Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1914005

Summary: OpenShift 4 : Limit ranges are being applied with cpu-cfs-quota set to false
Product: OpenShift Container Platform Reporter: Novonil Choudhuri <nchoudhu>
Component: DocumentationAssignee: Michael Burke <mburke>
Status: CLOSED CURRENTRELEASE QA Contact: Weinan Liu <weinliu>
Severity: medium Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified    
Version: 4.5CC: aos-bugs, bsmitley, harpatil, jokerman, mburke, pehunt, rphillips, tmanor, tsweeney, weinliu
Target Milestone: ---Keywords: UpcomingSprint
Target Release: 4.8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-01 21:30:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Novonil Choudhuri 2021-01-07 23:36:59 UTC 
Description of problem: Even after applying cpu-cfs-quota limit ranges are getting applied in OpenShift 4.5

Version-Release number of selected component (if applicable): OpenShift 4.5

Kernel : 4.18.0-193.14.3.el8_2.x86_64  
cri-o://1.18.3-9.rhaos4.5.gitd047b0a.el8


How reproducible: Disable cpu-cfs-quota by following https://docs.openshift.com/container-platform/4.5/nodes/clusters/nodes-cluster-overcommit.html#nodes-cluster-overcommit-node-enforcing_nodes-cluster-overcommit


Steps to Reproduce: 
1. Disable cpu-cfs-quota and Create a POD which bursts cpu while spinning up. 

Machine config logs :

2021-01-06T16:48:14.292325934Z I0106 16:48:14.292272       1 kubelet_config_controller.go:517] Applied KubeletConfig disable-cpu-units on MachineConfigPool worker
2021-01-06T16:48:14.300602Z E0106 16:48:14.299798       1 render_controller.go:202] machineconfig has changed controller, not allowed.
2021-01-06T17:04:45.033452792Z I0106 17:04:45.033365       1 container_runtime_config_controller.go:731] Applied ImageConfig cluster on MachineConfigPool master
2021-01-06T17:04:46.554185218Z I0106 17:04:46.554093       1 container_runtime_config_controller.go:731] Applied ImageConfig cluster on MachineConfigPool worker
2021-01-06T17:06:54.711709748Z I0106 17:06:54.711648       1 container_runtime_config_controller.go:731] Applied ImageConfig cluster on MachineConfigPool worker
2021-01-06T17:06:57.507448131Z I0106 17:06:57.507387       1 container_runtime_config_controller.go:731] Applied ImageConfig cluster on MachineConfigPool master
2021-01-06T17:09:52.043473817Z I0106 17:09:52.040884       1 render_controller.go:497] Generated machineconfig rendered-worker-a482d1e22cbbe081bd267a4bf37b5a9f from 7 configs: [{MachineConfig  00-worker  machineconfiguration.openshift.io/v1  } {MachineConfig  01-worker-container-runtime  machineconfiguration.openshift.io/v1  } {MachineConfig  01-worker-kubelet  machineconfiguration.openshift.io/v1  } {MachineConfig  99-worker-f277a632-893e-4155-92c3-51227eddea61-kubelet  machineconfiguration.openshift.io/v1  } {MachineConfig  99-worker-f277a632-893e-4155-92c3-51227eddea61-registries  machineconfiguration.openshift.io/v1  } {MachineConfig  99-worker-ssh  machineconfiguration.openshift.io/v1  } {MachineConfig  workers-chrony-configuration  machineconfiguration.openshift.io/v1  }]
2021-01-06T17:09:52.053869731Z I0106 17:09:52.053237       1 render_controller.go:516] Pool worker: now targeting: rendered-worker-a482d1e22cbbe081bd267a4bf37b5a9f
2021-01-06T17:09:57.054694672Z I0106 17:09:57.054637       1 node_controller.go:759] Setting node worker1.example.com to desired config rendered-worker-a482d1e22cbbe081bd267a4bf37b5a9f
2021-01-06T17:09:57.091384394Z I0106 17:09:57.090667       1 node_controller.go:453] Pool worker: node worker1.example.com changed machineconfiguration.openshift.io/desiredConfig = rendered-worker-a482d1e22cbbe081bd267a4bf37b5a9f
2021-01-06T17:09:58.130438995Z I0106 17:09:58.130365       1 node_controller.go:453] Pool worker: node worker1.example.com changed machineconfiguration.openshift.io/state = Working


2. Limits getting applied as verified below

[nchoudhu@supportshell kubepods-burstable.slice]$ cat kubepods-burstable-podecf0ac0f_d764_4bd1_be9b_5aae7e0625a0.slice/cpu.cfs_quota_us 
100000
[supportshell.prod.useraccess-us-west-2.redhat.com] [23:14:30+0000]
[nchoudhu@supportshell kubepods-burstable.slice]$ for I in *slice; do cat $I/cpu.cfs_quota_us; done
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
-1
100000
-1
-1
-1

The machineconfig kubelet.conf file do not have the KubeletArgument :

[novo@nchoudhu rendered-worker-a482d1e22cbbe081bd267a4bf37b5a9f-2021-01-06T17:09:51Z]$ cat kubelet-cgroups.conf 
# Turning on Accounting helps track down performance issues.
[Manager]
DefaultCPUAccounting=yes
DefaultMemoryAccounting=yes
DefaultBlockIOAccounting=yes
[novo@nchoudhu rendered-worker-a482d1e22cbbe081bd267a4bf37b5a9f-2021-01-06T17:09:51Z]$ cat kubelet.conf 
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  x509:
    clientCAFile: /etc/kubernetes/kubelet-ca.crt
  anonymous:
    enabled: false
cgroupDriver: systemd
cgroupRoot: /
clusterDNS:
  - 172.30.0.10
clusterDomain: cluster.local
containerLogMaxSize: 50Mi
maxPods: 250
kubeAPIQPS: 50
kubeAPIBurst: 100
rotateCertificates: true
serializeImagePulls: false
staticPodPath: /etc/kubernetes/manifests
systemCgroups: /system.slice
systemReserved:
  cpu: 500m
  memory: 1Gi
  ephemeral-storage: 1Gi
featureGates:
  LegacyNodeRoleBehavior: false
  NodeDisruptionExclusion: true
  RotateKubeletServerCertificate: true
  SCTPSupport: true
  ServiceNodeExclusion: true
  SupportPodPidsLimit: true
serverTLSBootstrap: true
"
"data:text/plain,{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "staticPodPath": "/etc/kubernetes/manifests",
  "syncFrequency": "0s",
  "fileCheckFrequency": "0s",
  "httpCheckFrequency": "0s",
  "rotateCertificates": true,
  "serverTLSBootstrap": true,
  "authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/kubelet-ca.crt"
    },
    "webhook": {
      "cacheTTL": "0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "webhook": {
      "cacheAuthorizedTTL": "0s",
      "cacheUnauthorizedTTL": "0s"
    }
  },
  "clusterDomain": "cluster.local",
  "clusterDNS": [
    "172.30.0.10"
  ],
  "streamingConnectionIdleTimeout": "0s",
  "nodeStatusUpdateFrequency": "0s",
  "nodeStatusReportFrequency": "0s",
  "imageMinimumGCAge": "0s",
  "volumeStatsAggPeriod": "0s",
  "systemCgroups": "/system.slice",
  "cgroupRoot": "/",
  "cgroupDriver": "systemd",
  "cpuManagerReconcilePeriod": "0s",
  "runtimeRequestTimeout": "0s",
  "maxPods": 250,
  "kubeAPIQPS": 50,
  "kubeAPIBurst": 100,
  "serializeImagePulls": false,
  "evictionPressureTransitionPeriod": "0s",
  "featureGates": {
    "LegacyNodeRoleBehavior": false,
    "NodeDisruptionExclusion": true,
    "RotateKubeletServerCertificate": true,
    "SCTPSupport": true,
    "ServiceNodeExclusion": true,
    "SupportPodPidsLimit": true
  },
  "containerLogMaxSize": "50Mi",
  "systemReserved": {
    "cpu": "500m",
    "ephemeral-storage": "1Gi",
    "memory": "1Gi"
  }
}


Actual results: Pods have limits enforced when `cpu-cfs-quota` is disabled.


Expected results: Pods should not have limits enforced when `cpu-cfs-quota` is disabled.
Comment 10 Michael Burke 2021-02-08 16:22:03 UTC 
Weinan -- Please take a look: https://github.com/openshift/openshift-docs/pull/29250
Comment 23 Weinan Liu 2021-02-18 03:08:13 UTC 
The updates LGTM
Comment 25 Michael Burke 2021-02-19 14:52:22 UTC 
Novonil --

I have a docs PR in process that recently was passed by QE. I will get the PR merged as soon as I can. We have a procedural ban on merging until 4.7 GA.

https://github.com/openshift/openshift-docs/pull/29250

Michael
Comment 26 Michael Burke 2021-03-01 21:30:34 UTC 
Changes are live: https://docs.openshift.com/container-platform/4.7/nodes/clusters/nodes-cluster-overcommit.html#nodes-cluster-overcommit-node-enforcing_nodes-cluster-overcommit