sig-node/1029-ephemeral-storage-quotas/*:

[PannagaRao]

Modifications to push the changes to beta 1.31

KEP-1029: adding beta graduation criteria

• One-line PR description: Adding Implementation Details

• Issue link: Quotas for Ephemeral Storage #1029

• Other comments:

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: PannagaRao / name: Pannaga Rao Bhoja Ramamanohara (2e6b66b)

[k8s-ci-robot]

Welcome @PannagaRao!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @PannagaRao. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[haircommander]

/ok-to-test

[haircommander]

per our slack convo

/cc @soltysh for PRR review

[k8s-ci-robot]

@haircommander: GitHub didn't allow me to request PR reviews from the following users: for, PRR, review.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

per our slack convo

/cc @soltysh for PRR review

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[haircommander]

Note to a reviewer: the approach described here means the kubelet may enforce du quotas and xfs quotas simultaneously, if pods without a user namespace have a limit

[mrunalp]

Not sure what we mean by xfs-quota in Kubelet check.

[PannagaRao]

It is to check whether or not LocalStorageCapacityIsolationFSQuotaMonitoring flag is enabled. Modified the description to add the same.

[mrunalp]

Can we describe in more detail why we need to enable user namespaces?

[PannagaRao]

Added the description. Please let me know if it sounds good

[mrunalp]

Logs are written by a container monitor process to a directory which should't be under a quota so we need to clarify here.

[haircommander]

FYI this piece was just copy pasted from below. we can iterate here but just noting this isn't new

[PannagaRao]

Enforcement of quota on log directory is the existing behavior
https://discuss.kubernetes.io/t/why-stdout-logs-are-accounted-in-ephemeral-storage-usage/27815

[mrunalp]

Can you describe where the toggle is and the entity responsible for setting/unsetting it?

[soltysh]

I might have missed, but I'm missing an explanation how a user can be notified if the functionality is not working for them, ideally that will be part of ###### How can someone using this feature know that it is working for their instance? question that's missing. I'm mostly interested in how you report back to a user that the requested quota won't work, due to unsupported filesystem, or others like that.

[soltysh]

Since we're re-doing the beta PRR review, I'd update https://github.com/kubernetes/enhancements/blob/master/keps/prod-readiness/sig-node/1029.yaml#L5 as well with my name.

[soltysh]

The template has changed significantly between then and now can you update to match https://github.com/kubernetes/enhancements/blob/master/keps/NNNN-kep-template/README.md It looks like some of the current headers will need to be changed, some examples are:

• ### Implementation Details/Notes/Constraints [optional] -> ### Notes/Constraints/Caveats (Optional)
• the section ## Design Details seems empty, I'd probably move the bits from under #### Notes on Implementation which has all those details.

[PannagaRao]

Done

[soltysh]

Probably worth updating the unit test coverage, they are 2 years old.

[soltysh]

Any particular reason why we no integration tests are planned?

[haircommander]

kubelet doesn't really define many integration tests, going for unit and then node e2e instead

[soltysh]

Before the PRR section you're missing these 2:

• ### Upgrade / Downgrade Strategy
• ### Version Skew Strategy

Also in the ### Monitoring Requirements section can you update the questions to match the new template? Mostly it's just changing from * **<question... to ##### <question... and you're missing the following question:

• ###### How can someone using this feature know that it is working for their instance?

Same problem with ### Scalability section, and missing question:

• ###### Can enabling / using this feature result in resource exhaustion of some node resources (PIDs, sockets, inodes, etc.)?

Missing answer for ###### How does this feature react if the API server and/or etcd is unavailable?.

[PannagaRao]

Done

[soltysh]

A few more nits.

[soltysh]

Nit: this entire section seems best suited in the testing section, I'd just move all of that after ##### e2e tests.

[soltysh]

This document also needs update with the latest template https://github.com/kubernetes/enhancements/blob/master/keps/NNNN-kep-template/kep.yaml it's way out of date 😅

[PannagaRao]

Done

[soltysh]

In question ###### How can this feature be enabled / disabled in a live cluster? you only mentioned kubelet with LocalStorageCapacityIsolationFSQuotaMonitoring flag. But earlier in the #### Kubelet and API Server Skew: section you're talking about both kubelet and apiserver. So I'd expect this question to explicitly point out both feature gates. The same applies to the kep.yaml, I've pointed out it's out of date, and there's a separate section describing feature gates and components.

[soltysh]

In ###### How can a rollout or rollback fail? Can it impact already running workloads? you're saying that it won't affect already running workloads. What about the ones which enabled this functionality?

[soltysh]

In ###### Is the rollout accompanied by any deprecations and/or removals of features, APIs, fields of API types, flags, etc.? you probably want to just say No, since you're not removing any fields, features, flags, or anything like that.

[soltysh]

Nit, this question should be a bit higher in the doc, right after ###### How can an operator determine if the feature is in use by workloads? 😉

[PannagaRao]

Done

[soltysh]

Suggested change

	Yes, the feature depneds on project quotas. Once quotas are enabled, the xfs_quota tool can be used to
	Yes, the feature depends on project quotas. Once quotas are enabled, the xfs_quota tool can be used to

[haircommander]

@soltysh : @PannagaRao and I chatted about this and it feels more right just to include this one as it's net new for this feature. above in the enablement section we do mention UserNamespacesSupport as it's required, but I think it's more correct to just have this feature gate here. WDYT?

[soltysh]

Fair, let's keep it that way.

[soltysh]

/approve
for PRR

[haircommander]

/lgtm

[mrunalp]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrunalp, PannagaRao, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [soltysh]
• keps/sig-node/OWNERS [mrunalp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment