KEP-4793: Revise APF Default Configuration

[linxiulei]

• One-line PR description: Revise APF Default Configuration

• Issue link: Revise APF default configuration #4793

• Other comments:

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: linxiulei
Once this PR has been reviewed and has the lgtm label, please assign fedebongio for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-api-machinery/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[linxiulei]

/cc @MikeSpreitzer

[wojtek-t]

Just briefly skimmed through the proposal (without looking into PRR, upgrades, etc.)

[wojtek-t]

The KEP would benefit from a high-level description of how borrowing works. Basically to show that the nominal shares serve a bit like "starting values", but the system is not necessary trying to get to those values, but rather is accommodating to the incoming traffic.

Maybe even some simple example would be useful (that's probably true also for the generic APF documentation - many people are making false assumptions about how borrowing works... - @MikeSpreitzer )

[MikeSpreitzer]

@wojtek-t: I could submit an update to https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1040-priority-and-fairness/README.md; is that what you are suggesting? Or would it go somewhere in the website (https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ , or a new page?)?

[linxiulei]

Added description for APF and borrowing

[wojtek-t]

@MikeSpreitzer - I was thinking about the website - keps are for devs only and it would be useful for cluster administrators.
The example I was thinking about (although feel free to suggest other examples) was the following:

• let's say we have a default cluster configuration, no requests
• suddenly we start getting infinite (for some definitely of infinite :) ) number of requests in one of the PLs
• how the nominal shares for each PLs will be changing
• then those requests stop coming
• what will happen now?

@linxiulei - this description is generic enough that I don't think it brings much value currently...

[MikeSpreitzer]

https://github.com/kubernetes/api/blob/v0.31.0/flowcontrol/v1/types.go#L207 is the recommended way to say "match regardless of subject".

[linxiulei]

Thanks, I think only system:authenticated is needed here. Let catch-all handle system:unauthenticated

[MikeSpreitzer]

Maybe we want to put only Event creations in this jail? I am thinking of an admin who wants to debug something while the cluster is under extreme duress. Maybe also some kind(s) of monitoring?

[linxiulei]

Make sense to me. But I feel we need put all modification verbs here (i.e. create/update/delete), which should not be actions for an admin during extreme stress.

[linxiulei]

Why only those verbs?

@wojtek-t pls see comments here. I also added explanation to make it clear.

[wojtek-t]

@MikeSpreitzer - I was thinking about the website - keps are for devs only and it would be useful for cluster administrators.
The example I was thinking about (although feel free to suggest other examples) was the following:

• let's say we have a default cluster configuration, no requests
• suddenly we start getting infinite (for some definitely of infinite :) ) number of requests in one of the PLs
• how the nominal shares for each PLs will be changing
• then those requests stop coming
• what will happen now?

@linxiulei - this description is generic enough that I don't think it brings much value currently...

[wojtek-t]

Given that proposed borrowing limit is always "none" - I suggest removing this column completely.

Also, I suggest adding one more column being "guaranteed shares" (how many shares we will always have) [well, modulo exempt borrowing from others] so that we can see how that changes.

Also - provide a sum - whether it changes.

[linxiulei]

Done with merging and more columns.

Borrowing Limit is not none for Event because I want to avoid it borrowing too many and result in other PLs borrowing little. But a better solution is to have weighted borrowing.

[wojtek-t]

Most of components are still using core events.

[linxiulei]

Added, didn't know that. Should we just specify "*" here since the resource is "Event" already?

[wojtek-t]

I'm wondering if we shouldn't adjust things in a way that SUM remains the same as it was exactly.
In other words if we provide some shares for this PL, subtract it from somewhere else.

[wojtek-t]

Also - why these shares are guaranteed? You wrote explicitly that events are best-effort, so I would expect these shares to be fully lendable.

[linxiulei]

There are two things we can remain the same:

1. the guaranteed shares
2. the nominal shares

But we can't keep both the same. In current version, I tend to keep the guaranteed shares the same as suggested by @MikeSpreitzer because it's really difficult to not change nominal shares when we want to increase shares for more critical PLs while minimizing wastes. For example, we have to significant increase nominal shares for leader-election, to compensate this and keep the same SUM of all nominal shares, we have to more significantly reduce the nominal shares of less critical PLs such as workload-high/low (in current KEP they are already reduced significantly so little room to further reduce).

re: events, I simply copied catch-all as I think events should have minimal guarantee at least. But I don't have strong opinion on it.

[wojtek-t]

My main question that is not touched on in this KEP is: how are we going to test it/validate that we will not visibly break someone.

I can easily buy that there are cases where this configuration helps a lot.
But I don't know how we mitigate a negative impact on some other setups.

[linxiulei]

Good callout and this is very difficult as this KEP increases the SUM of nominal shares so it will definite dilute any custom APF configuration therefore visible user impacts.

I'm thinking out loud -- we can be only certain that it won't break k8s-promised scalability and performance characteristic (e.g. https://github.com/kubernetes/community/blob/master/sig-scalability/slos/slos.md) since there are tests to verify. Then we will be precautious on graduating this KEP to have user feedback to evaluate the risk of breaking existing configuration and provide mitigations. Though I admit that this is not ideal.

[wojtek-t]

since there are tests to verify.

Tests are never perfect.

Then we will be precautious on graduating this KEP to have user feedback to evaluate the risk of breaking existing configuration and provide mitigations. Though I admit that this is not ideal.

Up until this is enabled by default, noone uses it. If we enable it by default, it's too late, because we already break someone.
This is not a valid mitigation strategy....

[k8s-ci-robot]

@linxiulei: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-enhancements-verify	a927005	link	true	/test pull-enhancements-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.