feat: support new topologySpread scheduling constraints

[jmdeal]

Fixes #430

Description
This PR adds support for the following topology spread constraint fields:

• matchLabelKeys
• nodeAffinityPolicy
• nodeTaintsPolicy

How was this change tested?
make test

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[coveralls]

Pull Request Test Coverage Report for Build 13139823506

Details

• 128 of 132 (96.97%) changed or added relevant lines in 10 files are covered.
• 4 unchanged lines in 2 files lost coverage.
• Overall coverage increased (+0.08%) to 81.331%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/controllers/provisioning/provisioner.go	13	15	86.67%
pkg/controllers/provisioning/scheduling/topology.go	28	30	93.33%

Files with Coverage Reduction	New Missed Lines	%
pkg/utils/termination/termination.go	2	92.31%
pkg/test/expectations/expectations.go	2	94.81%

Totals
Change from base Build 13127485405:	0.08%
Covered Lines:	9175
Relevant Lines:	11281

---

💛 - Coveralls

[jmdeal]

Holding to include matchLabelKeys for pod affinity with k8s v1.29.

[hamishforbes]

Hi @jmdeal is there anything blocking this or any way I can help to move this on (testing a custom build or something)?

[engedaam]

/assign @njtran

[k8s-ci-robot]

@engedaam: GitHub didn't allow me to assign the following users: njtarn.

Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @njtarn

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[engedaam]

/assign @njtran

[jonathan-innis]

/unassign njtran

[jonathan-innis]

/assign jonathan-innis

[jonathan-innis]

Ran this comparison a few times, this was the set of results with the largest difference. Marginally faster overall surprisingly, with a slight decrease in first round scheduled pods (though I noticed this stat varied wildly between runs).

And I think I figured out why! Turns out that we really haven't been doing our scheduling benchmarking correctly in a while! See #1930

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jmdeal
Once this PR has been reviewed and has the lgtm label, please ask for approval from jonathan-innis. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jonathan-innis]

Suggested change

	func NewTopologyGroup(topologyType TopologyType, topologyKey string, pod *v1.Pod, namespaces sets.Set[string], labelSelector *metav1.LabelSelector, maxSkew int32, minDomains *int32, taintPolicy *v1.NodeInclusionPolicy, affinityPolicy *v1.NodeInclusionPolicy, domainGroup TopologyDomainGroup) *TopologyGroup {
	func NewTopologyGroup(topologyType TopologyType, topologyKey string, pod *v1.Pod, namespaces sets.Set[string], labelSelector *metav1.LabelSelector, maxSkew int32, minDomains *int32, taintPolicy, affinityPolicy *v1.NodeInclusionPolicy, domainGroup TopologyDomainGroup) *TopologyGroup {

the tiniest nit known to man

[jmdeal]

I've reformatted to put each argument on it's own line, since this is beginning to wrap off of my screen. Given that, I think leaving both types in is more readable, but let me know what you think. Personally, I prefer always including the types as I find it a little more readable, but I don't feel to strongly.

[jonathan-innis]

First pass -- I didn't look at everything and have some starting questions

[rschalo]

/remove-label blocked

[k8s-ci-robot]

@rschalo: The label(s) /remove-label blocked cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, ci-short, ci-extended, ci-full. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/remove-label blocked

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jonathan-innis]

We don't attach tolerations in this codepath? Seems wrong that we wouldn't attach tolerations here -- also, since there isn't a test failing for this scenario seems like we need to add one

[jonathan-innis]

This doesn't look right -- I think we are still using karpenter.sh/disrupted:NoSchedule

[jonathan-innis]

It just tracks the eligible domains, right?

[jonathan-innis]

It still took me a second to parse this -- it might be worth pushing that comment down below up here or maybe add a second one -- just because I didn't get it until I saw the comment down below

[jonathan-innis]

Consider marking down that we could potentially improve this code by just storing the domains that map to certain cached tolerations -- small improvement but maybe worth doing eventually

[jonathan-innis]

Noting down that we have plans to move this over into domainGroups since domainGroups should really capture all of the domains that are eligible across the cluster (including NodePools) rather than just the NodePools (which is what they are doing right now)

[jonathan-innis]

After some discussion with @jmdeal, we should consider passing state nodes directly into this function rather than using the t.cluster.ForEach and holding a read lock throughout the time

[jonathan-innis]

nit: Since this is more standard

Suggested change

	if _, countExists := tg.domains[domain]; !countExists {
	if _, ok := tg.domains[domain]; !ok {

[jonathan-innis]

Suggested change

	if value, ok := p.ObjectMeta.Labels[key]; ok {
	if value, ok := p.Labels[key]; ok {

super super minor nit

[jonathan-innis]

Suggested change

	for _, cs := range p.Spec.TopologySpreadConstraints {
	for _, tsc := range p.Spec.TopologySpreadConstraints {

this is also minor but why not?

[jonathan-innis]

For the tests that are validating schedulability of a pod against a nodepool or node, it might be worth it to add taints and tolerations for the nodepool/node that we are able to schedule to as well so that we ensure that we are exercising the tolerates checks that we have in the topology code

[jonathan-innis]

I could also see an argument that this is tested below but it probably doesn't hurt -- I could go either way

[jonathan-innis]

Suggested change

	It("should balance pods across a label when discovered from the provisioner (NodeTaintsPolicy=honor)", func() {
	It("should balance pods across a label when discovered from the NodePool (NodeTaintsPolicy=honor)", func() {

consider replacing the use of the word provisioner throughout this file with NodePool :P we got some legacy wording that got kept around due to how long this has been open

[jonathan-innis]

nit: consider adding a bit more to this comment (1 pod that tolerated the nodepool-1 taint on fot, 1 that tolerated the nodepool-1 taint on bar, etc.

[jonathan-innis]

What about a test for a set of pods that have two different tolerations and two different NodePools with mutually exclusive taints?

[jonathan-innis]

nit: This naming is wrong from the copy

[jonathan-innis]

This is awesome work! This is definitely getting close! I think mostly a few small things -- we should write-down things that we want to refactor here since there were some ideas thrown out about how we could move existing nodes into topologyGroups and avoid iterating through stateNodes in countDomains -- also some things around naming of functions -- also also capturing nodeAffinities in eligible domains for topologyDomainGroups