/* Copyright 2015 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package scheduling import ( "context" "encoding/json" "fmt" "reflect" "strconv" "time" v1 "k8s.io/api/core/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" utilrand "k8s.io/apimachinery/pkg/util/rand" "k8s.io/apimachinery/pkg/util/uuid" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/tools/cache" watchtools "k8s.io/client-go/tools/watch" "k8s.io/kubernetes/test/e2e/framework" e2eservice "k8s.io/kubernetes/test/e2e/framework/service" imageutils "k8s.io/kubernetes/test/utils/image" admissionapi "k8s.io/pod-security-admission/api" "github.com/onsi/ginkgo/v2" "github.com/onsi/gomega" ) const ( podName = "pfpod" ) var _ = SIGDescribe("LimitRange", func() { f := framework.NewDefaultFramework("limitrange") f.NamespacePodSecurityLevel = admissionapi.LevelBaseline /* Release: v1.18 Testname: LimitRange, resources Description: Creating a Limitrange and verifying the creation of Limitrange, updating the Limitrange and validating the Limitrange. Creating Pods with resources and validate the pod resources are applied to the Limitrange */ framework.ConformanceIt("should create a LimitRange with defaults and ensure pod has those defaults applied.", func(ctx context.Context) { ginkgo.By("Creating a LimitRange") min := getResourceList("50m", "100Mi", "100Gi") max := getResourceList("500m", "500Mi", "500Gi") defaultLimit := getResourceList("500m", "500Mi", "500Gi") defaultRequest := getResourceList("100m", "200Mi", "200Gi") maxLimitRequestRatio := v1.ResourceList{} value := strconv.Itoa(time.Now().Nanosecond()) + string(uuid.NewUUID()) limitRange := newLimitRange("limit-range", value, v1.LimitTypeContainer, min, max, defaultLimit, defaultRequest, maxLimitRequestRatio) ginkgo.By("Setting up watch") selector := labels.SelectorFromSet(labels.Set(map[string]string{"time": value})) options := metav1.ListOptions{LabelSelector: selector.String()} limitRanges, err := f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).List(ctx, options) framework.ExpectNoError(err, "failed to query for limitRanges") gomega.Expect(limitRanges.Items).To(gomega.BeEmpty()) lw := &cache.ListWatch{ ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { options.LabelSelector = selector.String() limitRanges, err := f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).List(ctx, options) return limitRanges, err }, WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { options.LabelSelector = selector.String() return f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Watch(ctx, options) }, } _, informer, w, _ := watchtools.NewIndexerInformerWatcher(lw, &v1.LimitRange{}) defer w.Stop() timeoutCtx, cancel := context.WithTimeout(ctx, wait.ForeverTestTimeout) defer cancel() if !cache.WaitForCacheSync(timeoutCtx.Done(), informer.HasSynced) { framework.Failf("Timeout while waiting for LimitRange informer to sync") } ginkgo.By("Submitting a LimitRange") limitRange, err = f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Create(ctx, limitRange, metav1.CreateOptions{}) framework.ExpectNoError(err) ginkgo.By("Verifying LimitRange creation was observed") select { case event, _ := <-w.ResultChan(): if event.Type != watch.Added { framework.Failf("Failed to observe limitRange creation : %v", event) } case <-time.After(e2eservice.RespondingTimeout): framework.Failf("Timeout while waiting for LimitRange creation") } ginkgo.By("Fetching the LimitRange to ensure it has proper values") limitRange, err = f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Get(ctx, limitRange.Name, metav1.GetOptions{}) framework.ExpectNoError(err) expected := v1.ResourceRequirements{Requests: defaultRequest, Limits: defaultLimit} actual := v1.ResourceRequirements{Requests: limitRange.Spec.Limits[0].DefaultRequest, Limits: limitRange.Spec.Limits[0].Default} err = equalResourceRequirement(expected, actual) framework.ExpectNoError(err) ginkgo.By("Creating a Pod with no resource requirements") pod := newTestPod("pod-no-resources", v1.ResourceList{}, v1.ResourceList{}) pod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) framework.ExpectNoError(err) ginkgo.By("Ensuring Pod has resource requirements applied from LimitRange") pod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(ctx, pod.Name, metav1.GetOptions{}) framework.ExpectNoError(err) for i := range pod.Spec.Containers { err = equalResourceRequirement(expected, pod.Spec.Containers[i].Resources) if err != nil { // Print the pod to help in debugging. framework.Logf("Pod %+v does not have the expected requirements", pod) framework.ExpectNoError(err) } } ginkgo.By("Creating a Pod with partial resource requirements") pod = newTestPod("pod-partial-resources", getResourceList("", "150Mi", "150Gi"), getResourceList("300m", "", "")) pod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) framework.ExpectNoError(err) ginkgo.By("Ensuring Pod has merged resource requirements applied from LimitRange") pod, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(ctx, pod.Name, metav1.GetOptions{}) framework.ExpectNoError(err) // This is an interesting case, so it's worth a comment // If you specify a Limit, and no Request, the Limit will default to the Request // This means that the LimitRange.DefaultRequest will ONLY take affect if a container.resources.limit is not supplied expected = v1.ResourceRequirements{Requests: getResourceList("300m", "150Mi", "150Gi"), Limits: getResourceList("300m", "500Mi", "500Gi")} for i := range pod.Spec.Containers { err = equalResourceRequirement(expected, pod.Spec.Containers[i].Resources) if err != nil { // Print the pod to help in debugging. framework.Logf("Pod %+v does not have the expected requirements", pod) framework.ExpectNoError(err) } } ginkgo.By("Failing to create a Pod with less than min resources") pod = newTestPod(podName, getResourceList("10m", "50Mi", "50Gi"), v1.ResourceList{}) _, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred()) ginkgo.By("Failing to create a Pod with more than max resources") pod = newTestPod(podName, getResourceList("600m", "600Mi", "600Gi"), v1.ResourceList{}) _, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred()) ginkgo.By("Updating a LimitRange") newMin := getResourceList("9m", "49Mi", "49Gi") limitRange.Spec.Limits[0].Min = newMin limitRange, err = f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Update(ctx, limitRange, metav1.UpdateOptions{}) framework.ExpectNoError(err) ginkgo.By("Verifying LimitRange updating is effective") err = wait.PollUntilContextTimeout(ctx, time.Second*2, time.Second*20, false, func(ctx context.Context) (bool, error) { limitRange, err = f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Get(ctx, limitRange.Name, metav1.GetOptions{}) framework.ExpectNoError(err) return reflect.DeepEqual(limitRange.Spec.Limits[0].Min, newMin), nil }) framework.ExpectNoError(err) ginkgo.By("Creating a Pod with less than former min resources") pod = newTestPod(podName, getResourceList("10m", "50Mi", "50Gi"), v1.ResourceList{}) _, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) framework.ExpectNoError(err) ginkgo.By("Failing to create a Pod with more than max resources") pod = newTestPod(podName, getResourceList("600m", "600Mi", "600Gi"), v1.ResourceList{}) _, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) gomega.Expect(err).To(gomega.HaveOccurred()) ginkgo.By("Deleting a LimitRange") err = f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Delete(ctx, limitRange.Name, *metav1.NewDeleteOptions(30)) framework.ExpectNoError(err) ginkgo.By("Verifying the LimitRange was deleted") err = wait.PollUntilContextTimeout(ctx, time.Second*5, e2eservice.RespondingTimeout, false, func(ctx context.Context) (bool, error) { limitRanges, err := f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).List(ctx, metav1.ListOptions{}) if err != nil { framework.Logf("Unable to retrieve LimitRanges: %v", err) return false, nil } if len(limitRanges.Items) == 0 { framework.Logf("limitRange is already deleted") return true, nil } for i := range limitRanges.Items { lr := limitRanges.Items[i] framework.Logf("LimitRange %v/%v has not yet been deleted", lr.Namespace, lr.Name) } return false, nil }) framework.ExpectNoError(err) ginkgo.By("Creating a Pod with more than former max resources") pod = newTestPod(podName+"2", getResourceList("600m", "600Mi", "600Gi"), v1.ResourceList{}) // When the LimitRanger admission plugin find 0 items from the LimitRange informer cache, // it will try to lookup LimitRanges from the local LiveLookupCache which liveTTL is 30s. // If a LimitRange was deleted from the apiserver, informer watch the delete event and then // handle it lead to the informer cache doesn't have any other items, but the local LiveLookupCache // has it and not expired at the same time, the LimitRanger admission plugin will use the // deleted LimitRange to validate the request. So the request will be rejected by the plugin // till the item is expired. // // With the following retry, we can make sure the item is expired and the request will be // validated as expected. err = framework.Gomega().Eventually(ctx, func(ctx context.Context) error { _, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{}) return err }).WithPolling(5 * time.Second).WithTimeout(30 * time.Second).ShouldNot(gomega.HaveOccurred()) framework.ExpectNoError(err) }) /* Release: v1.26 Testname: LimitRange, list, patch and delete a LimitRange by collection Description: When two limitRanges are created in different namespaces, both MUST succeed. Listing limitRanges across all namespaces with a labelSelector MUST find both limitRanges. When patching the first limitRange it MUST succeed and the fields MUST equal the new values. When deleting the limitRange by collection with a labelSelector it MUST delete only one limitRange. */ framework.ConformanceIt("should list, patch and delete a LimitRange by collection", ginkgo.NodeTimeout(wait.ForeverTestTimeout), func(ctx context.Context) { ns := f.Namespace.Name lrClient := f.ClientSet.CoreV1().LimitRanges(ns) lrName := "e2e-limitrange-" + utilrand.String(5) e2eLabelSelector := "e2e-test=" + lrName patchedLabelSelector := lrName + "=patched" min := getResourceList("50m", "100Mi", "100Gi") max := getResourceList("500m", "500Mi", "500Gi") defaultLimit := getResourceList("500m", "500Mi", "500Gi") defaultRequest := getResourceList("100m", "200Mi", "200Gi") maxLimitRequestRatio := v1.ResourceList{} limitRange := &v1.LimitRange{ ObjectMeta: metav1.ObjectMeta{ Name: lrName, Labels: map[string]string{ "e2e-test": lrName, lrName: "created", }, }, Spec: v1.LimitRangeSpec{ Limits: []v1.LimitRangeItem{ { Type: v1.LimitTypeContainer, Min: min, Max: max, Default: defaultLimit, DefaultRequest: defaultRequest, MaxLimitRequestRatio: maxLimitRequestRatio, }, }, }, } // Create a copy to be used in a second namespace limitRange2 := &v1.LimitRange{} *limitRange2 = *limitRange ginkgo.By(fmt.Sprintf("Creating LimitRange %q in namespace %q", lrName, f.Namespace.Name)) limitRange, err := lrClient.Create(ctx, limitRange, metav1.CreateOptions{}) framework.ExpectNoError(err, "Failed to create limitRange %q", lrName) ginkgo.By("Creating another limitRange in another namespace") lrNamespace, err := f.CreateNamespace(ctx, lrName, nil) framework.ExpectNoError(err, "failed creating Namespace") framework.Logf("Namespace %q created", lrNamespace.ObjectMeta.Name) framework.Logf(fmt.Sprintf("Creating LimitRange %q in namespace %q", lrName, lrNamespace.Name)) _, err = f.ClientSet.CoreV1().LimitRanges(lrNamespace.ObjectMeta.Name).Create(ctx, limitRange2, metav1.CreateOptions{}) framework.ExpectNoError(err, "Failed to create limitRange %q in %q namespace", lrName, lrNamespace.ObjectMeta.Name) // Listing across all namespaces to verify api endpoint: listCoreV1LimitRangeForAllNamespaces ginkgo.By(fmt.Sprintf("Listing all LimitRanges with label %q", e2eLabelSelector)) limitRangeList, err := f.ClientSet.CoreV1().LimitRanges("").List(ctx, metav1.ListOptions{LabelSelector: e2eLabelSelector}) framework.ExpectNoError(err, "Failed to list any limitRanges: %v", err) gomega.Expect(limitRangeList.Items).To(gomega.HaveLen(2), "Failed to find the correct limitRange count") framework.Logf("Found %d limitRanges", len(limitRangeList.Items)) ginkgo.By(fmt.Sprintf("Patching LimitRange %q in %q namespace", lrName, ns)) newMin := getResourceList("9m", "49Mi", "49Gi") limitRange.Spec.Limits[0].Min = newMin limitRangePayload, err := json.Marshal(v1.LimitRange{ ObjectMeta: metav1.ObjectMeta{ CreationTimestamp: limitRange.CreationTimestamp, Labels: map[string]string{ lrName: "patched", }, }, Spec: v1.LimitRangeSpec{ Limits: limitRange.Spec.Limits, }, }) framework.ExpectNoError(err, "Failed to marshal limitRange JSON") patchedLimitRange, err := lrClient.Patch(ctx, lrName, types.StrategicMergePatchType, []byte(limitRangePayload), metav1.PatchOptions{}) framework.ExpectNoError(err, "Failed to patch limitRange %q", lrName) gomega.Expect(patchedLimitRange.Labels[lrName]).To(gomega.Equal("patched"), "%q label didn't have value 'patched' for this limitRange. Current labels: %v", lrName, patchedLimitRange.Labels) checkMinLimitRange := apiequality.Semantic.DeepEqual(patchedLimitRange.Spec.Limits[0].Min, newMin) if !checkMinLimitRange { framework.Failf("LimitRange does not have the correct min limitRange. Currently is %#v ", patchedLimitRange.Spec.Limits[0].Min) } framework.Logf("LimitRange %q has been patched", lrName) ginkgo.By(fmt.Sprintf("Delete LimitRange %q by Collection with labelSelector: %q", lrName, patchedLabelSelector)) err = lrClient.DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: patchedLabelSelector}) framework.ExpectNoError(err, "failed to delete the LimitRange by Collection") ginkgo.By(fmt.Sprintf("Confirm that the limitRange %q has been deleted", lrName)) err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 10*time.Second, true, checkLimitRangeListQuantity(f, patchedLabelSelector, 0)) framework.ExpectNoError(err, "failed to count the required limitRanges") framework.Logf("LimitRange %q has been deleted.", lrName) ginkgo.By(fmt.Sprintf("Confirm that a single LimitRange still exists with label %q", e2eLabelSelector)) limitRangeList, err = f.ClientSet.CoreV1().LimitRanges("").List(ctx, metav1.ListOptions{LabelSelector: e2eLabelSelector}) framework.ExpectNoError(err, "Failed to list any limitRanges: %v", err) gomega.Expect(limitRangeList.Items).To(gomega.HaveLen(1), "Failed to find the correct limitRange count") framework.Logf("Found %d limitRange", len(limitRangeList.Items)) }) }) func equalResourceRequirement(expected v1.ResourceRequirements, actual v1.ResourceRequirements) error { framework.Logf("Verifying requests: expected %v with actual %v", expected.Requests, actual.Requests) err := equalResourceList(expected.Requests, actual.Requests) if err != nil { return err } framework.Logf("Verifying limits: expected %v with actual %v", expected.Limits, actual.Limits) err = equalResourceList(expected.Limits, actual.Limits) return err } func equalResourceList(expected v1.ResourceList, actual v1.ResourceList) error { for k, v := range expected { if actualValue, found := actual[k]; !found || (v.Cmp(actualValue) != 0) { return fmt.Errorf("resource %v expected %v actual %v", k, v.String(), actualValue.String()) } } for k, v := range actual { if expectedValue, found := expected[k]; !found || (v.Cmp(expectedValue) != 0) { return fmt.Errorf("resource %v expected %v actual %v", k, expectedValue.String(), v.String()) } } return nil } func getResourceList(cpu, memory string, ephemeralStorage string) v1.ResourceList { res := v1.ResourceList{} if cpu != "" { res[v1.ResourceCPU] = resource.MustParse(cpu) } if memory != "" { res[v1.ResourceMemory] = resource.MustParse(memory) } if ephemeralStorage != "" { res[v1.ResourceEphemeralStorage] = resource.MustParse(ephemeralStorage) } return res } // newLimitRange returns a limit range with specified data func newLimitRange(name, value string, limitType v1.LimitType, min, max, defaultLimit, defaultRequest, maxLimitRequestRatio v1.ResourceList) *v1.LimitRange { return &v1.LimitRange{ ObjectMeta: metav1.ObjectMeta{ Name: name, Labels: map[string]string{ "time": value, }, }, Spec: v1.LimitRangeSpec{ Limits: []v1.LimitRangeItem{ { Type: limitType, Min: min, Max: max, Default: defaultLimit, DefaultRequest: defaultRequest, MaxLimitRequestRatio: maxLimitRequestRatio, }, }, }, } } // newTestPod returns a pod that has the specified requests and limits func newTestPod(name string, requests v1.ResourceList, limits v1.ResourceList) *v1.Pod { return &v1.Pod{ ObjectMeta: metav1.ObjectMeta{ Name: name, }, Spec: v1.PodSpec{ Containers: []v1.Container{ { Name: "pause", Image: imageutils.GetPauseImageName(), Resources: v1.ResourceRequirements{ Requests: requests, Limits: limits, }, }, }, }, } } func checkLimitRangeListQuantity(f *framework.Framework, label string, quantity int) func(ctx context.Context) (bool, error) { return func(ctx context.Context) (bool, error) { framework.Logf("Requesting list of LimitRange to confirm quantity") list, err := f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).List(ctx, metav1.ListOptions{LabelSelector: label}) if err != nil { return false, err } if len(list.Items) != quantity { return false, nil } framework.Logf("Found %d LimitRange with label %q", quantity, label) return true, nil } }