Increase kubelet resource reservations

Author: Luke Addison

puppet/modules/kubernetes/manifests/kubelet.pp

@@ -10,8 +10,21 @@
   String $role = 'worker',
   String $container_runtime = 'docker',
   String $kubelet_dir = '/var/lib/kubelet',
-  String $hard_eviction_memory_threshold =
-    five_percent_of_total_ram(dig44($facts, ['memory', 'system', 'total_bytes'], 1)),
+  Optional[String] $eviction_hard_memory_available_threshold = '5%',
+  Optional[String] $eviction_hard_nodefs_available_threshold = '10%',
+  Optional[String] $eviction_hard_nodefs_inodes_free_threshold = '5%',
+  Boolean $eviction_soft_enabled = true,
+  Optional[String] $eviction_soft_memory_available_threshold = '10%',
+  Optional[String] $eviction_soft_nodefs_available_threshold = '15%',
+  Optional[String] $eviction_soft_nodefs_inodes_free_threshold = '10%',
+  Optional[String] $eviction_soft_memory_available_grace_period = '0m',
+  Optional[String] $eviction_soft_nodefs_available_grace_period = '0m',
+  Optional[String] $eviction_soft_nodefs_inodes_free_grace_period = '0m',
+  String $eviction_max_pod_grace_period = '-1',
+  String $eviction_pressure_transition_period = '2m',
+  Optional[String] $eviction_minimum_reclaim_memory_available = '100Mi',
+  Optional[String] $eviction_minimum_reclaim_nodefs_available = '1Gi',
+  Optional[String] $eviction_minimum_reclaim_nodefs_inodes_free = undef,
   Optional[String] $network_plugin = undef,
   Integer $network_plugin_mtu = 1460,
   Boolean $allow_privileged = true,
@@ -26,7 +39,7 @@
   $pod_cidr = undef,
   $hostname_override = undef,
   Enum['systemd', 'cgroupfs'] $cgroup_driver =  $::osfamily ? {
-    'RedHat' => 'systemd',
+    'RedHat' => 'cgroupfs',
     default  => 'cgroupfs',
   },
   String $cgroup_root = '/',
@@ -43,6 +56,30 @@
 ){
   require ::kubernetes
 
+  if ! $eviction_soft_memory_available_threshold or ! $eviction_soft_memory_available_grace_period {
+    $_eviction_soft_memory_available_threshold = undef
+    $_eviction_soft_memory_available_grace_period = undef
+  } else {
+    $_eviction_soft_memory_available_threshold = $eviction_soft_memory_available_threshold
+    $_eviction_soft_memory_available_grace_period = $eviction_soft_memory_available_grace_period
+  }
+
+  if ! $eviction_soft_nodefs_available_threshold or ! $eviction_soft_nodefs_available_grace_period {
+    $_eviction_soft_nodefs_available_threshold = undef
+    $_eviction_soft_nodefs_available_grace_period = undef
+  } else {
+    $_eviction_soft_nodefs_available_threshold = $eviction_soft_nodefs_available_threshold
+    $_eviction_soft_nodefs_available_grace_period = $eviction_soft_nodefs_available_grace_period
+  }
+
+  if ! $eviction_soft_nodefs_inodes_free_threshold or ! $eviction_soft_nodefs_inodes_free_grace_period {
+    $_eviction_soft_nodefs_inodes_free_threshold = undef
+    $_eviction_soft_nodefs_inodes_free_grace_period = undef
+  } else {
+    $_eviction_soft_nodefs_inodes_free_threshold = $eviction_soft_nodefs_inodes_free_threshold
+    $_eviction_soft_nodefs_inodes_free_grace_period = $eviction_soft_nodefs_inodes_free_grace_period
+  }
+
   $_systemd_wants = $systemd_wants
   if $container_runtime == 'docker' {
     $_systemd_after = ['docker.service'] + $systemd_after

puppet/modules/kubernetes/spec/classes/kubelet_spec.rb

@@ -20,7 +20,7 @@
       should_not contain_file(service_file).with_content(/--network-plugin/)
       should contain_file(service_file).with_content(/--container-runtime=docker/)
       should contain_file(service_file).with_content(%r{--kubeconfig=/etc/kubernetes/kubeconfig-kubelet})
-      should contain_file(service_file).with_content(%r{--eviction-hard=memory.available<191Mi})
+      should contain_file(service_file).with_content(%r{--eviction-hard=memory.available<5%})
     end
   end
 

