support pod topology spread constraints

also replace preferred affinity with topology spread constraint

Author: flavianmissi

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/gophercloud/gophercloud v0.17.0
 	github.com/gophercloud/utils v0.0.0-20210323225332-7b186010c04f
 	github.com/goware/urlx v0.3.1
-	github.com/openshift/api v0.0.0-20220203140920-bfe251c51d2d
+	github.com/openshift/api v0.0.0-20220421141645-441fe135b2fc
 	github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3
 	github.com/openshift/client-go v0.0.0-20211209144617-7385dd6338e3
 	github.com/openshift/library-go v0.0.0-20211220195323-eca2c467c492

go.sum

@@ -627,8 +627,8 @@ github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDs
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/openshift/api v0.0.0-20211209135129-c58d9f695577/go.mod h1:DoslCwtqUpr3d/gsbq4ZlkaMEdYqKxuypsDjorcHhME=
-github.com/openshift/api v0.0.0-20220203140920-bfe251c51d2d h1:WuD14VS4SFKKH5hKeYiHTswlEByICzMNvaZrDXUjZiY=
-github.com/openshift/api v0.0.0-20220203140920-bfe251c51d2d/go.mod h1:F/eU6jgr6Q2VhMu1mSpMmygxAELd7+BUxs3NHZ25jV4=
+github.com/openshift/api v0.0.0-20220421141645-441fe135b2fc h1:snZcb7+9+Hnb2VIp4QbUpClqK/4R3CK/lTyeDoGhefA=
+github.com/openshift/api v0.0.0-20220421141645-441fe135b2fc/go.mod h1:F/eU6jgr6Q2VhMu1mSpMmygxAELd7+BUxs3NHZ25jV4=
 github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3 h1:65oBhJYHzYK5VL0gF1eiYY37lLzyLZ47b9y5Kib1nf8=
 github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=

manifests/02-rbac.yaml

@@ -64,6 +64,7 @@ rules:
   resources:
   - limitranges
   - resourcequotas
+  - nodes
   verbs:
   - list
 - apiGroups:

pkg/client/fake/fixtures.go

@@ -34,6 +34,7 @@ type FixturesBuilder struct {
 	registryConfigsIndexer     cache.Indexer
 	proxyConfigsIndexer        cache.Indexer
 	infraIndexer               cache.Indexer
+	nodeIndexer                cache.Indexer
 
 	kClientSet []runtime.Object
 }
@@ -59,11 +60,24 @@ func NewFixturesBuilder() *FixturesBuilder {
 		registryConfigsIndexer:     cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}),
 		proxyConfigsIndexer:        cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}),
 		infraIndexer:               cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}),
+		nodeIndexer:                cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}),
 		kClientSet:                 []runtime.Object{},
 	}
 	return factory
 }
 
+// AddNodes adds corev1.Nodes to the lister cache
+func (f *FixturesBuilder) AddNodes(objs ...*corev1.Node) *FixturesBuilder {
+	for _, v := range objs {
+		err := f.nodeIndexer.Add(v)
+		if err != nil {
+			panic(err)
+		}
+		f.kClientSet = append(f.kClientSet, v)
+	}
+	return f
+}
+
 // AddDeployments adds appsv1.Deployments to the lister cache
 func (f *FixturesBuilder) AddDeployments(objs ...*appsv1.Deployment) *FixturesBuilder {
 	for _, v := range objs {

pkg/resource/podtemplatespec.go

@@ -380,45 +380,83 @@ func makePodTemplateSpec(coreClient coreset.CoreV1Interface, proxyLister configl
 		resources = *cr.Spec.Resources
 	}
 
+	nodes, err := coreClient.Nodes().List(context.TODO(), metav1.ListOptions{LabelSelector: "topology.kubernetes.io/zone"})
+	if err != nil {
+		return corev1.PodTemplateSpec{}, deps, fmt.Errorf("could not check nodes for zone failure domain: %s", err)
+	}
+	hasZoneFailureDomain := len(nodes.Items) >= 1
+
+	// defaults topology spread constraints to both zone, node and workers.
+	// on SNO environments, these constraints will always work, since the
+	// skew will always be 0.
+	// some bare metal cluster nodes will not include the zone labels, in
+	// which case we just omit the related constraint.
+	// we constraint scheduling to workers because we want to reduce the
+	// scope of scheduling to workers only. we need this constraint
+	// because tainted nodes (such as control plane nodes) are not excluded
+	// from skew calculations, so if we don't limit scheduling to workers
+	// the maxSkew won't allow more than one pod to be scheduled per node.
+	// see https://k8s.io/docs/concepts/workloads/pods/pod-topology-spread-constraints
+	// and https://github.com/kubernetes/kubernetes/issues/80921 for details.
+	topologySpreadConstraints := []corev1.TopologySpreadConstraint{
+		{
+			MaxSkew:           1,
+			TopologyKey:       "kubernetes.io/hostname",
+			WhenUnsatisfiable: corev1.DoNotSchedule,
+			LabelSelector: &metav1.LabelSelector{
+				MatchLabels: defaults.DeploymentLabels,
+			},
+		},
+		{
+			MaxSkew:           1,
+			TopologyKey:       "node-role.kubernetes.io/worker",
+			WhenUnsatisfiable: corev1.DoNotSchedule,
+			LabelSelector: &metav1.LabelSelector{
+				MatchLabels: defaults.DeploymentLabels,
+			},
+		},
+	}
+	if hasZoneFailureDomain {
+		zoneConstraint := corev1.TopologySpreadConstraint{
+			MaxSkew:           1,
+			TopologyKey:       "topology.kubernetes.io/zone",
+			WhenUnsatisfiable: corev1.DoNotSchedule,
+			LabelSelector: &metav1.LabelSelector{
+				MatchLabels: defaults.DeploymentLabels,
+			},
+		}
+		topologySpreadConstraints = append(topologySpreadConstraints, zoneConstraint)
+	}
+
+	// topology spread constraints might conflict with node selectors, so we
+	// do not set defaults when they're specified.
+	if cr.Spec.NodeSelector != nil {
+		topologySpreadConstraints = nil
+	}
+
+	if cr.Spec.TopologySpreadConstraints != nil {
+		topologySpreadConstraints = cr.Spec.TopologySpreadConstraints
+	}
+
 	// if user has provided an affinity through config spec we use it here, if not
 	// then we fallback to a preferred affinity configuration. we only require a
 	// certain affinity during schedule if the number of replicas is defined to two.
 	affinity := cr.Spec.Affinity
-	if affinity == nil {
+	if affinity == nil && cr.Spec.Replicas == 2 {
 		affinity = &corev1.Affinity{
 			PodAntiAffinity: &corev1.PodAntiAffinity{
-				PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{
+				RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{
 					{
-						Weight: 100,
-						PodAffinityTerm: corev1.PodAffinityTerm{
-							TopologyKey: "kubernetes.io/hostname",
-							Namespaces: []string{
-								defaults.ImageRegistryOperatorNamespace,
-							},
-							LabelSelector: &metav1.LabelSelector{
-								MatchLabels: defaults.DeploymentLabels,
-							},
+						TopologyKey: "kubernetes.io/hostname",
+						Namespaces: []string{
+							defaults.ImageRegistryOperatorNamespace,
 						},
-					},
-				},
-			},
-		}
-		if cr.Spec.Replicas == 2 {
-			affinity = &corev1.Affinity{
-				PodAntiAffinity: &corev1.PodAntiAffinity{
-					RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{
-						{
-							TopologyKey: "kubernetes.io/hostname",
-							Namespaces: []string{
-								defaults.ImageRegistryOperatorNamespace,
-							},
-							LabelSelector: &metav1.LabelSelector{
-								MatchLabels: defaults.DeploymentLabels,
-							},
+						LabelSelector: &metav1.LabelSelector{
+							MatchLabels: defaults.DeploymentLabels,
 						},
 					},
 				},
-			}
+			},
 		}
 	}
 
@@ -478,6 +516,7 @@ func makePodTemplateSpec(coreClient coreset.CoreV1Interface, proxyLister configl
 			ServiceAccountName:            defaults.ServiceAccountName,
 			SecurityContext:               securityContext,
 			Affinity:                      affinity,
+			TopologySpreadConstraints:     topologySpreadConstraints,
 			TerminationGracePeriodSeconds: &gracePeriod,
 		},
 	}