non-preempting-priorityclass

Co-authored-by: Vallery Lancey <vallery@zeitgeistlabs.io> Co-authored-by: Tan shanshan <tan.shanshan@zte.com.cn>
2025-09-26 04:36:00 +00:00 · 2019-04-03 01:34:51 +08:00
parent cf76868b34
commit 5c9438c691
77 changed files with 1541 additions and 896 deletions
--- a/plugin/pkg/admission/priority/admission.go
+++ b/plugin/pkg/admission/priority/admission.go
@@ -179,6 +179,7 @@ func (p *priorityPlugin) admitPod(a admission.Attributes) error {

 	if operation == admission.Create {
 		var priority int32
+		var preempting *bool
 		// TODO: @ravig - This is for backwards compatibility to ensure that critical pods with annotations just work fine.
 		// Remove when no longer needed.
 		if len(pod.Spec.PriorityClassName) == 0 &&
@@ -189,7 +190,7 @@ func (p *priorityPlugin) admitPod(a admission.Attributes) error {
 		if len(pod.Spec.PriorityClassName) == 0 {
 			var err error
 			var pcName string
-			pcName, priority, err = p.getDefaultPriority()
+			pcName, priority, preempting, err = p.getDefaultPriority()
 			if err != nil {
 				return fmt.Errorf("failed to get default priority class: %v", err)
 			}
@@ -211,12 +212,14 @@ func (p *priorityPlugin) admitPod(a admission.Attributes) error {
 			}

 			priority = pc.Value
+			preempting = pc.Preempting
 		}
 		// if the pod contained a priority that differs from the one computed from the priority class, error
 		if pod.Spec.Priority != nil && *pod.Spec.Priority != priority {
 			return admission.NewForbidden(a, fmt.Errorf("the integer value of priority (%d) must not be provided in pod spec; priority admission controller computed %d from the given PriorityClass name", *pod.Spec.Priority, priority))
 		}
 		pod.Spec.Priority = &priority
+		pod.Spec.Preempting = preempting
 	}
 	return nil
 }
@@ -262,14 +265,15 @@ func (p *priorityPlugin) getDefaultPriorityClass() (*schedulingv1.PriorityClass,
 	return defaultPC, nil
 }

-func (p *priorityPlugin) getDefaultPriority() (string, int32, error) {
+func (p *priorityPlugin) getDefaultPriority() (string, int32, *bool, error) {
 	dpc, err := p.getDefaultPriorityClass()
 	if err != nil {
-		return "", 0, err
+		return "", 0, nil, err
 	}
 	if dpc != nil {
-		return dpc.Name, dpc.Value, nil
+		return dpc.Name, dpc.Value, dpc.Preempting, nil
 	}
+	preempting := true

-	return "", int32(scheduling.DefaultPriorityWhenNoDefaultClassExists), nil
+	return "", int32(scheduling.DefaultPriorityWhenNoDefaultClassExists), &preempting, nil
 }
--- a/plugin/pkg/admission/priority/admission_test.go
+++ b/plugin/pkg/admission/priority/admission_test.go
@@ -246,7 +246,7 @@ func TestDefaultPriority(t *testing.T) {
 		if err := addPriorityClasses(ctrl, test.classesBefore); err != nil {
 			t.Errorf("Test %q: unable to add object to informer: %v", test.name, err)
 		}
-		pcName, defaultPriority, err := ctrl.getDefaultPriority()
+		pcName, defaultPriority, _, err := ctrl.getDefaultPriority()
 		if err != nil {
 			t.Errorf("Test %q: unexpected error while getting default priority: %v", test.name, err)
 		}
@@ -264,7 +264,7 @@ func TestDefaultPriority(t *testing.T) {
 		if err := addPriorityClasses(ctrl, test.classesAfter); err != nil {
 			t.Errorf("Test %q: unable to add object to informer: %v", test.name, err)
 		}
-		pcName, defaultPriority, err = ctrl.getDefaultPriority()
+		pcName, defaultPriority, _, err = ctrl.getDefaultPriority()
 		if err != nil {
 			t.Errorf("Test %q: unexpected error while getting default priority: %v", test.name, err)
 		}
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -48,6 +48,7 @@ const (
 	extensionsGroup     = "extensions"
 	policyGroup         = "policy"
 	rbacGroup           = "rbac.authorization.k8s.io"
+	schedulingGroup     = "scheduling.k8s.io"
 	storageGroup        = "storage.k8s.io"
 	resMetricsGroup     = "metrics.k8s.io"
 	customMetricsGroup  = "custom.metrics.k8s.io"
@@ -442,6 +443,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 				// Needed to check API access.  These creates are non-mutating
 				rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
 				rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
+				rbacv1helpers.NewRule(Read...).Groups(schedulingGroup).Resources("priorityclasses").RuleOrDie(),
 			},
 		},
 		{
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -801,6 +801,14 @@ items:
    - subjectaccessreviews
    verbs:
    - create
+  - apiGroups:
+    - scheduling.k8s.io
+    resources:
+    - priorityclasses
+    verbs:
+    - get
+    - list
+    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata: