[release-1.9] Revert PR #2206 as it's not needed anymore (#2341) (#2347)

Remove the support of the kubevirt.io/cpu-limit-to-request-ratio and the kubevirt.io/memory-limit-to-request-ratio annotations, as this workaround does now work as expected. Revert PR #2206 as it's not needed anymore This is a manual cherry-pick of: #2341 Signed-off-by: Nahshon Unna Tsameret <[email protected]> Co-authored-by: Nahshon Unna Tsameret <[email protected]>
kubevirt · May 19, 2023 · 407576a · 407576a
1 parent 1a8b93a
commit 407576a
Show file tree

Hide file tree

Showing 10 changed files with 13 additions and 764 deletions.
diff --git a/deploy/cluster_role.yaml b/deploy/cluster_role.yaml
@@ -521,7 +521,6 @@ rules:
   - ""
   resources:
   - pods
-  - resourcequotas
   verbs:
   - get
   - list

diff --git a/...verged/1.9.0/manifests/kubevirt-hyperconverged-operator.v1.9.0.clusterserviceversion.yaml b/...verged/1.9.0/manifests/kubevirt-hyperconverged-operator.v1.9.0.clusterserviceversion.yaml
@@ -295,7 +295,6 @@ spec:
           - ""
           resources:
           - pods
-          - resourcequotas
           verbs:
           - get
           - list
@@ -3928,29 +3927,6 @@ spec:
     timeoutSeconds: 10
     type: MutatingAdmissionWebhook
     webhookPath: /mutate-ns-hco-kubevirt-io
-  - admissionReviewVersions:
-    - v1beta1
-    - v1
-    containerPort: 4343
-    deploymentName: hco-webhook
-    failurePolicy: Fail
-    generateName: mutate-virt-launcher-hco.kubevirt.io
-    objectSelector:
-      matchLabels:
-        kubevirt.io: virt-launcher
-    rules:
-    - apiGroups:
-      - ""
-      apiVersions:
-      - v1
-      operations:
-      - CREATE
-      resources:
-      - pods
-    sideEffects: NoneOnDryRun
-    timeoutSeconds: 10
-    type: MutatingAdmissionWebhook
-    webhookPath: /mutate-virt-launcher-hco-kubevirt-io
   - admissionReviewVersions:
     - v1beta1
     - v1

diff --git a/...verged/1.9.0/manifests/kubevirt-hyperconverged-operator.v1.9.0.clusterserviceversion.yaml b/...verged/1.9.0/manifests/kubevirt-hyperconverged-operator.v1.9.0.clusterserviceversion.yaml
@@ -9,7 +9,7 @@ metadata:
     certified: "false"
     console.openshift.io/disable-operand-delete: "true"
     containerImage: quay.io/kubevirt/hyperconverged-cluster-operator:1.9.0-unstable
-    createdAt: "2023-04-29 05:12:12"
+    createdAt: "2023-05-18 15:22:36"
     description: A unified operator deploying and controlling KubeVirt and its supporting
       operators with opinionated defaults
     operatorframework.io/initialization-resource: '{"apiVersion":"hco.kubevirt.io/v1beta1","kind":"HyperConverged","metadata":{"annotations":{"deployOVS":"false"},"name":"kubevirt-hyperconverged","namespace":"kubevirt-hyperconverged"},"spec":{}}'
@@ -295,7 +295,6 @@ spec:
           - ""
           resources:
           - pods
-          - resourcequotas
           verbs:
           - get
           - list
@@ -3928,29 +3927,6 @@ spec:
     timeoutSeconds: 10
     type: MutatingAdmissionWebhook
     webhookPath: /mutate-ns-hco-kubevirt-io
-  - admissionReviewVersions:
-    - v1beta1
-    - v1
-    containerPort: 4343
-    deploymentName: hco-webhook
-    failurePolicy: Fail
-    generateName: mutate-virt-launcher-hco.kubevirt.io
-    objectSelector:
-      matchLabels:
-        kubevirt.io: virt-launcher
-    rules:
-    - apiGroups:
-      - ""
-      apiVersions:
-      - v1
-      operations:
-      - CREATE
-      resources:
-      - pods
-    sideEffects: NoneOnDryRun
-    timeoutSeconds: 10
-    type: MutatingAdmissionWebhook
-    webhookPath: /mutate-virt-launcher-hco-kubevirt-io
   - admissionReviewVersions:
     - v1beta1
     - v1

diff --git a/deploy/webhooks.yaml b/deploy/webhooks.yaml
@@ -213,34 +213,6 @@ metadata:
   labels:
     name: hyperconverged-cluster-webhook
 webhooks:
-- name: mutate-virt-launcher-hco.kubevirt.io
-  admissionReviewVersions:
-  - v1beta1
-  - v1
-  clientConfig:
-    # caBundle: WILL BE INJECTED BY CERT-MANAGER BECAUSE OF THE ANNOTATION
-    service:
-      name: hyperconverged-cluster-webhook-service
-      namespace: kubevirt-hyperconverged
-      path: /mutate-virt-launcher-hco-kubevirt-io
-      port: 4343
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  objectSelector:
-    matchLabels:
-      kubevirt.io: virt-launcher
-  rules:
-  - apiGroups:
-    - ""
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    resources:
-    - pods
-    scope: '*'
-  sideEffects: None
-  timeoutSeconds: 30
 - name: mutate-hyperconverged-hco.kubevirt.io
   admissionReviewVersions:
   - v1beta1

diff --git a/docs/cluster-configuration.md b/docs/cluster-configuration.md
@@ -1094,76 +1094,3 @@ The `tuningPolicy` feature can be enabled using the following patch:
 ```bash
 kubectl patch -n kubevirt-hyperconverged hco kubevirt-hyperconverged --type=json -p='[{"op": "add", "path": "/spec/tuningPolicy", "value": "annotation"}]'
 ```
-
-## Enforce CPU/memory limits on namespaces with ResourceQuotas
-This mechanism allows to align Kubevirt `virt-launcher` Pods with ResourceQuotas that are applied to the
-namespace.
-
-As an example, let's say that we are creating Kubevirt's `examples/vmi-fedora.yaml`.
-
-When this VMI is created, the following `virt-launcher` pod is created (some details are omitted for simplicity):
-```yaml
-kind: Pod
-metadata:
-  name: virt-launcher-vmi-fedora-lzzn6
-  namespace: kubevirt-hyperconverged
-spec:
-  containers:
-    name: compute
-    resources:
-      limits:
-        devices.kubevirt.io/kvm: "1"
-        devices.kubevirt.io/tun: "1"
-        devices.kubevirt.io/vhost-net: "1"
-      requests:
-        cpu: 100m
-        devices.kubevirt.io/kvm: "1"
-        devices.kubevirt.io/tun: "1"
-        devices.kubevirt.io/vhost-net: "1"
-        ephemeral-storage: 50M
-        memory: "1279755392"
-```
-
-As can be seen, this `virt-launcher` has only CPU and memory requests - but not limits. This means that if this VMI is being created in a namespace that has a ResourceQuota defined in it - the virt-launcher Pod won't be able to start. This now can be solved using this feature.
-
-To enable this mechanism, first a ratio between memory/CPU limits to request needs to be defined as an annotation in HCO object:
-```yaml
-kind: HyperConverged
-metadata:
-  annotations:
-    kubevirt.io/cpu-limit-to-request-ratio: "2"
-    kubevirt.io/memory-limit-to-request-ratio: "1.5"
-```
-
-In addition, a ResourceQuota needs to exist on the relevant namespace. As an example, it's possible to create the following object:
-```yaml
-apiVersion: v1
-kind: ResourceQuota
-metadata:
-  name: test-rq 
-spec:
-  hard:
-    limits.cpu: "200"
-    limits.memory: "2000G"
-```
-Please take into account that if a ResourceQuota only sets a limit on `limits.cpu` or `limits.memory`, then CPU/memory limits will be set accordingly. If multiple ResourceQuota exist within the relevant namespace, it takes only one of then to limit CPU/memory limits in order to enforce these limits.
-
-When these annotations are enabled along with a ResourceQuota object, a mutating webhook that's targeted to virt-launcher pods will enforce limits on the pod. It would now look like the following:
-```yaml
-    resources:
-      limits:
-        cpu: 200m
-        devices.kubevirt.io/kvm: "1"
-        devices.kubevirt.io/tun: "1"
-        devices.kubevirt.io/vhost-net: "1"
-        memory: "1919633088"
-      requests:
-        cpu: 100m
-        devices.kubevirt.io/kvm: "1"
-        devices.kubevirt.io/tun: "1"
-        devices.kubevirt.io/vhost-net: "1"
-        ephemeral-storage: 50M
-        memory: "1279755392"
-```
-
-Bear in mind that if the limit is already set, HCO will not fix it according to the annotations.
diff --git a/pkg/components/components.go b/pkg/components/components.go
@@ -471,7 +471,7 @@ func GetClusterPermissions() []rbacv1.PolicyRule {
 		roleWithAllPermissions("", stringListToSlice("services")),
 		{
 			APIGroups: emptyAPIGroup,
-			Resources: stringListToSlice("pods", "resourcequotas"),
+			Resources: stringListToSlice("pods"),
 			Verbs:     stringListToSlice("get", "list", "watch"),
 		},
 		{
@@ -809,33 +809,6 @@ func GetCSVBase(params *CSVBaseParams) *csvv1alpha1.ClusterServiceVersion {
 		WebhookPath: pointer.String(util.HCONSWebhookPath),
 	}
 
-	mutatingVirtLauncherWebhook := csvv1alpha1.WebhookDescription{
-		GenerateName:            util.HcoMutatingWebhookVirtLauncher,
-		Type:                    csvv1alpha1.MutatingAdmissionWebhook,
-		DeploymentName:          hcoWhDeploymentName,
-		ContainerPort:           util.WebhookPort,
-		AdmissionReviewVersions: stringListToSlice("v1beta1", "v1"),
-		SideEffects:             &mutatingWebhookSideEffects,
-		FailurePolicy:           &failurePolicy,
-		TimeoutSeconds:          &webhookTimeout,
-		ObjectSelector: &metav1.LabelSelector{
-			MatchLabels: map[string]string{"kubevirt.io": "virt-launcher"},
-		},
-		Rules: []admissionregistrationv1.RuleWithOperations{
-			{
-				Operations: []admissionregistrationv1.OperationType{
-					admissionregistrationv1.Create,
-				},
-				Rule: admissionregistrationv1.Rule{
-					APIGroups:   []string{""},
-					APIVersions: stringListToSlice("v1"),
-					Resources:   stringListToSlice("pods"),
-				},
-			},
-		},
-		WebhookPath: pointer.String(util.HCOVirtLauncherWebhookPath),
-	}
-
 	mutatingHyperConvergedWebhook := csvv1alpha1.WebhookDescription{
 		GenerateName:            util.HcoMutatingWebhookHyperConverged,
 		Type:                    csvv1alpha1.MutatingAdmissionWebhook,
@@ -953,7 +926,6 @@ func GetCSVBase(params *CSVBaseParams) *csvv1alpha1.ClusterServiceVersion {
 			WebhookDefinitions: []csvv1alpha1.WebhookDescription{
 				validatingWebhook,
 				mutatingNamespaceWebhook,
-				mutatingVirtLauncherWebhook,
 				mutatingHyperConvergedWebhook,
 			},
 			CustomResourceDefinitions: csvv1alpha1.CustomResourceDefinitions{

diff --git a/pkg/util/consts.go b/pkg/util/consts.go
@@ -17,7 +17,6 @@ const (
 	KvUiPluginImageEnvV              = "KV_CONSOLE_PLUGIN_IMAGE"
 	HcoValidatingWebhook             = "validate-hco.kubevirt.io"
 	HcoMutatingWebhookNS             = "mutate-ns-hco.kubevirt.io"
-	HcoMutatingWebhookVirtLauncher   = "mutate-virt-launcher-hco.kubevirt.io"
 	HcoMutatingWebhookHyperConverged = "mutate-hyperconverged-hco.kubevirt.io"
 	AppLabel                         = "app"
 	UndefinedNamespace               = ""
@@ -48,18 +47,17 @@ const (
 	PrometheusNSLabel = "openshift.io/cluster-monitoring"
 
 	// HyperConvergedName is the name of the HyperConverged resource that will be reconciled
-	HyperConvergedName               = "kubevirt-hyperconverged"
-	MetricsHost                      = "0.0.0.0"
-	MetricsPort                int32 = 8383
-	HealthProbeHost                  = "0.0.0.0"
-	HealthProbePort            int32 = 6060
-	ReadinessEndpointName            = "/readyz"
-	LivenessEndpointName             = "/livez"
-	HCOWebhookPath                   = "/validate-hco-kubevirt-io-v1beta1-hyperconverged"
-	HCOMutatingWebhookPath           = "/mutate-hco-kubevirt-io-v1beta1-hyperconverged"
-	HCONSWebhookPath                 = "/mutate-ns-hco-kubevirt-io"
-	HCOVirtLauncherWebhookPath       = "/mutate-virt-launcher-hco-kubevirt-io"
-	WebhookPort                      = 4343
+	HyperConvergedName           = "kubevirt-hyperconverged"
+	MetricsHost                  = "0.0.0.0"
+	MetricsPort            int32 = 8383
+	HealthProbeHost              = "0.0.0.0"
+	HealthProbePort        int32 = 6060
+	ReadinessEndpointName        = "/readyz"
+	LivenessEndpointName         = "/livez"
+	HCOWebhookPath               = "/validate-hco-kubevirt-io-v1beta1-hyperconverged"
+	HCOMutatingWebhookPath       = "/mutate-hco-kubevirt-io-v1beta1-hyperconverged"
+	HCONSWebhookPath             = "/mutate-ns-hco-kubevirt-io"
+	WebhookPort                  = 4343
 
 	WebhookCertName       = "apiserver.crt"
 	WebhookKeyName        = "apiserver.key"
-Original file line number
+Diff line change
@@ Expand Up / @@ -521,7 +521,6 @@ rules: @@
       - ""
       resources:
       - pods
-      - resourcequotas
       verbs:
       - get
       - list
@@ Expand Down @@