Merge pull request #241 from skyerus/issue-222_flagd-resource-limits

feat: introduce configurable resource limits for flagd sidecar

Author: skyerus

chart/templates/rendered.yaml

@@ -812,6 +812,8 @@ spec:
         - --health-probe-bind-address=:8081
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
+        - --flagd-cpu-limit=0.5
+        - --flagd-ram-limit=64M
         command:
         - /manager
         env:

config/default/manager_auth_proxy_patch.yaml

@@ -32,3 +32,5 @@ spec:
         - "--health-probe-bind-address=:8081"
         - "--metrics-bind-address=127.0.0.1:8080"
         - "--leader-elect"
+        - "--flagd-cpu-limit=0.5" # cores
+        - "--flagd-ram-limit=64M"

config/manager/manager.yaml

@@ -31,6 +31,8 @@ spec:
         - /manager
         args:
         - --leader-elect
+        - --flagd-cpu-limit=0.5
+        - --flagd-ram-limit=64M
         imagePullPolicy: IfNotPresent
         image: controller:main
         name: manager

main.go

@@ -18,6 +18,8 @@ package main
 
 import (
 	"flag"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"os"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -40,12 +42,13 @@ import (
 )
 
 var (
-	scheme               = runtime.NewScheme()
-	setupLog             = ctrl.Log.WithName("setup")
-	metricsAddr          string
-	enableLeaderElection bool
-	probeAddr            string
-	verbose              bool
+	scheme                                                         = runtime.NewScheme()
+	setupLog                                                       = ctrl.Log.WithName("setup")
+	metricsAddr                                                    string
+	enableLeaderElection                                           bool
+	probeAddr                                                      string
+	verbose                                                        bool
+	flagDCpuLimit, flagDRamLimit, flagDCpuRequest, flagDRamRequest string
 )
 
 func init() {
@@ -60,11 +63,17 @@ func main() {
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.BoolVar(&verbose, "verbose", true, "Disable verbose logging (default: true)")
+	flag.BoolVar(&verbose, "verbose", true, "Disable verbose logging")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 
+	// the following default values are chosen as a result of load testing: https://github.com/open-feature/flagd/blob/main/tests/loadtest/README.MD#performance-observations
+	flag.StringVar(&flagDCpuLimit, "flagd-cpu-limit", "0.5", "flagd CPU limit, in cores. (500m = .5 cores)")
+	flag.StringVar(&flagDRamLimit, "flagd-ram-limit", "64M", "flagd memory limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)")
+	flag.StringVar(&flagDCpuRequest, "flagd-cpu-request", "0.2", "flagd CPU minimum, in cores. (500m = .5 cores)")
+	flag.StringVar(&flagDRamRequest, "flagd-ram-request", "32M", "flagd memory minimum, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)")
+
 	level := zapcore.InfoLevel
 	if verbose {
 		level = zapcore.DebugLevel
@@ -78,6 +87,36 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	flagDCpuLimitResource, err := resource.ParseQuantity(flagDCpuLimit)
+	if err != nil {
+		setupLog.Error(err, "parse flagd cpu limit", "flagd-cpu-limit", flagDCpuLimit)
+		os.Exit(1)
+	}
+
+	flagDRamLimitResource, err := resource.ParseQuantity(flagDRamLimit)
+	if err != nil {
+		setupLog.Error(err, "parse flagd ram limit", "flagd-ram-limit", flagDRamLimit)
+		os.Exit(1)
+	}
+
+	flagDCpuRequestResource, err := resource.ParseQuantity(flagDCpuRequest)
+	if err != nil {
+		setupLog.Error(err, "parse flagd cpu request", "flagd-cpu-request", flagDCpuRequest)
+		os.Exit(1)
+	}
+
+	flagDRamRequestResource, err := resource.ParseQuantity(flagDRamRequest)
+	if err != nil {
+		setupLog.Error(err, "parse flagd ram request", "flagd-ram-request", flagDRamRequest)
+		os.Exit(1)
+	}
+
+	if flagDCpuRequestResource.Value() > flagDCpuLimitResource.Value() ||
+		flagDRamRequestResource.Value() > flagDRamLimitResource.Value() {
+		setupLog.Error(err, "flagd resource request is higher than the resource maximum")
+		os.Exit(1)
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
 		MetricsBindAddress:     metricsAddr,
@@ -111,6 +150,16 @@ func main() {
 	//+kubebuilder:scaffold:builder
 	hookServer := mgr.GetWebhookServer()
 	hookServer.Register("/mutate-v1-pod", &webhook.Admission{Handler: &webhooks.PodMutator{
+		FlagDResourceRequirements: corev1.ResourceRequirements{
+			Limits: map[corev1.ResourceName]resource.Quantity{
+				corev1.ResourceCPU:    flagDCpuLimitResource,
+				corev1.ResourceMemory: flagDRamLimitResource,
+			},
+			Requests: map[corev1.ResourceName]resource.Quantity{
+				corev1.ResourceCPU:    flagDCpuRequestResource,
+				corev1.ResourceMemory: flagDRamRequestResource,
+			},
+		},
 		Client: mgr.GetClient(),
 		Log:    ctrl.Log.WithName("mutating-pod-webhook"),
 	}})

webhooks/pod_webhook.go

@@ -41,9 +41,10 @@ var flagdMetricsPort int32 = 8014
 
 // PodMutator annotates Pods
 type PodMutator struct {
-	Client  client.Client
-	decoder *admission.Decoder
-	Log     logr.Logger
+	Client                    client.Client
+	FlagDResourceRequirements corev1.ResourceRequirements
+	decoder                   *admission.Decoder
+	Log                       logr.Logger
 }
 
 // Handle injects the flagd sidecar (if the prerequisites are all met)
@@ -352,6 +353,7 @@ func (m *PodMutator) injectSidecar(pod *corev1.Pod, featureFlags []*corev1alpha1
 			},
 		},
 		SecurityContext: setSecurityContext(),
+		Resources:       m.FlagDResourceRequirements,
 	})
 	return json.Marshal(pod)
 }