Add namespace label selector

[W1seKappa]

Description

Added namespace label selector for filtering pods in the DefaultEvictor plugin.
This pull request was created to finalize the initiative from that pr1501

Checklist

Please ensure your pull request meets the following criteria before submitting
for review, these items will be used by reviewers to assess the quality and
completeness of your changes:

• Code Readability: Is the code easy to understand, well-structured, and consistent with project conventions?
• Naming Conventions: Are variable, function, and structs descriptive and consistent?
• Code Duplication: Is there any repeated code that should be refactored?
• Function/Method Size: Are functions/methods short and focused on a single task?
• Comments & Documentation: Are comments clear, useful, and not excessive? Were comments updated where necessary?
• Error Handling: Are errors handled appropriately ?
• Testing: Are there sufficient unit/integration tests?
• Performance: Are there any obvious performance issues or unnecessary computations?
• Dependencies: Are new dependencies justified ?
• Logging & Monitoring: Is logging used appropriately (not too verbose, not too silent)?
• Backward Compatibility: Does this change break any existing functionality or APIs?
• Resource Management: Are resources (files, connections, memory) managed and released properly?
• PR Description: Is the PR description clear, providing enough context and explaining the motivation for the change?
• Documentation & Changelog: Are README and docs updated if necessary?

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: W1seKappa / name: Danila Bobkov (37d0977, 4f37822, 66c86f8, 78df9cc)

[k8s-ci-robot]

Welcome @W1seKappa!

It looks like this is your first PR to kubernetes-sigs/descheduler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/descheduler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign damemi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @W1seKappa. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[W1seKappa]

@ingvagabund Hi, I'm happy to continue the discussion based on the initiative from this pr1501.

[ingvagabund]

I understand the idea here. If a namespace is matched by the label selector it's returned. If it is not an empty list is returned. I.e.:

• indexer.ByIndex(indexName, NSmatched) -> {NSmatched} // list with a single ns
• indexer.ByIndex(indexName, NSNotmatched) -> {} // empty list

On the other hand getNamespacesListByLabelSelector gives the belief all namespaces matching a label selector are returned. I.e. a label selector is the key, not a namespace. I.e.

• indexer.ByIndex(indexName, LS1) -> list of namespaces matching LS1
• ...
• indexer.ByIndex(indexName, LSN) -> list of namespaces matching LSN

Given each profile can have its own DefaultEvictor configuration with a different label selector the current global "namespaceWithLabelSelector" indexer will not work correctly as once the first indexer gets registered, any second attempt returns the first indexer. So the second label selector will get ignored and all DefaultEvictors will share the first label selector.

[ingvagabund]

@W1seKappa thank you for taking over. As the next step I suggest to create another unit test that have two profiles configured. Each with a different label selector and to make sure both evictors evict distinct set of namespaces to correctly validate the functionality. There's no need to create actual profiles. Just mimicking it through creating two default evictors over the same namespace informer.

[W1seKappa]

@ingvagabund Hello, I manually tested the functionality you mentioned. Indeed, it is currently not working correctly. I see two ways to solve this problem:

1. Create a separate index for each set of mathLabels.

namespaceLabelSelector:
    matchLabels:
            env: prod
            animal: cat

It will create its own index namespaceWithLabelSelector-animal=cat,env=prod.

namespaceLabelSelector:
    matchLabels:
         env: prod 

It will create its own index namespaceWithLabelSelector-env=prod.
This solution is currently implemented in the code. I understand the need for some optimizations, but I wanted to develop the core idea first.
2. Create an index for each pair in matchLabels.
These same configuration files will generate 3 indexes instead of 2:
namespaceWithLabelSelector-env=prod
namespaceWithLabelSelector-env=dev
namespaceWithLabelSelector-animal=cat

[ingvagabund]

One drawback of creating indexer for each defaultplugin/nslabelselector is the number of indexers will grow with each profile. In addition, #1499 is asking for the same. So each plugin will have its own indexer in general. With #1758 getting later extended as another increase.

In the worst case all ns label selectors will be different. Allowing each plugin to choose the indexer name may lead to name collisions. Luckily, the label selector plays no role in the naming as each plugin has a unique position in the configuration. To make the ns indexer registration collision free the framework itself can expose a new method for the registration.

E.g.

type Handle interface {
	...
	RegisterNSIndexer(indexer func(obj interface{}) ([]string, error)) error
	GetNSIndexer() (cache.Indexer, error)
	...
}

or similar construct. Each plugin is injected with a Handle instance. So the indexer name can get generated based on the profile/plugin configuration indices. E.g. "profile_idx_pluginname_idx_nslabelselector".

In the best case all the ns label selectors can be identical. So the framework could do some smart indexing of the label selectors. With a match expression as another way. Leaving admins to take the responsibility of making the label selectors/match expressions properly chosen. E.g. avoiding "env=prod,animal=cat" and "animal=cat,env=prod" case.

[ingvagabund]

An indexer is a nice way to quickly detect whether a namespace matches a label selector. With the current approach the indexer creates an optimal distribution of keys in a hash table. Either a namespace is matched (the ns has a hash key) or is not matched (the ns does not have a hash key). Trying to combine multiple label selectors into the same indexer would make the searching and updating less efficient.

[ingvagabund]

Note: right now the configuration offers only a global node selector. Yet, it's also a valid case to have two different profiles targeting two distinct node pools. So the concept of growing the number of indexers with the number of profiles spans beyond the namespace label selector.

[W1seKappa]

@ingvagabund, Hello!
If I understood correctly, at this stage it was necessary to add tests to this solution. I've done that.
Next, the indexing framework needs to be refactored. Right?
I would be happy to participate.

[ingvagabund]

/ok-to-test

[k8s-ci-robot]

@W1seKappa: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-descheduler-verify-master	78df9cc	link	true	/test pull-descheduler-verify-master

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[k8s-ci-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.