Use Boolean logic for descheduler.alpha.kubernetes.io/evict annotation

In all the example and tests descheduler.alpha.kubernetes.io/evict
annotation was used with = true value to force a pod to
be considered evictable regardless of all the other checks.
Surprisingly descheduler.alpha.kubernetes.io/evict=false
was also producing the same effect.
Properly implement Boolean logic so that
descheduler.alpha.kubernetes.io/evict=false can be used
to configure a pod to be ignored by the descheduler
regardless of all the other checks.

Signed-off-by: Simone Tiraboschi <[email protected]>

Author: tiraboschi

README.md

@@ -1010,10 +1010,12 @@ never evicted because these pods won't be recreated. (Standalone pods in failed
 * Pods with PVCs are evicted (unless `ignorePvcPods: true` is set).
 * In `LowNodeUtilization` and `RemovePodsViolatingInterPodAntiAffinity`, pods are evicted by their priority from low to high, and if they have same priority,
 best effort pods are evicted before burstable and guaranteed pods.
-* All types of pods with the annotation `descheduler.alpha.kubernetes.io/evict` are eligible for eviction. This
-  annotation is used to override checks which prevent eviction and users can select which pod is evicted.
+* `descheduler.alpha.kubernetes.io/evict` annotation can be used to force eviction eligibility.
+  All types of pods with the annotation `descheduler.alpha.kubernetes.io/evict=true` are eligible for eviction.
+  This annotation is used to override checks which prevent eviction and users can select which pod is evicted.
   Users should know how and if the pod will be recreated.
   The annotation only affects internal descheduler checks.
+  `descheduler.alpha.kubernetes.io/evict=false` will force a pod to be considered not eligible for eviction.
   The anti-disruption protection provided by the [/eviction](https://kubernetes.io/docs/concepts/scheduling-eviction/api-eviction/)
   subresource is still respected.
 * Pods with a non-nil DeletionTimestamp are not evicted by default.

pkg/framework/plugins/defaultevictor/defaultevictor.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -58,10 +59,20 @@ func IsPodEvictableBasedOnPriority(pod *v1.Pod, priority int32) bool {
 	return pod.Spec.Priority == nil || *pod.Spec.Priority < priority
 }
 
-// HaveEvictAnnotation checks if the pod have evict annotation
-func HaveEvictAnnotation(pod *v1.Pod) bool {
-	_, found := pod.ObjectMeta.Annotations[evictPodAnnotationKey]
-	return found
+// HaveEvictAnnotation checks if the pod have evict annotation and its value
+func HaveEvictAnnotation(pod *v1.Pod) (bool, bool) {
+	svalue, found := pod.ObjectMeta.Annotations[evictPodAnnotationKey]
+	bvalue := false
+	if found {
+		switch {
+		case strings.EqualFold(svalue, "false"):
+			bvalue = false
+		// backward compatibility
+		default:
+			bvalue = true
+		}
+	}
+	return bvalue, found
 }
 
 // New builds plugin from its arguments while passing a handle
@@ -236,8 +247,11 @@ func (d *DefaultEvictor) PreEvictionFilter(pod *v1.Pod) bool {
 func (d *DefaultEvictor) Filter(pod *v1.Pod) bool {
 	checkErrs := []error{}
 
-	if HaveEvictAnnotation(pod) {
-		return true
+	if value, found := HaveEvictAnnotation(pod); found {
+		if value {
+			return true
+		}
+		checkErrs = append(checkErrs, fmt.Errorf("pod is annotated with %v=%v", evictPodAnnotationKey, value))
 	}
 
 	if utils.IsMirrorPod(pod) {

pkg/framework/plugins/defaultevictor/defaultevictor_test.go

@@ -376,10 +376,10 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: false,
 			result:                  true,
 		}, {
-			description: "Normal pod eviction with normal ownerRefs and descheduler.alpha.kubernetes.io/evict annotation",
+			description: "Normal pod eviction with normal ownerRefs and descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p2", 400, 0, n1.Name, func(pod *v1.Pod) {
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
 				}),
 			},
@@ -397,10 +397,10 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: false,
 			result:                  true,
 		}, {
-			description: "Normal pod eviction with replicaSet ownerRefs and descheduler.alpha.kubernetes.io/evict annotation",
+			description: "Normal pod eviction with replicaSet ownerRefs and descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p4", 400, 0, n1.Name, func(pod *v1.Pod) {
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					pod.ObjectMeta.OwnerReferences = test.GetReplicaSetOwnerRefList()
 				}),
 			},
@@ -418,16 +418,27 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: false,
 			result:                  true,
 		}, {
-			description: "Normal pod eviction with statefulSet ownerRefs and descheduler.alpha.kubernetes.io/evict annotation",
+			description: "Normal pod eviction with statefulSet ownerRefs and descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p19", 400, 0, n1.Name, func(pod *v1.Pod) {
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					pod.ObjectMeta.OwnerReferences = test.GetStatefulSetOwnerRefList()
 				}),
 			},
 			evictLocalStoragePods:   false,
 			evictSystemCriticalPods: false,
 			result:                  true,
+		}, {
+			description: "Pod not evicted because it has descheduler.alpha.kubernetes.io/evict=false annotation",
+			pods: []*v1.Pod{
+				test.BuildTestPod("p2", 400, 0, n1.Name, func(pod *v1.Pod) {
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "false"}
+					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
+				}),
+			},
+			evictLocalStoragePods:   false,
+			evictSystemCriticalPods: false,
+			result:                  false,
 		}, {
 			description: "Pod not evicted because it is bound to a PV and evictLocalStoragePods = false",
 			pods: []*v1.Pod{
@@ -471,10 +482,10 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: false,
 			result:                  true,
 		}, {
-			description: "Pod is evicted because it is bound to a PV and evictLocalStoragePods = false, but it has scheduler.alpha.kubernetes.io/evict annotation",
+			description: "Pod is evicted because it is bound to a PV and evictLocalStoragePods = false, but it has descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p7", 400, 0, n1.Name, func(pod *v1.Pod) {
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
 					pod.Spec.Volumes = []v1.Volume{
 						{
@@ -504,10 +515,10 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: false,
 			result:                  false,
 		}, {
-			description: "Pod is evicted because it is part of a daemonSet, but it has scheduler.alpha.kubernetes.io/evict annotation",
+			description: "Pod is evicted because it is part of a daemonSet, but it has descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p9", 400, 0, n1.Name, func(pod *v1.Pod) {
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					pod.ObjectMeta.OwnerReferences = test.GetDaemonSetOwnerRefList()
 				}),
 			},
@@ -526,12 +537,12 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: false,
 			result:                  false,
 		}, {
-			description: "Pod is evicted because it is a mirror pod, but it has scheduler.alpha.kubernetes.io/evict annotation",
+			description: "Pod is evicted because it is a mirror pod, but it has descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p11", 400, 0, n1.Name, func(pod *v1.Pod) {
 					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
 					pod.Annotations = test.GetMirrorPodAnnotation()
-					pod.Annotations["descheduler.alpha.kubernetes.io/evict"] = "true"
+					pod.Annotations[evictPodAnnotationKey] = "true"
 				}),
 			},
 			evictLocalStoragePods:   false,
@@ -550,14 +561,14 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: false,
 			result:                  false,
 		}, {
-			description: "Pod is evicted because it has system critical priority, but it has scheduler.alpha.kubernetes.io/evict annotation",
+			description: "Pod is evicted because it has system critical priority, but it has descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p13", 400, 0, n1.Name, func(pod *v1.Pod) {
 					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
 					priority := utils.SystemCriticalPriority
 					pod.Spec.Priority = &priority
 					pod.Annotations = map[string]string{
-						"descheduler.alpha.kubernetes.io/evict": "true",
+						evictPodAnnotationKey: "true",
 					}
 				}),
 			},
@@ -577,11 +588,11 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			priorityThreshold:       &lowPriority,
 			result:                  false,
 		}, {
-			description: "Pod is evicted because it has a priority higher than the configured priority threshold, but it has scheduler.alpha.kubernetes.io/evict annotation",
+			description: "Pod is evicted because it has a priority higher than the configured priority threshold, but it has descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p15", 400, 0, n1.Name, func(pod *v1.Pod) {
 					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					pod.Spec.Priority = &highPriority
 				}),
 			},
@@ -602,11 +613,11 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			evictSystemCriticalPods: true,
 			result:                  true,
 		}, {
-			description: "Pod is evicted because it has system critical priority, but evictSystemCriticalPods = true and it has scheduler.alpha.kubernetes.io/evict annotation",
+			description: "Pod is evicted because it has system critical priority, but evictSystemCriticalPods = true and it has descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p16", 400, 0, n1.Name, func(pod *v1.Pod) {
 					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					priority := utils.SystemCriticalPriority
 					pod.Spec.Priority = &priority
 				}),
@@ -627,11 +638,11 @@ func TestDefaultEvictorFilter(t *testing.T) {
 			priorityThreshold:       &lowPriority,
 			result:                  true,
 		}, {
-			description: "Pod is evicted because it has a priority higher than the configured priority threshold, but evictSystemCriticalPods = true and it has scheduler.alpha.kubernetes.io/evict annotation",
+			description: "Pod is evicted because it has a priority higher than the configured priority threshold, but evictSystemCriticalPods = true and it has descheduler.alpha.kubernetes.io/evict=true annotation",
 			pods: []*v1.Pod{
 				test.BuildTestPod("p17", 400, 0, n1.Name, func(pod *v1.Pod) {
 					pod.ObjectMeta.OwnerReferences = test.GetNormalPodOwnerRefList()
-					pod.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
+					pod.Annotations = map[string]string{evictPodAnnotationKey: "true"}
 					pod.Spec.Priority = &highPriority
 				}),
 			},

test/e2e/e2e_test.go

@@ -19,10 +19,12 @@ package e2e
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
 	"math"
 	"os"
 	"sort"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -1211,8 +1213,17 @@ func TestPodLabelSelector(t *testing.T) {
 	}
 }
 
-func TestEvictAnnotation(t *testing.T) {
+func TestEvictAnnotationFalse(t *testing.T) {
+	testEvictAnnotation(t, false)
+}
+
+func TestEvictAnnotationTrue(t *testing.T) {
+	testEvictAnnotation(t, true)
+}
+
+func testEvictAnnotation(t *testing.T, evictAnnotationValue bool) {
 	ctx := context.Background()
+	const podNumber = 5
 
 	clientSet, _, nodeLister, _ := initializeClient(ctx, t)
 
@@ -1222,18 +1233,26 @@ func TestEvictAnnotation(t *testing.T) {
 	}
 	defer clientSet.CoreV1().Namespaces().Delete(ctx, testNamespace.Name, metav1.DeleteOptions{})
 
-	t.Log("Create RC with pods with local storage which require descheduler.alpha.kubernetes.io/evict annotation to be set for eviction")
-	rc := RcByNameContainer("test-rc-evict-annotation", testNamespace.Name, int32(5), map[string]string{"test": "annotation"}, nil, "")
-	rc.Spec.Template.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": "true"}
-	rc.Spec.Template.Spec.Volumes = []v1.Volume{
-		{
-			Name: "sample",
-			VolumeSource: v1.VolumeSource{
-				EmptyDir: &v1.EmptyDirVolumeSource{
-					SizeLimit: resource.NewQuantity(int64(10), resource.BinarySI),
+	if evictAnnotationValue {
+		t.Log("Create RC with pods with local storage which require descheduler.alpha.kubernetes.io/evict=true annotation to be set for eviction")
+	} else {
+		t.Log("Create RC with pods with descheduler.alpha.kubernetes.io/evict=false annotation to skip eviction")
+	}
+
+	rc := RcByNameContainer("test-rc-evict-annotation", testNamespace.Name, int32(podNumber), map[string]string{"test": "annotation"}, nil, "")
+	rc.Spec.Template.Annotations = map[string]string{"descheduler.alpha.kubernetes.io/evict": strconv.FormatBool(evictAnnotationValue)}
+	if evictAnnotationValue {
+		t.Logf("Adding a local storage volume")
+		rc.Spec.Template.Spec.Volumes = []v1.Volume{
+			{
+				Name: "sample",
+				VolumeSource: v1.VolumeSource{
+					EmptyDir: &v1.EmptyDirVolumeSource{
+						SizeLimit: resource.NewQuantity(int64(10), resource.BinarySI),
+					},
 				},
 			},
-		},
+		}
 	}
 
 	if _, err := clientSet.CoreV1().ReplicationControllers(rc.Namespace).Create(ctx, rc, metav1.CreateOptions{}); err != nil {
@@ -1266,19 +1285,31 @@ func TestEvictAnnotation(t *testing.T) {
 			return false, fmt.Errorf("unable to list pods after running plugin: %v", err)
 		}
 
-		excludePodNames := getPodNames(podList.Items)
-		sort.Strings(excludePodNames)
-		t.Logf("Existing pods: %v", excludePodNames)
+		existingPodNames := getPodNames(podList.Items)
+		sort.Strings(existingPodNames)
+		t.Logf("Existing pods: %v", existingPodNames)
 
-		// validate no pods were deleted
-		if len(intersectStrings(initialPodNames, excludePodNames)) > 0 {
-			t.Logf("Not every pods was evicted")
+		if evictAnnotationValue {
+			if len(intersectStrings(initialPodNames, existingPodNames)) > 0 {
+				t.Logf("Not every pods was evicted")
+				return false, nil
+			}
+		} else {
+			// validate no pods were deleted
+			if len(intersectStrings(initialPodNames, existingPodNames)) != podNumber {
+				t.Logf("At least a pod was evicted")
+				return false, fmt.Errorf("none of %v unevictable pods are expected to be deleted", initialPodNames)
+			}
 			return false, nil
 		}
 
 		return true, nil
 	}); err != nil {
-		t.Fatalf("Error waiting for pods to be deleted: %v", err)
+		if !evictAnnotationValue && (wait.Interrupted(err) || errors.Is(err, context.DeadlineExceeded)) {
+			t.Logf("No one of the unevictable pod got evicted")
+		} else {
+			t.Fatalf("Error waiting for pods to be deleted: %v", err)
+		}
 	}
 }