Set vpa webhook reinvocationPolicy: IfNeeded
#9191
Conversation
gardener-prow
bot
added
area/auto-scaling
gardener-prow
bot
added
the
size/XS
gardener-prow
bot
added
size/S
adjusted the PR description to contain this additional sentence
|
|
/retest |
|
/retest |
|
LGTM label has been added. Git tree hash: a517e99d8a7a8ec45fcb362a8431cd1409a6e7a8
|
voelzmo
force-pushed
the
fix/vpa-webhook-reinvocation
branch
from
ac967af
to
1dccede
Compare
gardener-prow
bot
added
size/M
|
LGTM label has been added. Git tree hash: 5d9d9a1c51f7fb7260a7ad4142f2d4f5beff55ac
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rfranzke The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
gardener-prow
bot
added
the
approved
voelzmo
force-pushed
the
fix/vpa-webhook-reinvocation
branch
from
1dccede
to
0256d25
Compare
|
/lgtm |
|
LGTM label has been added. Git tree hash: b61caf2b8f721f7ae2130fcf880c49804231686c
|
How to categorize this PR?
/area auto-scaling
/kind enhancement
What this PR does / why we need it:
Under normal circumstances, VPA is ignoring injected sidecar Containers. This is achieved by ensuring that the VPA admission-controller MutatingWebhook is called before all other webhooks which inject containers. The VPA admission-controller will add an annotation
vpaObservedContainerswith a list of all Containers found in a Pod and later on only apply recommendations to the Containers found in this annotation. This feature was introduced specifically to avoid endless eviction loops in the case where controllers injecting sidecar Containers are overwriting resources set by the VPA admission-controller.In gardener, however, we need the VPA admission-controller to be called after other webhooks inject containers, as we're e.g. putting containers injected by the provider extensions under control of VPA.
In this scenario, problems can arise if the injecting webhook specifies
reinvocationPolicy: IfNeededand unconditionally reconciles theresourcessection of the injected container. This way, it will overwrite the resources set by VPA, resulting in an endless eviction loop. This became visible after we introduced theapp-oidc-controller, which injects additional sidecar Containers and also adjusts theirresources.By setting vpa webhook
reinvocationPolicy: IfNeededfor the VPA admission-controller webhook, we ensure that the VPA admission-controller is invoked last, making sure that the requests are set correctly also for injected Containers.Release note: