Page MenuHomePhabricator
Create Task
Maniphest T245230

Investigate cpu/ram requests and limits for DaemonSets pods
Closed, DeclinedPublic
Actions

Description

While adding the new nodes for T244791: Scale up 2020 Kubernetes cluster for final migration of legacy cluster workloads I noticed that an "empty" worker has about 10% of available CPU and 13% of available RAM consumed by the calico, kube-proxy, and cadvisor pods. This feels like a lot of overhead on each worker for an "idle" state.

  • Calico pods are requesting 250m CPU with no explicit RAM request and no explicit limit on CPU or RAM.
  • Kube-proxy pods have no explicit Request or Limit values in the Pod template.
  • Cadvisor pods request 150m CPU and 200Mi RAM with 300m CPU and 2000Mi RAM limits.

Can any of these Request values be tuned downward? Can reasonable Limit values be set for everything?

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedNoneT245230 Investigate cpu/ram requests and limits for DaemonSets pods
 Resolved BstormT214513 Deploy and migrate tools to a Kubernetes v1.15 or newer cluster
 Resolved BstormT111914 Setup DNS for kubernetes services
 ResolvedaborreroT142862 Setup Kubernetes Masters in a HA setup
 ResolvedaborreroT215663 Stand up upgraded Toolforge etcd clusters
 ResolvedaborreroT215530 Sort out the best method of spinning up multiple toolforge kubernetes masters
 ResolvedaborreroT215679 Sort out and test deploying the worker nodes in a sane fashion
 ResolvedaborreroT215975 Package/copy kubeadm, kubelet, docker-ce and kubectl to Toolforge Aptly or Reprepro
 ResolvedJproramaT172855 Create visual diagram of documented components of Toolforge Kubernetes cluster
 ResolvedaborreroT215531 Deploy upgraded Kubernetes to toolsbeta
 Resolved BstormT215529 Puppetize/stand up a load balancer for K8s API servers
 ResolvedaborreroT226098 Toolforge: modernize deployment for etcd in k8s
 ResolvedaborreroT228267 Toolforge: iptables flavor for Debian Buster-based k8s cluster
 ResolvedaborreroT228500 Toolforge: evaluate ingress mechanism
 ResolvedaborreroT234032 Toolforge ingress: create a default landing page for unknown/default URLs
 ResolvedaborreroT234037 Toolforge ingress: decide on final layout of north-south proxy setup
 ResolvedaborreroT235059 Toolforge: refresh puppet code for proxy (dynamicproxy) to support Debian Buster
 Resolved BstormT234231 Toolforge ingress: decide on how ingress configuration objects will be managed
 Resolved dduvallT236203 Add CI checks for golang admission controllers
 Resolved BstormT254293 Change to admission controller readme.md failed to pass gate-and-submit jobs
 ResolvedaborreroT228660 Toolforge: new k8s: issues with the initial coredns setup
 Resolved BstormT228887 Update pause container in our internal registry
 Resolved BstormT229009 Proposal: ditching the master name in kubernetes servers
 Resolved BstormT234702 Review and establish configurable quotas for users in the new Kubernetes cluster
 ResolvedaborreroT236074 Toolforge: rebuild the new k8s toolsbeta deployment and write final docs
 ResolvedaborreroT236249 Toolforge: new k8s: upload internal docker images to our registry
 ResolvedaborreroT236824 Toolforge: new k8s: get new deb packages for 1.15.4 or 1.15.5
 ResolvedaborreroT237443 toolsbeta: new k8s: deploy a front proxy (dynamicproxy)
 Resolved BstormT237541 CoreDNS in the new k8s cluster cannot talk to the Cloud recursors
 DeclinedNoneT238641 toolforge: some additional testing before final migration
 ResolvedaborreroT239403 toolforge: new k8s: scale up a bit the cluster before final tests and initial migrations
 OpenNoneT239404 toolforge: new k8s: evaluate DNS (coredns) autoscale options
 ResolvedaborreroT239405 toolforge: new k8s: evaluate ingress controller reload behaviour
 StalledNoneT239406 toolforge: new k8s: evalute and test firewalling via calico
 ResolvedaborreroT238655 toolforge: new k8s: issues with the apiserver and etcd
