@@ -538,7 +538,24 @@ connection to the apiserver. Access control through a validating admission
538
538
policy can ensure that the drivers running on one node are not allowed to
539
539
create or modify ` ResourceSlices ` belonging to another node. The ` nodeName `
540
540
and ` driverName ` fields in each ` ResourceSlice ` object are used to determine which objects are
541
- managed by which driver instance.
541
+ managed by which driver instance. The owner reference ensures that objects
542
+ beloging to a node get cleaned up when the node gets removed.
543
+
544
+ In addition, whenever kubelet starts, it first deletes all ` ResourceSlices `
545
+ belonging to the node with a ` DeleteCollection ` call that uses the node name in
546
+ a field filter. This ensures that no pods depending in DRA get scheduled to the
547
+ node until the required DRA drivers have started up again (node reboot) and
548
+ reconnected to kubelet (kubelet restart). It also ensures that drivers which
549
+ don't get started up again at all don't leave stale ` ResourceSlices `
550
+ behind. Garbage collection does not help in this case because the node object
551
+ still exists. For the same reasons, the ResourceSlices belonging to a driver
552
+ get removed when the driver unregisters, this time with a field filter for node
553
+ name and driver name.
554
+
555
+ Deleting ` ResourceSlices ` is possible because all information in them can be
556
+ reconstructed by the driver. This has no effect on already allocated claims
557
+ because the allocation result is tracked in those claims, not the
558
+ ` ResourceSlice ` objects (see [ below] ( #state-and-communication ) ).
542
559
543
560
Embedded inside each ` ResourceSlice ` is the representation of the resources
544
561
managed by a driver according to a specific "structured model". In the example
@@ -2068,16 +2085,12 @@ kubelet wouldn't know about a new version anyway.
2068
2085
2069
2086
Keeping kubelet at some old release while upgrading the control and DRA drivers
2070
2087
is desirable and officially supported by Kubernetes. To support the same when
2071
- using DRA, the kubelet now leaves ResourceSlice handling (almost) entirely to
2072
- the plugins. The one exception is that it deletes all ResourceSlices on
2073
- startup. This ensures that no pods depending in DRA get scheduled to the node
2074
- until the required DRA drivers have started up again. It also ensures that
2075
- drivers which don't get started up again at all don't leave stale
2076
- ResourceSlices behind. For the same reasons, the ResourceSlices belonging to a
2077
- driver get removed when the driver unregisters. This access is done with
2078
- whatever resource.k8s.io API version is the latest known to the kubelet. To
2079
- support version skew, support for older API versions must be preserved as far
2080
- back as support for older kubelet releases is desired.
2088
+ using DRA, the kubelet now leaves [ ResourceSlice
2089
+ handling] ( #publishing-node-resources ) almost entirely to the plugins. The
2090
+ remaining calls are done with whatever resource.k8s.io API version is the
2091
+ latest known to the kubelet. To support version skew, support for older API
2092
+ versions must be preserved as far back as support for older kubelet releases is
2093
+ desired.
2081
2094
2082
2095
#### Security
2083
2096
0 commit comments