Webhook

By default, CRI Resource Manager does not see the original container resource requirements specified in the Pod Spec. It tries to calculate these for cpu and memory compute resources using the related parameters present in the CRI container creation request. The resulting estimates are normally accurate for cpu, and also for memory limits. However, it is not possible to use these parameters to estimate memory requests or any extended resources.

If you want to make sure that CRI Resource Manager uses the original Pod Spec resource requirements, you need to duplicate these as annotations on the Pod. This is necessary if you plan to use or write a policy which needs extended resources.

This process can be fully automated using the CRI Resource Manager Annotating Webhook. Once you have built the Docker* image for it using the provided Dockerfile and published it, you can set up the webhook as follows:

  • Fill in the IMAGE_PLACEHOLDER in webhook-deployment.yaml to match the image.

  • Create a cri-resmgr-webhook-secret that carries a key and a certificate to cri-resmgr-webhook. You can create a key, a self-signed certificate and the secret that holds them with the following commands:

    SVC=cri-resmgr-webhook NS=cri-resmgr
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
      -keyout cmd/cri-resmgr-webhook/server-key.pem \
      -out cmd/cri-resmgr-webhook/server-crt.pem \
      -subj "/CN=$SVC.$NS.svc" \
      -addext "subjectAltName=DNS:$SVC,DNS:$SVC.$NS,DNS:$SVC.$NS.svc"
    cat >cmd/cri-resmgr-webhook/webhook-secret.yaml <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: cri-resmgr-webhook-secret
      namespace: $NS
    data:
      svc.crt: $(base64 -w0 < cmd/cri-resmgr-webhook/server-crt.pem)
      svc.key: $(base64 -w0 < cmd/cri-resmgr-webhook/server-key.pem)
    type: Opaque
    EOF
    kubectl create namespace $NS
    kubectl create -f cmd/cri-resmgr-webhook/webhook-secret.yaml
    
  • Fill in the CA_BUNDLE_PLACEHOLDER in mutating-webhook-config.yaml. If you created the key and the certificate with the commands above, you can do this with the following command:

    sed -e "s/CA_BUNDLE_PLACEHOLDER/$(base64 -w0 < cmd/cri-resmgr-webhook/server-crt.pem)/" \
        -i cmd/cri-resmgr-webhook/mutating-webhook-config.yaml
    
  • Finally, set up the webhook with these commands:

    kubectl apply -f cmd/cri-resmgr-webhook/webhook-deployment.yaml
    kubectl wait --for=condition=Available -n cri-resmgr deployments/cri-resmgr-webhook
    kubectl apply -f cmd/cri-resmgr-webhook/mutating-webhook-config.yaml
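
A pre-flight check for the files produced by the steps above, to run before the final `kubectl apply` commands. This is an added example, not part of CRI Resource Manager: `preflight_webhook` is a hypothetical helper, and it assumes the file names used above and a manifest line of the form `caBundle: <base64>`.

```shell
# Added example, not project code. preflight_webhook is a hypothetical helper;
# it assumes the file names from the steps above and a "caBundle: <base64>" line.
preflight_webhook() {
    dir=${1:-cmd/cri-resmgr-webhook}
    rc=0

    # 1. Both placeholders must have been replaced.
    if grep -q IMAGE_PLACEHOLDER "$dir/webhook-deployment.yaml"; then
        echo "FAIL: IMAGE_PLACEHOLDER not filled in" >&2; rc=1
    fi
    if grep -q CA_BUNDLE_PLACEHOLDER "$dir/mutating-webhook-config.yaml"; then
        echo "FAIL: CA_BUNDLE_PLACEHOLDER not filled in" >&2; rc=1
    fi

    # 2. The certificate is self-signed, so the caBundle the API server
    #    trusts must decode to exactly the certificate the webhook serves.
    bundle=$(sed -n 's/^[[:space:]]*caBundle:[[:space:]]*//p' \
        "$dir/mutating-webhook-config.yaml" | tr -d '"' | head -n 1)
    if ! printf '%s' "$bundle" | base64 -d 2>/dev/null |
            cmp -s - "$dir/server-crt.pem"; then
        echo "FAIL: caBundle does not match server-crt.pem" >&2; rc=1
    fi

    # 3. The key is unencrypted (-nodes) and webhook-secret.yaml holds it
    #    merely base64-encoded, so neither file may be group/world accessible.
    for f in server-key.pem webhook-secret.yaml; do
        [ -e "$dir/$f" ] || continue
        perm=$(stat -c %a "$dir/$f")   # GNU stat, like base64 -w0 above
        case $perm in
            *00|0) ;;
            *) echo "FAIL: $f has mode $perm, expected 600" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}
```

A non-zero return means at least one check failed; the messages on stderr name the file to fix before applying the manifests.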