KubernetesExecutor multi_namespace_mode can use namespace list to avoid requiring cluster role #28047
Conversation
boring-cyborg
bot
added
provider:cncf-kubernetes
|
Hi @potiuk and @ferruzzi tagging you both, to follow up our earlier discussion in the mail list. |
XD-DENG
force-pushed
the
external_k8s-executor-for-enterprise-k8s-env
branch
2 times, most recently
from
ae1a487 to
ef75732
Compare
XD-DENG
force-pushed
the
external_k8s-executor-for-enterprise-k8s-env
branch
2 times, most recently
from
d75171b to
1c1f25d
Compare
|
Hi @dstandish , clarified/addressed your earlier comments. Pls help take another look when you get time? Thanks a lot! |
dstandish
changed the title
|
i just noticed something coincidentally... you may want to look at file task handler. when reading logs from k8s task, seems to assume single namespace |
Thanks @dstandish , yes, I have already noticed that earlier. I plan to address that separately later though if by then other folks haven't taken it up. That part was totally missed when this |
sounds good |
|
Hi @dstandish , I tried to address your earlier comments (very nice inputs!), either changes have been made or I have clarified why I would prefer to do differently. Please let me know your thoughts. (Sorry for getting back to you a bit slowly. Only have some time after work for this) |
|
there is nothing slow about it at all... lemme look |
There was a problem hiding this comment.
looks good to me. maybe worth getting second set of eyes e.g. from @jedcunningham or @uranusjr
| resource_version = "0" | ||
| resource_version: dict[str, str] = {} |
There was a problem hiding this comment.
We can probably improve this class further, but that can be a separate PR.
|
Thanks both @dstandish @uranusjr ! The whole PR has improved a lot through the review. May I also get some inputs from you about the failing test? The log isn't helping much. |
|
This looks like it's coming from one of your changes @XD-DENG - it's hard to say what precisely it is - because one of your tests is likely exhausting all 64 GB of memory that the builders have (that's what error 137 is) and it happens very consistently on all your tests - and it does not seem to be happening on others. You can easily reproduce those builds locally with Breeze and see what happens https://github.com/apache/airflow/blob/main/TESTING.rst#running-tests-using-breeze-from-the-host - seems like "Core" test type is failing. The main reason for having breeze is that you should be able to reproduce it locally. If not the memory exhaution you'd also get the instrunctions how to do it - but basically looks like some of the core tests fail and you could easily attempt to reproduce it the hash is in the CI logs: This will get you to the shell of the image that was used in the last CI build here: And you should be able to run the tests there. |
|
Yep @XD-DENG - exactly as I expected: At some point in time those tests start eating memory at the rate of > 1GB / 10 seconds. Just before the crash we have just 800 MB left, Something spins out of control and causes that - this only happens on your change, not all the other PRs nor main - so it MUST be something here that triggers it. Now we just need to find out what it might be:
|
|
My guess is - this is problem with cleanup. You have a LOT of parameterized tests and they are not cleaned up after each test and some of the left-overs (threads, processes etc. keep on running after each test). |
|
Thanks a lot @potiuk for helping check and sharing the Breeze/CI tips! |
|
Thanks again @potiuk . The hint you pointed out was very useful. After adding cf8ce59, the CI is finally running successfully! (we just need to end the executor explicitly in the tests). There are three items we would like to further check later:
But for now I believe we are good to go ahead and merge this PR itself. I would like to have @dstandish and @potiuk as co-authors for your significant contribution to this PR, if you have no objection :-) |
XD-DENG
changed the title
|
Actually I think we need a bit more protection, otherwise the same situation happens if for any reason those asserts will start to raise exceptions. try/finally and making sure that we always .end() after we .start() acrosss all the k8s tests is a much more robust solution. |
As a follow up after apache#28047, this PR will make the test cleanup more robust and resilient to any errors that might have caused kubernetes_executors left behind. wrapping start()/end() in try/finally will make the tests completely resilient to cases where the asserts start to fail - without those, any failure in tests would cause the same resource leakage as we initially had when #28407 was iterated on.
As a follow up after #28047, this PR will make the test cleanup more robust and resilient to any errors that might have caused kubernetes_executors left behind. wrapping start()/end() in try/finally will make the tests completely resilient to cases where the asserts start to fail - without those, any failure in tests would cause the same resource leakage as we initially had when #28407 was iterated on.
|
Hi @dstandish , for the File Task Handler issue we discussed earlier, I'm preparing the fix and should be ready within this week. FYI |
After apache#28047 the test_recover_from_resource_too_old started to fail in a flaky way. Turned out that - depend on some other test run the Singleton ResourceVersion could containt not one but two namespaces (including default namespace). Also while fixing the tests it's been noticed that the test missed an assert - it did not assert that the Exception was in fact thrown, so the test could have succeeded even if the exception was not really thrown (there was assert in "except" clause but if the exception was not thrown, it would not have been called at all).
After #28047 the test_recover_from_resource_too_old started to fail in a flaky way. Turned out that - depend on some other test run the Singleton ResourceVersion could containt not one but two namespaces (including default namespace). Also while fixing the tests it's been noticed that the test missed an assert - it did not assert that the Exception was in fact thrown, so the test could have succeeded even if the exception was not really thrown (there was assert in "except" clause but if the exception was not thrown, it would not have been called at all).
As a follow up after #28047, this PR will make the test cleanup more robust and resilient to any errors that might have caused kubernetes_executors left behind. wrapping start()/end() in try/finally will make the tests completely resilient to cases where the asserts start to fail - without those, any failure in tests would cause the same resource leakage as we initially had when #28407 was iterated on. (cherry picked from commit 3b203bc)
As a follow up after #28047, this PR will make the test cleanup more robust and resilient to any errors that might have caused kubernetes_executors left behind. wrapping start()/end() in try/finally will make the tests completely resilient to cases where the asserts start to fail - without those, any failure in tests would cause the same resource leakage as we initially had when #28407 was iterated on. (cherry picked from commit 3b203bc)
Currently
KubernetesExecutor'smulti_namespace_moderequires the Scheduler to have cluster-scope role on the Kubernetes Cluster, because it's using functionlist_pod_for_all_namespaces().However, in certain enterprise environments, it's not possible for users to have cluster-scope role. For example, they may only get permissions in a namespace, rather on the whole cluster. Always allowing the Scheduler pod to have cluster-scope role is not a good from security aspect either.
This change aims to make
KubernetesExecutor'smulti_namespace_modework without cluster-scope role.(This was discussed at the mail list at https://lists.apache.org/thread/xxsppw7qwvky78l6nx41vlz593gj4zqb)
I'm sure folks would have suggestions and we need to future refine this change, but I would like to bring up the discussion by creating this PR first.
UPDATE:
Advantages this change brings:
multi_namespace_mode)