Merge pull request #14 from appuio/feat/request-ratio-events

Add RatioController for detecting resource ratio violations

Author: glrf

.github/workflows/fuzz.yml

@@ -0,0 +1,32 @@
+name: Fuzz
+
+on:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Determine Go version from go.mod
+        run: echo "GO_VERSION=$(grep "go 1." go.mod | cut -d " " -f 2)" >> $GITHUB_ENV
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Run fuzz tests
+        run: make fuzz

.gitignore

@@ -16,3 +16,6 @@ node_modules/
 
 # tem cert
 webhook-certs/
+
+# fuzz testcases
+*/testdata/fuzz/

Makefile

@@ -37,6 +37,10 @@ run:
 .PHONY: test
 test: test-go ## All-in-one test
 
+.PHONY: fuzz
+fuzz:
+	go test ./ratio -fuzztime 1m -fuzz .
+
 .PHONY: test-go
 test-go: ## Run unit tests against code
 	go test -race -coverprofile cover.out -covermode atomic ./...

PROJECT

@@ -3,4 +3,8 @@ layout:
 - go.kubebuilder.io/v3
 projectName: appuio-cloud-agent
 repo: github.com/appuio/appuio-cloud-agent
+resources:
+- controller: true
+  kind: Pod
+  version: v1
 version: "3"

config/rbac/role.yaml

@@ -5,6 +5,13 @@ metadata:
   creationTimestamp: null
   name: appuio-cloud-agent
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - ""
   resources:

controllers/ratio_controller.go

@@ -0,0 +1,94 @@
+package controllers
+
+import (
+	"context"
+	"errors"
+
+	"github.com/appuio/appuio-cloud-agent/ratio"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/record"
+
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// RatioReconciler reconciles a Pod object
+type RatioReconciler struct {
+	client.Client
+	Recorder record.EventRecorder
+	Scheme   *runtime.Scheme
+
+	Ratio      ratioFetcher
+	RatioLimit *resource.Quantity
+}
+
+type ratioFetcher interface {
+	FetchRatio(ctx context.Context, ns string) (*ratio.Ratio, error)
+}
+
+//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+
+var eventReason = "TooMuchCPURequest"
+
+// Reconcile reacts to pod updates and emits events if the fair use request ratio is violated
+func (r *RatioReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	l := log.FromContext(ctx).WithValues("namespace", req.Namespace, "name", req.Name)
+
+	nsRatio, err := r.Ratio.FetchRatio(ctx, req.Namespace)
+	if err != nil {
+		if errors.Is(err, ratio.ErrorDisabled) {
+			l.V(1).Info("namespace disabled")
+			return ctrl.Result{}, nil
+		}
+		l.Error(err, "failed to get ratio")
+		return ctrl.Result{}, err
+	}
+
+	if nsRatio.Below(*r.RatioLimit) {
+		l.Info("recording warn event: ratio too low")
+
+		if err := r.warnPod(ctx, req.Name, req.Namespace, nsRatio); err != nil {
+			l.Error(err, "failed to record event on pod")
+		}
+		if err := r.warnNamespace(ctx, req.Namespace, nsRatio); err != nil {
+			l.Error(err, "failed to record event on namespace")
+		}
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func (r *RatioReconciler) warnPod(ctx context.Context, name, namespace string, nsRatio *ratio.Ratio) error {
+	pod := corev1.Pod{}
+	err := r.Get(ctx, client.ObjectKey{
+		Namespace: namespace,
+		Name:      name,
+	}, &pod)
+	if err != nil {
+		return err
+	}
+	r.Recorder.Event(&pod, "Warning", eventReason, nsRatio.Warn(r.RatioLimit))
+	return nil
+}
+func (r *RatioReconciler) warnNamespace(ctx context.Context, name string, nsRatio *ratio.Ratio) error {
+	ns := corev1.Namespace{}
+	err := r.Get(ctx, client.ObjectKey{
+		Name: name,
+	}, &ns)
+	if err != nil {
+		return err
+	}
+	r.Recorder.Event(&ns, "Warning", eventReason, nsRatio.Warn(r.RatioLimit))
+	return nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *RatioReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.Pod{}).
+		Complete(r)
+}

controllers/ratio_controller_test.go

@@ -0,0 +1,195 @@
+package controllers
+
+import (
+	"context"
+	"errors"
+
+	"github.com/appuio/appuio-cloud-agent/ratio"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"testing"
+
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestRatioReconciler_Warn(t *testing.T) {
+	recorder := record.NewFakeRecorder(4)
+	_, err := prepareTest(t, testCfg{
+		limit:       resource.MustParse("4G"),
+		fetchMemory: resource.MustParse("4G"),
+		fetchCPU:    resource.MustParse("1100m"),
+		recorder:    recorder,
+		obj: []client.Object{
+			testNs,
+			testPod,
+		},
+	}).Reconcile(context.TODO(), ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: testNs.Name,
+			Name:      testPod.Name,
+		},
+	})
+	assert.NoError(t, err)
+	require.Len(t, recorder.Events, 2)
+}
+
+func TestRatioReconciler_Ok(t *testing.T) {
+	recorder := record.NewFakeRecorder(4)
+	_, err := prepareTest(t, testCfg{
+		limit:       resource.MustParse("4G"),
+		fetchMemory: resource.MustParse("4G"),
+		fetchCPU:    resource.MustParse("900m"),
+		recorder:    recorder,
+		obj: []client.Object{
+			testNs,
+			testPod,
+		},
+	}).Reconcile(context.TODO(), ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: testNs.Name,
+			Name:      testPod.Name,
+		},
+	})
+	assert.NoError(t, err)
+	require.Len(t, recorder.Events, 0)
+}
+
+func TestRatioReconciler_Disabled(t *testing.T) {
+	recorder := record.NewFakeRecorder(4)
+	_, err := prepareTest(t, testCfg{
+		limit:    resource.MustParse("4G"),
+		fetchErr: ratio.ErrorDisabled,
+		recorder: recorder,
+		obj: []client.Object{
+			testNs,
+			testPod,
+		},
+	}).Reconcile(context.TODO(), ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: testNs.Name,
+			Name:      testPod.Name,
+		},
+	})
+	assert.NoError(t, err)
+	require.Len(t, recorder.Events, 0)
+}
+
+func TestRatioReconciler_Failed(t *testing.T) {
+	recorder := record.NewFakeRecorder(4)
+	_, err := prepareTest(t, testCfg{
+		limit:    resource.MustParse("4G"),
+		fetchErr: errors.New("internal"),
+		recorder: recorder,
+		obj: []client.Object{
+			testNs,
+			testPod,
+		},
+	}).Reconcile(context.TODO(), ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: testNs.Name,
+			Name:      testPod.Name,
+		},
+	})
+	assert.Error(t, err)
+	require.Len(t, recorder.Events, 0)
+}
+
+func TestRatioReconciler_RecordFailed(t *testing.T) {
+	wrongNs := *testNs
+	wrongNs.Name = "bar"
+	wrongPod := *testPod
+	wrongPod.Name = "asf"
+	wrongPod.Namespace = "asf"
+	recorder := record.NewFakeRecorder(4)
+	_, err := prepareTest(t, testCfg{
+		limit:       resource.MustParse("4G"),
+		fetchMemory: resource.MustParse("4G"),
+		fetchCPU:    resource.MustParse("1100m"),
+		recorder:    recorder,
+		obj: []client.Object{
+			&wrongNs,
+			&wrongPod,
+		},
+	}).Reconcile(context.TODO(), ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: testNs.Name,
+			Name:      testPod.Name,
+		},
+	})
+	assert.NoError(t, err)
+	if !assert.Len(t, recorder.Events, 0) {
+		for i := 0; i < len(recorder.Events); i++ {
+			e := <-recorder.Events
+			t.Log(e)
+		}
+	}
+}
+
+type testCfg struct {
+	limit       resource.Quantity
+	fetchErr    error
+	fetchCPU    resource.Quantity
+	fetchMemory resource.Quantity
+	obj         []client.Object
+	recorder    record.EventRecorder
+}
+
+func prepareTest(t *testing.T, cfg testCfg) *RatioReconciler {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	client := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(cfg.obj...).
+		Build()
+
+	if cfg.recorder == nil {
+		cfg.recorder = &record.FakeRecorder{}
+	}
+
+	return &RatioReconciler{
+		Client:   client,
+		Recorder: cfg.recorder,
+		Scheme:   scheme,
+		Ratio: fakeFetcher{
+			err: cfg.fetchErr,
+			ratio: &ratio.Ratio{
+				CPU:    cfg.fetchCPU.AsDec(),
+				Memory: cfg.fetchMemory.AsDec(),
+			},
+		},
+		RatioLimit: &cfg.limit,
+	}
+}
+
+type fakeFetcher struct {
+	err   error
+	ratio *ratio.Ratio
+}
+
+func (f fakeFetcher) FetchRatio(ctx context.Context, ns string) (*ratio.Ratio, error) {
+	return f.ratio, f.err
+}
+
+var testNs = &corev1.Namespace{
+	ObjectMeta: metav1.ObjectMeta{
+		Name: "foo",
+	},
+}
+var testPod = &corev1.Pod{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "pod",
+		Namespace: "foo",
+	},
+}

go.mod

@@ -4,6 +4,7 @@ go 1.18
 
 require (
 	github.com/stretchr/testify v1.7.1
+	gopkg.in/inf.v0 v0.9.1
 	k8s.io/api v0.23.5
 	k8s.io/apimachinery v0.23.5
 	k8s.io/client-go v0.23.5
@@ -64,7 +65,6 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/apiextensions-apiserver v0.23.5 // indirect