puppet/modules/kubernetes/templates/kubelet.service.erb

@@ -68,6 +68,8 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
 <% if not @kernelversion.nil? and scope.function_versioncmp([scope['kubernetes::version'], '1.6.0']) >= 0 and scope.function_versioncmp([scope['kubernetes::version'], '1.7.0']) < 0 and scope.function_versioncmp([@kernelversion, '4.9']) >= 0 -%>
   --cgroups-per-qos=false \
   --enforce-node-allocatable= \
+<% else -%>
+  --enforce-node-allocatable=pods \
 <% end -%>
 <% if scope.function_versioncmp([scope['kubernetes::version'], '1.6.0']) >= 0 -%>
   --cgroup-driver=<%= @cgroup_driver %> \
@@ -103,7 +105,53 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
   "--tls-cert-file=<%= @cert_file %>" \
   "--tls-private-key-file=<%= @key_file %>" \
 <% end -%>
-  "--eviction-hard=memory.available<<%= @hard_eviction_memory_threshold %>" \
+<%
+    # build eviction hard command line
+    @eviction_hard = []
+    @eviction_hard << "memory.available<#{@eviction_hard_memory_available_threshold}" unless @eviction_hard_memory_available_threshold.nil? or @eviction_hard_memory_available_threshold == 'nil'
+    @eviction_hard << "nodefs.available<#{@eviction_hard_nodefs_available_threshold}" unless @eviction_hard_nodefs_available_threshold.nil? or @eviction_hard_nodefs_available_threshold == 'nil'
+    @eviction_hard << "nodefs.inodesFree<#{@eviction_hard_nodefs_inodes_free_threshold}" unless @eviction_hard_nodefs_inodes_free_threshold.nil? or @eviction_hard_nodefs_inodes_free_threshold == 'nil'
+    if @eviction_hard.length > 0
+-%>
+  "--eviction-hard=<%= @eviction_hard.join(',') %>" \
+<% end -%>
+<% if @eviction_soft_enabled -%>
+<%
+    # build eviction soft command line
+    @eviction_soft = []
+
+    @eviction_soft << "memory.available<#{@_eviction_soft_memory_available_threshold}" unless @_eviction_soft_memory_available_threshold.nil? or @_eviction_soft_memory_available_threshold == 'nil'
+    @eviction_soft << "nodefs.available<#{@_eviction_soft_nodefs_available_threshold}" unless @_eviction_soft_nodefs_available_threshold.nil? or @_eviction_soft_nodefs_available_threshold == 'nil'
+    @eviction_soft << "nodefs.inodesFree<#{@_eviction_soft_nodefs_inodes_free_threshold}" unless @_eviction_soft_nodefs_inodes_free_threshold.nil? or @_eviction_soft_nodefs_inodes_free_threshold == 'nil'
+    if @eviction_soft.length > 0
+-%>
+<%
+    # build eviction soft grace period command line
+    @eviction_soft_grace_period = []
+
+    @eviction_soft_grace_period << "memory.available=#{@_eviction_soft_memory_available_grace_period}" unless @_eviction_soft_memory_available_grace_period.nil? or @_eviction_soft_memory_available_grace_period == 'nil'
+    @eviction_soft_grace_period << "nodefs.available=#{@_eviction_soft_nodefs_available_grace_period}" unless @_eviction_soft_nodefs_available_grace_period.nil? or @_eviction_soft_nodefs_available_grace_period == 'nil'
+    @eviction_soft_grace_period << "nodefs.inodesFree=#{@_eviction_soft_nodefs_inodes_free_grace_period}" unless @_eviction_soft_nodefs_inodes_free_grace_period.nil? or @_eviction_soft_nodefs_inodes_free_grace_period == 'nil'
+    if @eviction_soft_grace_period.length > 0
+-%>
+  --eviction-soft=<%= @eviction_soft.join(',') %> \
+  --eviction-soft-grace-period=<%= @eviction_soft_grace_period.join(',') %> \
+  --eviction-max-pod-grace-period=<%= @eviction_max_pod_grace_period %> \
+  --eviction-pressure-transition-period=<%= @eviction_pressure_transition_period %> \
+<% end -%>
+<% end -%>
+<% end -%>
+<%
+  # build minumum reclaim command line
+  @eviction_minimum_reclaim = []
+
+  @eviction_minimum_reclaim << "memory.available=#{@eviction_minimum_reclaim_memory_available}" unless @eviction_minimum_reclaim_memory_available.nil? or @eviction_minimum_reclaim_memory_available == 'nil'
+  @eviction_minimum_reclaim << "nodefs.available=#{@eviction_minimum_reclaim_nodefs_available}" unless @eviction_minimum_reclaim_nodefs_available.nil? or @eviction_minimum_reclaim_nodefs_available == 'nil'
+  @eviction_minimum_reclaim << "nodefs.inodesFree=#{@eviction_minimum_reclaim_nodefs_inodes_free}" unless @eviction_minimum_reclaim_nodefs_inodes_free.nil? or @eviction_minimum_reclaim_nodefs_inodes_free == 'nil'
+  if @eviction_minimum_reclaim.length > 0
+-%>
+  "--eviction-minimum-reclaim=<%= @eviction_minimum_reclaim.join(',') %>" \
+<% end -%>
   --logtostderr=true
 
 Restart=on-failure

puppet/modules/site_module/files/20-cgroupfs.conf

@@ -0,0 +1,16 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd-current \
+          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
+          --default-runtime=docker-runc \
+          --exec-opt native.cgroupdriver=cgroupfs \
+          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
+          --init-path=/usr/libexec/docker/docker-init-current \
+          --seccomp-profile=/etc/docker/seccomp.json \
+          $OPTIONS \
+          $DOCKER_STORAGE_OPTIONS \
+          $DOCKER_NETWORK_OPTIONS \
+          $ADD_REGISTRY \
+          $BLOCK_REGISTRY \
+          $INSECURE_REGISTRY \
+          $REGISTRIES

puppet/modules/site_module/manifests/docker_config.pp

@@ -3,10 +3,15 @@
     ensure  => file,
     content => template('site_module/docker.erb'),
   }
+
   file { '/etc/systemd/system/docker.service.d':
     ensure  => directory,
   } -> file { '/etc/systemd/system/docker.service.d/10-slice.conf':
-    ensure  => directory,
-    content => '[Service]\nSlice=podruntime.slice\n',
+    ensure  => file,
+    content => "[Service]\nSlice=podruntime.slice\n",
+  } -> file { '/etc/systemd/system/docker.service.d/20-cgroupfs.conf':
+    ensure  => file,
+    content => file('site_module/20-cgroupfs.conf'),
   }
+
 }