 Resolved BstormT215553 Figure out cert management for Toolforge kubernetes and make it clear in documents, etc. for the upgrade
 Resolved BstormT169287 etcd config depends on puppet certs, but puppet doesn't know
 ResolvedyuvipandaT119814 Figure out how to deal with SSL cert issues for kubernetes masters
 DuplicateNoneT144153 Move kubernetes authentication to using X.509 client certs
 Resolved BstormT215678 Replace each of the custom controllers with something in a new Toolforge Kubernetes setup
 Resolved BstormT227290 Design and document how to integrate the new Toolforge k8s cluster with PodSecurityPolicy
 Resolved BstormT238162 Establish a process for renewing TLS certs for the 2 webhook controllers
 DuplicateNoneT224273 Toolforge: develop new k8s cluster in toolsbeta
 Resolved BstormT233372 Create a "novaobserver" equivalent for Toolforge Kubernetes cluster inspection
Restricted Task
 ResolvedaborreroT235627 Toolforge: upgrade main proxy servers to Debian Buster
 DuplicateNoneT235756 Toolforge: webservice utility: add support for thew new k8s setup
 Resolved BstormT236202 Modify webservice and maintain-kubeusers to allow switching to the new cluster
 Resolved BstormT228499 Toolforge: changes to maintain-kubeusers
 Resolved BstormT229058 Replace the nslcd mount in containers from the old Toolforge cluster with something that will work with sssd in the new one
 Resolved BstormT237836 `webservice restart` regression with backend=kubernetes in webservice 0.51
 ResolvedaborreroT236826 Toolforge: new k8s: initial build of the new kubernetes cluster
 ResolvedaborreroT237633 Request increased quota for tools Cloud VPS project
 ResolvedaborreroT237643 toolforge: new k8s: figure out metrics / observability
 ResolvedaborreroT237557 new proxy and etcd nodes unreachable by ssh for tools-prometheus
 ResolvedaborreroT238058 toolforge: prometheus-node-exporter not working on tools-proxy-06
 ResolvedaborreroT238096 Toolforge: prometheus: refresh setup
 ResolvedaborreroT245180 Document and test failing over prometheus
 ResolvedaborreroT240402 Deploy or consciously decide not to deploy metrics-server in toolforge kubernetes
 ResolvedaborreroT241853 Move metrics-server and kube-state-metrics into the new metrics namespace
 Resolved BstormT237784 Document migration plans and timelines
 Resolved BstormT237789 Document (and execute) the upgrade process for the new Toolforge K8s cluster
 Resolved BstormT238654 toolforge: new k8s: issues with routing interfering with DNS in the cluster as well as the webhook controllers
 DuplicateNoneT239407 toolforge: new k8s: package newer/more convenient python3 k8s client libs
 ResolvedaborreroT239409 toolforge: new k8s: introduce more robust controls for deb pkg versions
Restricted Task
 OpenNoneT272905 Reduce privs of metrics pods where we can
 Resolved BstormT240922 Change name of commons_describer tool or provide some workaround for Kubernetes/DNS
 Resolvedbd808T240923 Fix toolschecker's insistence that a kubeconfig is json
 InvalidaborreroT240925 `kubectl get pods` fails after switching to new k8s cluster
 Resolvedbd808T241008 New k8s cluster routing behaving strangely for bd808-test tool
 Resolvedbd808T241310 Kubernetes ingress passes it's port & proto to apps rather than the port & proto from the front proxy
Restricted Task
 ResolvedSecurity BstormT242067 Error joining new worker node to Toolforge Kubernetes cluster
 ResolvedaborreroT242719 https://tools.wmflabs.org/{toolname} no longer redirects to https://tools.wmflabs.org/{toolname}/ on new k8s cluster
 Resolvedbd808T242824 Tool account cannot list all namespaced objects in its Kubernetes namespace
 DuplicateNoneT243468 Add smarter resourcing logic to kubernetes backend of webservice
 Resolved BstormT244289 Improve limit range management in webservice for Kubernetes
 Resolvedbd808T244293 Add a function to webservice called "migrate" that will push a tool from the old cluster on Kubernetes to the new one
 Resolvedbd808T244791 Scale up 2020 Kubernetes cluster for final migration of legacy cluster workloads

Event Timeline

bd808 created this task.Feb 14 2020, 12:54 AM
Reedy renamed this task from Invesitgate cpu/ram requests and limits for DaemonSets pods to Investigate cpu/ram requests and limits for DaemonSets pods.Feb 14 2020, 6:24 AM
Bstorm added a comment.Feb 14 2020, 3:35 PM

I absolutely do not want to tune down the request values on cluster-critical pods, regarding Calico and kube-proxy. That's one of the design problems in the old cluster is that the kernel will sacrifice workloads that aren't in the cluster (like flannel) to save things that are in the cluster (nearly all user workloads). The ingress controllers are requested at 1GB RAM, for instance and, I think, 1 CPU. Without that they were scheduled terribly and caused early cluster failures. I kind of want to go the other way and reserve some ram for it as well.

All that said, kube-proxy having a lack of limits doesn't seem like a problem to me because the limits will be enforced by basically having the node commit suicide, if they are enforced at all. Kube-proxy is generally pretty light since it is just a firewall manager, but if it starts consuming all the resources, we may as well let it. The node will be hosed either way. It will be hosed harder if calico collapses than kube-proxy, but either way, webservices will stop working there.

Cadvisor on the other hand, we can do things with. That's just there for monitoring, not some critical function that keeps it moving. 150m is an extremely small request, though.

Question: is that CPU and RAM measuring with metrics-server (kubectl top)? If so, that's what these things need. If we restrict it, they just fall into a kill loop.

bd808 added a comment.Feb 14 2020, 6:31 PM
In T245230#5885092, @Bstorm wrote:

I absolutely do not want to tune down the request values on cluster-critical pods, regarding Calico and kube-proxy.

Fair. This is why I phrased the task as investigate and not some direct call for remediation action.

Cadvisor on the other hand, we can do things with.

The 2000Mi RAM hard limit was the more concerning number to me for this one. With only 8G of total RAM per node including space for the kernel, 2G for metrics collection feels excessive. I know hard limits and requests are not the same thing, but limits are there to help us tune what gets evicted first when misbehaving to some extent.

Question: is that CPU and RAM measuring with metrics-server (kubectl top)? If so, that's what these things need. If we restrict it, they just fall into a kill loop.

It is measuring with the metrics.k8s.io/v1beta1 API which I think is functionally equivalent to kubectl top. See https://tools.wmflabs.org/k8s-status/nodes/ and its drill-down pages for where I was reading values from.

Bstorm added a comment.Feb 14 2020, 6:39 PM
In T245230#5885549, @bd808 wrote:
In T245230#5885092, @Bstorm wrote:

I absolutely do not want to tune down the request values on cluster-critical pods, regarding Calico and kube-proxy.

Fair. This is why I phrased the task as investigate and not some direct call for remediation action.

Legit. My initial reply was more like "EEP!" And this was the toned down version 😉

The 2000Mi RAM hard limit was the more concerning number to me for this one. With only 8G of total RAM per node including space for the kernel, 2G for metrics collection feels excessive. I know hard limits and requests are not the same thing, but limits are there to help us tune what gets evicted first when misbehaving to some extent.

Yeah, that seems high. I also wonder if we shouldn't be building bigger nodes with smaller disks for Kubernetes in Toolforge. 1G seems like it should be more than enough, no? I wonder what they consume under load? I also am now curious if that's default from upstream or if that's just a value selected when we deployed it. All worth checking.

It is measuring with the metrics.k8s.io/v1beta1 API which I think is functionally equivalent to kubectl top. See https://tools.wmflabs.org/k8s-status/nodes/ and its drill-down pages for where I was reading values from.

Ah, so that unfortunately would represent what these things actually consume at rest. 😬

bd808 triaged this task as Low priority.Feb 25 2020, 5:06 PM
bd808 moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
bd808 removed a parent task: T214513: Deploy and migrate tools to a Kubernetes v1.15 or newer cluster.Mar 2 2020, 6:06 PM
bd808 added a subtask: T214513: Deploy and migrate tools to a Kubernetes v1.15 or newer cluster.
bd808 closed subtask T214513: Deploy and migrate tools to a Kubernetes v1.15 or newer cluster as Resolved.Apr 11 2020, 8:47 PM
aborrero closed this task as Declined.Feb 11 2021, 5:42 PM

We decided to decline this task in the backlog grooming meeting.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL