Design-proposal: KubeVirt DRA design proposal #293
Conversation
Signed-off-by: Ryan Hallisey <[email protected]>
kubevirt-bot
added
the
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
cc @varunrsekar |
|
/label sig-api |
|
@alaypatel07: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/sig api |
kubevirt-bot
added
the
sig/api
| ## Definition of Users | ||
| A user is a person that wants to attach a device to a VM | ||
|
|
||
| ## User Stories |
There was a problem hiding this comment.
Additional usecase:
- As a user, I would like to use the dra driver for certain devices and device-plugins for others.
| to exist in Kubernetes, but DRA will offer vendors more control over the device topology. | ||
|
|
||
| ## Motivation | ||
| DRA adoption is important for KubeVirt so that vendors can expect the same |
There was a problem hiding this comment.
Currently, DRA vendors design their drivers using CDI with the idea in mind that the requesting pod is going to consume the device (say, GPU) directly. In existing KubeVirt atchitecture, virt-launcher pod has kept a minimal security profile where even though it is requesting the devices from device-plugins, it only gets partial access to the devices, just enough to be able to pass it along to the libvirt domain.
I'm wondering if it will break the security posture of KubeVirt if we introduce DRA drivers that allows full access to the devices from the virt-launcher pod.
| spec: | ||
| resourceClaims: | ||
| - name: a100-40C | ||
| source: | ||
| resourceClaimTemplateName: a100-40C-claim-template |
There was a problem hiding this comment.
Specifically for GPUs, this is the spec I had in mind to keep in-sync with the existing architecture and to address an usecase such as:
As a user, I would like to use the dra driver for certain devices and device-plugins for others.
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
labels:
kubevirt.io/vm: vm-cirros
name: vm-cirros
spec:
running: false
template:
metadata:
labels:
kubevirt.io/vm: vm-cirros
spec:
domain:
devices:
gpus:
- name: gpu0
resourceClaim:
name: a100-40C
source:
resourceClaimTemplateName: a100-40C-claim-template
–--
apiVersion: v1
kind: Pod
metadata:
name: virt-launcher-cirros
spec:
containers:
- name: virt-launcher
image: virt-launcher
resources:
claims:
- name: a100-40C
resourceClaims:
- name: a100-40C
source:
resourceClaimTemplateName: a100-40C-claim-template
The idea is that, for a gpu device, if the resourceClaim field is set, then kubevirt will know its to be provisioned by a dra driver and applies it to the virt-launcher pod spec. If instead, the deviceName is set, then kubevirt will know it is to be provisioned by a device-plugin and will set resources.requests[<deviceName>].
The same rationale can be applied to the other device types from https://pkg.go.dev/kubevirt.io/api/core/v1#DomainSpec that would need DRA integration
|
/cc |
|
@rthallisey one thing that is difficult for me to model with DRA is how we pass the device information. Today, there is an implicit API/mechanism between the device plugin and kubevirt how the device information are passed through environmental variables. For example, kubevirt cannot work out-of-the-box with any device plugins. |
| resourceClaims: | ||
| - name: rtx4090 | ||
| source: | ||
| resourceClaimTemplateName: rtx4090-claim-template |
There was a problem hiding this comment.
Do we want to reference a claim here or the claim template?
|
/sig compute |
|
Hey. Does it make sense to split this proposal into two:
Thoughts? |
@varunrsekar is discussing this with upstream DRA folks. We're working on a path to formalize device info in vendor plugins. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
kubevirt-bot
added
the
lifecycle/stale
|
@rthallisey @varunrsekar Are we still going ahead with this? |
|
/cc |
|
@aburdenthehand yes |
|
Discussion has moved to #331 |
DRA (Dynamic Resource Allocation) design proposal.
What this PR does / why we need it:
KubeVirt DRA integration will allow VM users fine-grained control of devices. This is important for many use-cases:
In the current device-plugin model, GPUs can only be advertised in one mode (Passthrough, MIG, vGPU) for the full lifecycle of the device. This model doesn’t work when an end-user has the ability to choose which type of device they need - PT, vGPU, or MIG.
Advertising full devices is a common use-case in ephemeral workloads like HPC, ML, Cloud Gaming, ect.., that require on-demand driver switches on the GPU, based on the type of workload requested.
Similar to the GPU, the CPU can be logically separated and handed out to workloads. Conceptually the use-case would be the same as GPUs - allow a plugin to handle the specialized allocation of the CPU. Similarly, need memory management as well. We should be allowing full platform management for specialized vertical solutions.
DRA is not a device-plugin replacement - it solves more problems.
Release note: