Page MenuHomePhabricator
Create Task
Maniphest T310618

Define priorityClassName for istio and cert-manager deployments
Closed, ResolvedPublic
Actions

Description

Starting from k8s 1.17 critical pods can now be created in namespaces other than kube-system. To limit critical pods to the kube-system namespace, cluster admins should create an admission configuration file limiting critical pods by default, and a matching quota object in the kube-system namespace permitting critical pods in that namespace. See https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default for details. (#76310)

This should have been possible already with 1.16 and we're prepared to just switch it on in:

  • custom_deploy.d/istio/main/config.yaml
  • custom_deploy.d/istio/ml-serve/config.yaml
  • charts/cert-manager/values.yaml

It would probably make sense to add support into the cfss-issuer chart as well and set the same class as for cert-manager

Details

SubjectRepoBranchLines +/-
cfssl-issuer: Set priorityClassName system-cluster-criticaloperations/deployment-chartsmaster+6 -1
custom_deploy: Set priorityClass for istio in ml and dseoperations/deployment-chartsmaster+3 -0
admin_ng: Remove warning comment about allowCriticalPodsoperations/deployment-chartsmaster+0 -3
cert-manager: Set priorityClassName by defaultoperations/deployment-chartsmaster+2 -2
Add istio config for main/wikikube clusters on k8s 1.23operations/deployment-chartsmaster+99 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

JMeybohm created this task.Jun 14 2022, 2:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 14 2022, 2:05 PM
JMeybohm mentioned this in T307943: Update Kubernetes clusters to v1.23.Jun 14 2022, 2:18 PM
jijiki moved this task from Incoming 🐫 to 🙈🙉🙊Backlog on the serviceops board.Sep 28 2022, 2:18 PM
JMeybohm moved this task from 🙈🙉🙊Backlog to ⎈Kubernetes on the serviceops board.Oct 10 2022, 7:27 AM
jijiki moved this task from ⎈Kubernetes to Backlog FY23-24 🚜 on the serviceops board.Nov 8 2022, 6:12 PM
JMeybohm triaged this task as Low priority.Nov 10 2022, 10:22 AM
gerritbot added a comment.Jan 10 2023, 8:17 PM

Change 878190 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add istio config for main/wikikube clusters on k8s 1.23

https://gerrit.wikimedia.org/r/878190

gerritbot added a project: Patch-For-Review.Jan 10 2023, 8:17 PM
gerritbot added a comment.Jan 11 2023, 4:47 PM

Change 878190 merged by jenkins-bot:

[operations/deployment-charts@master] Add istio config for main/wikikube clusters on k8s 1.23

https://gerrit.wikimedia.org/r/878190

gerritbot added a comment.Mar 7 2023, 11:15 AM

Change 895169 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] cert-manager: Set priorityClassName by default

https://gerrit.wikimedia.org/r/895169

gerritbot added a comment.Mar 7 2023, 11:16 AM

Change 895170 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] admin_ng: Remove warning comment about allowCriticalPods

https://gerrit.wikimedia.org/r/895170

gerritbot added a comment.Mar 7 2023, 11:16 AM

Change 895171 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] custom_deploy: Set priorityClass for istio in ml and dse

https://gerrit.wikimedia.org/r/895171

JMeybohm claimed this task.Mar 7 2023, 11:18 AM
JMeybohm moved this task from Backlog FY23-24 🚜 to Doing 😎 on the serviceops board.
gerritbot added a comment.Mar 7 2023, 11:35 AM

Change 895169 merged by jenkins-bot:

[operations/deployment-charts@master] cert-manager: Set priorityClassName by default

https://gerrit.wikimedia.org/r/895169

gerritbot added a comment.Mar 7 2023, 11:37 AM

Change 895170 merged by jenkins-bot:

[operations/deployment-charts@master] admin_ng: Remove warning comment about allowCriticalPods

https://gerrit.wikimedia.org/r/895170

gerritbot added a comment.Mar 7 2023, 11:37 AM

Change 895171 merged by jenkins-bot:

[operations/deployment-charts@master] custom_deploy: Set priorityClass for istio in ml and dse

https://gerrit.wikimedia.org/r/895171

gerritbot added a comment.Mar 7 2023, 11:51 AM

Change 895179 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] cfssl-issuer: Set priorityClassName system-cluster-critical

https://gerrit.wikimedia.org/r/895179

gerritbot added a comment.Mar 7 2023, 12:06 PM

Change 895179 merged by jenkins-bot:

[operations/deployment-charts@master] cfssl-issuer: Set priorityClassName system-cluster-critical

https://gerrit.wikimedia.org/r/895179

JMeybohm closed this task as Resolved.Mar 7 2023, 12:24 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL