Webhook¶
By default CRI Resource Manager does not see the original container resource
requirements specified in the Pod Spec. It tries to calculate these for cpu
and memory compute resources using the related parameters present in the
CRI container creation request. The resulting estimates are normally accurate
for cpu, and also for memory limits. However, it is not possible to use
these parameters to estimate memory requests or any extended resources.
If you want to make sure that CRI Resource Manager uses the origin Pod Spec resource requirements, you need to duplicate these as annotations on the Pod. This is necessary if you plan using or writing a policy which needs extended resources.
This process can be fully automated using the CRI Resource Manager Annotating Webhook. Once you built the docker image for it using the provided Dockerfile and published it, you can set up the webhook as follows:
Fill in the
IMAGE_PLACEHOLDERin webhook-deployment.yaml to match the image.Create a
cri-resmgr-webhook-secretthat carries a key and a certificate tocri-resmgr-webhook. You can create a key, a self-signed certificate and the secret that holds them with commands:SVC=cri-resmgr-webhook NS=cri-resmgr openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \ -keyout cmd/cri-resmgr-webhook/server-key.pem \ -out cmd/cri-resmgr-webhook/server-crt.pem \ -subj "/CN=$SVC.$NS.svc" \ -addext "subjectAltName=DNS:$SVC,DNS:$SVC.$NS,DNS:$SVC.$NS.svc" cat >cmd/cri-resmgr-webhook/webhook-secret.yaml <<EOF apiVersion: v1 kind: Secret metadata: name: cri-resmgr-webhook-secret namespace: $NS data: svc.crt: $(base64 -w0 < cmd/cri-resmgr-webhook/server-crt.pem) svc.key: $(base64 -w0 < cmd/cri-resmgr-webhook/server-key.pem) type: Opaque EOF kubectl create namespace $NS kubectl create -f cmd/cri-resmgr-webhook/webhook-secret.yaml
Fill in the
CA_BUNDLE_PLACEHOLDERin mutating-webhook-config.yaml. If you created the key and the certificate with the commands above, you can do this with command:sed -e "s/CA_BUNDLE_PLACEHOLDER/$(base64 -w0 < cmd/cri-resmgr-webhook/server-crt.pem)/" \ -i cmd/cri-resmgr-webhook/mutating-webhook-config.yaml
Finally set up the webhook with these commands:
kubectl apply -f cmd/cri-resmgr-webhook/webhook-deployment.yaml kubectl wait --for=condition=Available -n cri-resmgr deployments/cri-resmgr-webhook kubectl apply -f cmd/cri-resmgr-webhook/mutating-webhook-config.yaml