Check OS for PodLevelResources in kubelet

Reject pods with PodLevelResources running on Windows nodes
at kubelet admission phase

Author: annasong20

pkg/kubelet/kubelet.go

@@ -1009,6 +1009,9 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 		// AppArmor is a Linux kernel security module and it does not support other operating systems.
 		klet.appArmorValidator = apparmor.NewValidator()
 		handlers = append(handlers, lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
+	} else if goos == "windows" {
+		// PodLevelResources feature is not supported for Windows
+		handlers = append(handlers, lifecycle.NewPodLevelResourcesHandler())
 	}
 
 	leaseDuration := time.Duration(kubeCfg.NodeLeaseDurationSeconds) * time.Second

pkg/kubelet/kubelet_test.go

@@ -3373,6 +3373,15 @@ func TestRecordAdmissionRejection(t *testing.T) {
                 kubelet_admission_rejections_total{reason="OutOfExtendedResources"} 1
             `,
 		},
+		{
+			name:   "PodLevelResources",
+			reason: lifecycle.PodLevelResourcesNotAdmittedReason,
+			wants: `
+				# HELP kubelet_admission_rejections_total [ALPHA] Cumulative number pod admission rejections by the Kubelet.
+				# TYPE kubelet_admission_rejections_total counter
+				kubelet_admission_rejections_total{reason="PodLevelResourcesNotSupported"} 1
+			`,
+		},
 		{
 			name:   "OtherReason",
 			reason: "OtherReason",

pkg/kubelet/lifecycle/handlers.go

@@ -32,6 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/component-helpers/resource"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
@@ -45,7 +46,8 @@ import (
 const (
 	maxRespBodyLength = 10 * 1 << 10 // 10KB
 
-	AppArmorNotAdmittedReason = "AppArmor"
+	AppArmorNotAdmittedReason          = "AppArmor"
+	PodLevelResourcesNotAdmittedReason = "PodLevelResourcesNotSupported"
 )
 
 type handlerRunner struct {
@@ -241,3 +243,23 @@ func isHTTPResponseError(err error) bool {
 	}
 	return strings.Contains(urlErr.Err.Error(), "server gave HTTP response to HTTPS client")
 }
+
+// NewPodLevelResourcesHandler returns a PodAdmitHandler which is used to evaluate
+// if a pod can be admitted from the perspective of PodLevelResources.
+func NewPodLevelResourcesHandler() PodAdmitHandler {
+	return &podLevelResourcesHandler{}
+}
+
+type podLevelResourcesHandler struct{}
+
+func (ph *podLevelResourcesHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
+	podLevelResourcesEnabled := utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources)
+	if podLevelResourcesEnabled && resource.IsPodLevelResourcesSet(attrs.Pod) {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  PodLevelResourcesNotAdmittedReason,
+			Message: "Pod level resources are not supported on Windows",
+		}
+	}
+	return PodAdmitResult{Admit: true}
+}

pkg/kubelet/lifecycle/handlers_test.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -876,3 +877,73 @@ func TestRunSleepHandler(t *testing.T) {
 		})
 	}
 }
+
+func TestPodLevelResourcesOnWindowsHandler(t *testing.T) {
+	handlerRunner := NewPodLevelResourcesHandler()
+	pod := v1.Pod{}
+	pod.ObjectMeta.Name = "windowsPod"
+
+	deniedPodAdmitResult := PodAdmitResult{
+		Admit:   false,
+		Reason:  PodLevelResourcesNotAdmittedReason,
+		Message: "Pod level resources are not supported on Windows",
+	}
+
+	tests := []struct {
+		name                 string
+		podLevelResources    *v1.ResourceRequirements
+		expectPodAdmitResult PodAdmitResult
+	}{
+		{
+			name:                 "no pod level resources",
+			expectPodAdmitResult: PodAdmitResult{Admit: true},
+		},
+		{
+			name: "pod level resources",
+			podLevelResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("100m"),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("200m"),
+					v1.ResourceMemory: resource.MustParse("200Mi"),
+				},
+			},
+			expectPodAdmitResult: deniedPodAdmitResult,
+		},
+		{
+			name: "pod level resources with no limits",
+			podLevelResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("100m"),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+			},
+			expectPodAdmitResult: deniedPodAdmitResult,
+		},
+		{
+			name: "pod level resources with no requests",
+			podLevelResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("200m"),
+					v1.ResourceMemory: resource.MustParse("200Mi"),
+				},
+			},
+			expectPodAdmitResult: deniedPodAdmitResult,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodLevelResources, true)
+			pod.Spec.Resources = nil
+			if tt.podLevelResources != nil {
+				pod.Spec.Resources = tt.podLevelResources
+			}
+			if got := handlerRunner.Admit(&PodAdmitAttributes{Pod: &pod}); !reflect.DeepEqual(got, tt.expectPodAdmitResult) {
+				t.Errorf("Pod admitted: expected %v, got %v", tt.expectPodAdmitResult, got)
+			}
+		})
+	}
+}