Add new tooling to cri.py to support modifying kubelet using a daemonset with predefined custom kubelet flags#1034
Add new tooling to cri.py to support modifying kubelet using a daemonset with predefined custom kubelet flags#1034pdamianov-dev wants to merge 33 commits intomainfrom
Conversation
pdamianov-dev
requested review from
sumanthreddy29,
vittoriasalim,
wonderyl and
xinWeiWei24
as code owners
There was a problem hiding this comment.
Pull request overview
Adds a new “CRI pressure” execution path that can modify kubelet flags via a privileged DaemonSet before running ClusterLoader2, enabling node pressure testing for node hardening work.
Changes:
- Switches the k8s-resource-pressure topology to use a new
cri-pressureengine template. - Adds a new pipeline step template that applies a kubelet-modifying DaemonSet before running the benchmark.
- Extends
cri.pywith amodify-kubeletsubcommand and adds DaemonSet-manifest generation inclusterloader2/utils.py.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| steps/topology/k8s-resource-pressure/execute-clusterloader2.yml | Routes the topology to the new cri-pressure execution template. |
| steps/engine/clusterloader2/cri-pressure/execute.yml | Adds a pre-benchmark step to apply a kubelet config updater DaemonSet, then runs CL2. |
| modules/python/clusterloader2/utils.py | Adds DaemonSet YAML generation for updating kubelet flags (but also modifies imports/initialization). |
| modules/python/clusterloader2/cri/cri.py | Adds modify-kubelet CLI command and wires it to the DaemonSet generator. |
| parser_modify_kubelet.add_argument( | ||
| "--custom_kubelet_config", type=str, help="Custom kubelet flags in string format" | ||
| ) |
There was a problem hiding this comment.
--custom_kubelet_config is optional, but modify-kubelet depends on it to generate the DaemonSet. Make this argument required (or validate non-empty and exit with a clear error) to avoid applying a manifest with an empty/None flags string.
| # Sub-command for modify-kubelet | ||
| parser_modify_kubelet = subparsers.add_parser( | ||
| "modify-kubelet", help="Add custom flags to kubelet and apply via daemonset" | ||
| ) | ||
| parser_modify_kubelet.add_argument( |
There was a problem hiding this comment.
There are existing unit tests covering main() subcommands in modules/python/tests/test_cri.py, but the new modify-kubelet subcommand isn’t covered. Add a test that exercises arg parsing and verifies it invokes the right handler (and ideally validates the manifest output path).
| from xml.dom import minidom | ||
| import json | ||
| import os | ||
| import docker | ||
| from clients.docker_client import DockerClient | ||
| from utils.logger_config import get_logger, setup_logging | ||
|
|
||
| setup_logging() | ||
| logger = get_logger(__name__) | ||
|
|
There was a problem hiding this comment.
The imports / module-level initialization for Docker + logging were removed, but this module still references DockerClient, docker.errors.ContainerError, and logger (e.g., in run_cl2_command and process_cl2_reports). This will raise NameError at runtime when running clusterloader2. Re-introduce the needed imports and define logger (or switch these functions to use logging.getLogger(__name__) and ensure docker/DockerClient are imported).
| labels: | ||
| app: kubelet-config-updater | ||
| spec: | ||
| hostPID: true | ||
| containers: |
There was a problem hiding this comment.
This DaemonSet is privileged with host mounts but has no node scoping. As written it can run on every node and modify kubelet configuration cluster-wide. Add a nodeSelector/affinity (e.g., cri-resource-consume=true) and at minimum constrain to Linux nodes to reduce blast radius.
…/telescope into pdamianov-dev/k8s-pressure
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| "--registry_info", type=str, help="Container registry information scraped", | ||
| ) | ||
|
|
||
| # Sub-command for modify-kubelet |
There was a problem hiding this comment.
if you need to apply daemonset before benchmarking start, you can apply it at validation stage rather than in the engine e.g : https://github.com/Azure/telescope/pull/1045/changes
https://github.com/Azure/telescope/blob/main/steps/topology/karpenter/validate-resources.yml
I am not exactly sure what is this for
if you need to modify the node image, can do something like this https://github.com/Azure/telescope/pull/1044/changes
| kind: DaemonSet | ||
| metadata: | ||
| name: kubelet-config-updater | ||
| namespace: kube-system |
There was a problem hiding this comment.
can we move this to validation stage , e.g: https://github.com/Azure/telescope/pull/1045/changes
There was a problem hiding this comment.
Yea I can take a look at this, my only real concern is how to pass the parameters in as the yaml itself, and will let you know if I can have the same effect
There was a problem hiding this comment.
We have this example where it patch the VM_SIZE to yaml template
…/telescope into pdamianov-dev/k8s-pressure
…/telescope into pdamianov-dev/k8s-pressure
Removed the modify_kubelet_clusterloader2 function and its associated functionality.
| @@ -1,8 +1,34 @@ | |||
| trigger: none | |||
|
|
|||
| parameters: | |||
There was a problem hiding this comment.
We do not need parameters , simply enable them in your test
n1-p60-memory-managed:
node_count: 1
max_pods: 60
repeats: 1
operation_timeout: 3m
load_type: memory
pod_startup_latency_threshold: 23s
kubernetes_version: "1.34"
k8s_os_disk_type: Managed
scrape_kubelets: True
enable_custom_kubelet: false
kubelet_config_type: "eviction-hard" # eviction-soft, eviction-soft-grace-period
in validate-resources
can call
$KUBELET_CONFIG_TYPE
if KUBELET_CONFIG_TYPE == ëviction-hard :
- override the memory, nodefs and pid
else if
else if
so on and so on
There was a problem hiding this comment.
What if we want to pass in different flags with each run without changing the pipeline definition?
There was a problem hiding this comment.
Our intention may not be to schedule this pipeline, we will most likely do it manually or have a separate pipeline trigger
There was a problem hiding this comment.
what if i set a queue time variable instead?
2 participants
This is related to the creation of a suitable framework to run pressure tests against node images as part of Node Hardening efforts.
Supporting documents: