:     "calico",
 		Protocol: "tcp",
 		Ports: []Port{
 			Port{Single: &calicoMetricsPort},
 		},
 	}
 }
 
+func newClusterAutoscalerMetricsService() Service {
+	return Service{
+		Name:     "cluster_autoscaler",
+		Protocol: "tcp",
+		Ports: []Port{
+			Port{Single: &clusterAutoscalerMetricsPort},
+		},
+	}
+}
+
 func newIPIPService() Service {
 	return Service{
 		Name:     "ipip",
@@ -302,8 +313,8 @@ func Rules() (rules []*Rule) {
 
 		//// Master
 		&Rule{
-			Comment:   "allow workers/master to connect to calico's service + api server",
-			Services:  []Service{newBGPService(), newIPIPService(), newCalicoMetricsService(), newAPIService()},
+			Comment:   "allow workers/master to connect to calico's service, cluster autoscaler's service + api server",
+			Services:  []Service{newBGPService(), newIPIPService(), newCalicoMetricsService(), newClusterAutoscalerMetricsService(), newAPIService()},
 			Direction: "ingress",
 			Sources: []Host{
 				Host{Role: "master"},