Production-Grade Container Scheduling and Management
Kubernetes Submit Queue 4558e419bc
Merge pull request #62892 from liggitt/node-authorizer-index
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add index to node-authorizer for high cardinality vertices

follow-up to https://github.com/kubernetes/kubernetes/pull/62856#issuecomment-382788780

explores adding an index to high-cardinality vertices in the node authorizer to reduce CPU usage for high density namespaces

* first commit is a refactor only - cc @mtaufen 
* second commit adds an optional per-vertex index we can maintain when there are sufficient outgoing edges.

benchmark results:
* shared_secret_via_pod cases are ~1000x faster
* throughput on processing of graph modifications is 50% higher
* there is more variance on graph modifications requiring index updates (though the 100 index-impacting graph modifications per second might be a higher-than-realistic write rate)

data profile (5000 pods per namespace, assigned to 5000 nodes, shared service account and secret):
```
        opts := sampleDataOpts{
                // To simulate high replication in a small number of namespaces:
               nodes:       5000,
               namespaces:  10,
               podsPerNode: 10,
...
```

command:
```
$ go test ./plugin/pkg/auth/authorizer/node/  -bench Authorization  -benchmem -v 
```

before
```
BenchmarkAuthorization/allowed_node_configmap-8                                  557 ns/op   530 B/op   11 allocs/op   3000000
BenchmarkAuthorization/allowed_configmap-8                                       539 ns/op   530 B/op   11 allocs/op   3000000
BenchmarkAuthorization/allowed_secret_via_pod-8                                  605 ns/op   529 B/op   11 allocs/op   3000000
BenchmarkAuthorization/allowed_shared_secret_via_pod-8                        215974 ns/op   792 B/op   19 allocs/op      5000
BenchmarkAuthorization/disallowed_node_configmap-8                               823 ns/op   694 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_configmap-8                                    888 ns/op   691 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_secret_via_pod-8                               868 ns/op   694 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_shared_secret_via_pvc-8                       1216 ns/op   948 B/op   22 allocs/op   1000000
BenchmarkAuthorization/disallowed_pvc-8                                          918 ns/op   691 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_pv-8                                          1095 ns/op   839 B/op   19 allocs/op   2000000
BenchmarkAuthorization/disallowed_attachment_-_no_relationship-8                 867 ns/op   677 B/op   16 allocs/op   2000000
BenchmarkAuthorization/disallowed_attachment_-_feature_disabled-8                220 ns/op   208 B/op    2 allocs/op  10000000
BenchmarkAuthorization/allowed_attachment_-_feature_enabled-8                    687 ns/op   594 B/op   12 allocs/op   2000000
BenchmarkAuthorization/contentious_allowed_node_configmap-8                      656 ns/op   530 B/op   11 allocs/op   3000000
BenchmarkAuthorization/contentious_allowed_configmap-8                           659 ns/op   529 B/op   11 allocs/op   2000000
BenchmarkAuthorization/contentious_allowed_secret_via_pod-8                      654 ns/op   529 B/op   11 allocs/op   2000000
BenchmarkAuthorization/contentious_allowed_shared_secret_via_pod-8            234308 ns/op  1022 B/op   22 allocs/op      5000
BenchmarkAuthorization/contentious_disallowed_node_configmap-8                  1118 ns/op   692 B/op   17 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_configmap-8                       1054 ns/op   692 B/op   17 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_secret_via_pod-8                  1059 ns/op   691 B/op   17 allocs/op   2000000
BenchmarkAuthorization/contentious_disallowed_shared_secret_via_pvc-8           1403 ns/op   949 B/op   22 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_pvc-8                             1058 ns/op   692 B/op   17 allocs/op   2000000
BenchmarkAuthorization/contentious_disallowed_pv-8                              1237 ns/op   838 B/op   19 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_attachment_-_no_relationship-8    1022 ns/op   676 B/op   16 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_attachment_-_feature_disabled-8    260 ns/op   209 B/op    2 allocs/op   5000000
BenchmarkAuthorization/contentious_allowed_attachment_-_feature_enabled-8        793 ns/op   594 B/op   12 allocs/op   2000000
--- BENCH: BenchmarkAuthorization
   node_authorizer_test.go:596: graph modifications during non-contention test: 0
   node_authorizer_test.go:593: graph modifications during contention test: 961
   node_authorizer_test.go:594: <1ms=774, <10ms=32, <25ms=14, <50ms=29, <100ms=62, <250ms=46, <500ms=2, <1000ms=1, >1000ms=1
```

after
```
BenchmarkAuthorization/allowed_node_configmap-8                                  629 ns/op   530 B/op   11 allocs/op   3000000
BenchmarkAuthorization/allowed_configmap-8                                       641 ns/op   530 B/op   11 allocs/op   3000000
BenchmarkAuthorization/allowed_secret_via_pod-8                                  591 ns/op   530 B/op   11 allocs/op   3000000
BenchmarkAuthorization/allowed_shared_secret_via_pod-8                           217 ns/op   160 B/op    1 allocs/op  10000000
BenchmarkAuthorization/disallowed_node_configmap-8                               912 ns/op   693 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_configmap-8                                    913 ns/op   694 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_secret_via_pod-8                               881 ns/op   691 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_shared_secret_via_pvc-8                       1271 ns/op   952 B/op   22 allocs/op   1000000
BenchmarkAuthorization/disallowed_pvc-8                                          903 ns/op   694 B/op   17 allocs/op   2000000
BenchmarkAuthorization/disallowed_pv-8                                          1024 ns/op   836 B/op   19 allocs/op   1000000
BenchmarkAuthorization/disallowed_attachment_-_no_relationship-8                1187 ns/op   678 B/op   16 allocs/op   2000000
BenchmarkAuthorization/disallowed_attachment_-_feature_disabled-8                250 ns/op   209 B/op    2 allocs/op  10000000
BenchmarkAuthorization/allowed_attachment_-_feature_enabled-8                    694 ns/op   594 B/op   12 allocs/op   2000000
BenchmarkAuthorization/contentious_allowed_node_configmap-8                      732 ns/op   530 B/op   11 allocs/op   2000000
BenchmarkAuthorization/contentious_allowed_configmap-8                           820 ns/op   530 B/op   11 allocs/op   2000000
BenchmarkAuthorization/contentious_allowed_secret_via_pod-8                     1082 ns/op   531 B/op   11 allocs/op   1000000
BenchmarkAuthorization/contentious_allowed_shared_secret_via_pod-8               274 ns/op   160 B/op    1 allocs/op   5000000
BenchmarkAuthorization/contentious_disallowed_node_configmap-8                  1332 ns/op   693 B/op   17 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_configmap-8                       1534 ns/op   693 B/op   17 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_secret_via_pod-8                  1077 ns/op   692 B/op   17 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_shared_secret_via_pvc-8           1976 ns/op   949 B/op   22 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_pvc-8                             1297 ns/op   694 B/op   17 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_pv-8                              1632 ns/op   837 B/op   19 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_attachment_-_no_relationship-8    1394 ns/op   677 B/op   16 allocs/op   1000000
BenchmarkAuthorization/contentious_disallowed_attachment_-_feature_disabled-8    320 ns/op   209 B/op    2 allocs/op   5000000
BenchmarkAuthorization/contentious_allowed_attachment_-_feature_enabled-8       1055 ns/op   595 B/op   12 allocs/op   2000000
--- BENCH: BenchmarkAuthorization
    node_authorizer_test.go:629: graph modifications during non-contention test: 0
    node_authorizer_test.go:626: graph modifications during contention test: 1424
    node_authorizer_test.go:627: <1ms=0, <10ms=569, <25ms=340, <50ms=145, <100ms=101, <250ms=160, <500ms=61, <1000ms=42, >1000ms=6
```

```release-note
NONE
```
2018-05-02 18:54:46 -07:00
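
The per-vertex index the commit message describes, as an added example that is not the Kubernetes implementation: once a shared secret's vertex has enough pod edges it keeps a reference-counted map of destination nodes, so an authorization check is one lookup instead of a scan over every pod, and a node loses access when its last pod using the secret is removed. The `vertex` type, its methods and the `indexThreshold` value are assumptions made for illustration.

```go
package main

import "fmt"

const indexThreshold = 3 // assumed cutoff; the page says only "sufficient outgoing edges"

type vertex struct { // hypothetical vertex for one shared secret: secret -> pod -> node
	pods  map[string]string // pod -> node the pod is scheduled on
	index map[string]int    // node -> number of pods there using the secret; nil until built
}

// addPod adds an edge and builds or updates the index once the vertex is large enough.
func (v *vertex) addPod(pod, node string) {
	v.removePod(pod) // a pod seen again on another node must not leave a stale edge
	v.pods[pod] = node
	if v.index != nil {
		v.index[node]++
	} else if len(v.pods) >= indexThreshold {
		v.index = map[string]int{}
		for _, n := range v.pods {
			v.index[n]++
		}
	}
}

// removePod drops the edge and its index reference, so access ends with the node's last pod.
func (v *vertex) removePod(pod string) {
	if node, ok := v.pods[pod]; ok && v.index != nil {
		if v.index[node]--; v.index[node] == 0 {
			delete(v.index, node)
		}
	}
	delete(v.pods, pod)
}

// authorized reports whether node may read the secret and how many edges were examined.
func (v *vertex) authorized(node string) (allowed bool, examined int) {
	if v.index != nil {
		return v.index[node] > 0, 1
	}
	for _, n := range v.pods {
		if examined++; n == node {
			return true, examined
		}
	}
	return false, examined
}

func main() { fmt.Println((&vertex{pods: map[string]string{"p": "node-1"}}).authorized("node-1")) }
```

The reference count matters for correctness as much as speed: an index entry that outlives its edges would keep authorizing a node that no longer runs any pod using the secret.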
.github Merge pull request #62745 from cblecker/github-template-owners 2018-04-25 00:17:53 -07:00
api Merge pull request #62893 from hzxuzhonghu/mark-APIServiceSpec.CABundle-optional 2018-05-01 14:05:42 -07:00
build Merge pull request #63152 from mikedanese/break 2018-05-01 07:36:09 -07:00
cluster Merge pull request #63341 from wwwtyro/rye/arm64-microbot 2018-05-01 16:00:18 -07:00
cmd Revert "apiserver: change default reconciler to LeaseEndpoint" 2018-05-02 18:46:18 -04:00
docs Merge pull request #60741 from zlabjp/optional-subjects 2018-04-27 17:43:11 -07:00
Godeps Upgrade Azure Go SDK to v14.6.0 2018-04-26 09:38:48 +08:00
hack Merge pull request #62060 from WanLinghao/namespace_miss_fix 2018-05-02 18:04:06 -07:00
logo
pkg Merge pull request #62516 from nicksardo/expand-id 2018-05-02 18:12:06 -07:00
plugin Maintain index of high-cardinality edges in node authorizer graph 2018-05-02 16:05:28 -04:00
staging Decorator for Create should be called on out, not obj 2018-05-02 12:13:19 -04:00
test update restmapping to indicate fully qualified resource 2018-05-01 16:34:49 -04:00
third_party kazel: skip third_party/etcd.* 2018-04-11 16:46:36 -07:00
translations bazel: generate pkg/generated/bindata.go at build time 2018-04-25 09:44:22 -07:00
vendor Upgrade Azure Go SDK to v14.6.0 2018-04-26 09:38:48 +08:00
.bazelrc
.generated_files
.gitattributes Hide generated files only on github 2018-01-22 10:58:48 +01:00
.gitignore Remove pkg/generated/bindata.go from the repo 2018-04-25 09:44:22 -07:00
.kazelcfg.json
BUILD.bazel
CHANGELOG-1.2.md
CHANGELOG-1.3.md fix the format for github error 2018-01-31 14:49:29 +08:00
CHANGELOG-1.4.md fix the format for github error 2018-02-02 18:44:27 +08:00
CHANGELOG-1.5.md fix typo in kubeadm 2018-02-06 13:48:18 +08:00
CHANGELOG-1.6.md Fix typo 2018-02-01 19:11:19 +08:00
CHANGELOG-1.7.md Update CHANGELOG-1.7.md for v1.7.16. 2018-04-04 13:07:30 +00:00
CHANGELOG-1.8.md Update CHANGELOG-1.8.md for v1.8.12. 2018-04-23 21:14:13 -07:00
CHANGELOG-1.9.md Update CHANGELOG-1.9.md for v1.9.7. 2018-04-19 12:19:02 -04:00
CHANGELOG-1.10.md Merge pull request #61874 from Pingan2017/changelog1-10 2018-04-29 07:45:43 -07:00
CHANGELOG-1.11.md Update CHANGELOG-1.11.md for v1.11.0-alpha.2. 2018-05-02 15:47:30 +00:00
CHANGELOG.md Marks 1.10 as the current release 2018-03-26 17:08:54 -07:00
code-of-conduct.md
CONTRIBUTING.md
labels.yaml
LICENSE
Makefile
Makefile.generated_files
OWNERS root OWNERS: escape backslashes 2018-04-13 10:42:22 -07:00
OWNERS_ALIASES Add myself to sig-scheduling maintainers/approvers list. 2018-04-26 14:15:14 -04:00
README.md Update README.md 2018-02-11 04:34:01 +00:00
SUPPORT.md
WORKSPACE

Kubernetes



Kubernetes is an open source system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.

Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.

Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's involved and how Kubernetes plays a role, read the CNCF announcement.


To start using Kubernetes

See our documentation on kubernetes.io.

Try our interactive tutorial.

Take a free course on Scalable Microservices with Kubernetes.

To start developing Kubernetes

The community repository hosts all information about building Kubernetes from source, how to contribute code and documentation, who to contact about what, etc.

If you want to build Kubernetes right away there are two options:

You have a working Go environment.

```
$ go get -d k8s.io/kubernetes
$ cd $GOPATH/src/k8s.io/kubernetes
$ make
```

You have a working Docker environment.

```
$ git clone https://github.com/kubernetes/kubernetes
$ cd kubernetes
$ make quick-release
```

For the full story, head over to the developer's documentation.

Support

If you need support, start with the troubleshooting guide, and work your way through the process that we've outlined.

That said, if you have questions, reach out to us one way or another.
