Skip to content

Commit 2170c11

Browse files
iholder101iholder101
committed
Risks and Mitigations - Memory-backed volumes
Signed-off-by: Itamar Holder <[email protected]>
1 parent 87083f7 commit 2170c11

File tree

1 file changed

+20
-0
lines changed

1 file changed

+20
-0
lines changed

keps/sig-node/2400-node-swap/README.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,7 @@
3131
- [Exhausting swap resource](#exhausting-swap-resource)
3232
- [Security risk](#security-risk)
3333
- [Cgroupv1 support](#cgroupv1-support)
34+
- [Memory-backed volumes](#memory-backed-volumes)
3435
- [Design Details](#design-details)
3536
- [Enabling swap as an end user](#enabling-swap-as-an-end-user)
3637
- [API Changes](#api-changes)
@@ -478,6 +479,25 @@ Additionally, end user may decide to disable swap completely for a Pod or a cont
478479
In the early release of this feature, there was a goal to support cgroup v1. As the feature progressed, sig-node realized that supporting swap with cgroup v1 would be very difficult.
479480
Therefore, this feature is limited to cgroupv2 only. The main goal is to deprecate cgroupv1 eventually so this should not be a major inconvience.
480481

482+
#### Memory-backed volumes
483+
484+
Kubernetes guarantees that some volumes' memory would never reside on disk, e.g. Secrets, memory-backed emptyDirs, etc.
485+
Behind the scenes, Kubelet mounts such volumes as tmpfs volumes on the host.
486+
487+
To address this risk, if `--fail-swap-on=false`, the [tmpfs noswap option](https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html)
488+
will be used in order to prevent the volumes' pages from swapping to disk.
489+
490+
Bear in mind that the tmpfs noswap option is fairly new and is supported in kernel versions >= 6.4. However, different
491+
Linux distributions can decide to backport this options to older versions of the kernel. Therefore, when
492+
`--fail-swap-on=false` is being provided on a node:
493+
* If the kernel version equals or is above 6.4, the tmpfs noswap option is being used when necessary.
494+
* Else, kubelet would try to mount a dummy volume with the tmpfs noswap option to understand whether the option is
495+
backported. If the mount succeeds, the tmpfs noswap option is being used when necessary.
496+
* Else, kubelet would raise a warning about the option not being supported and the possible risk.
497+
498+
In the longer term, when this option would be very widely supported, this would no longer be a concern, hence this logic
499+
could be dropped.
500+
481501
## Design Details
482502

483503
We summarize the implementation plan as following:

0 commit comments

Comments
 (0)