Containers-roadmap: [EKS] [request]: Enable PodNodeSelector Admission Controller for EKS

Created on 23 May 2019  路  12Comments  路  Source: aws/containers-roadmap

Tell us about your request
It would be nice if it was possible to use PodNodeSelector in EKS.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
In our EKS clusters, we are looking to leverage namespaces to represent our deployment environments. In order to do this safely, we want to label different auto-scaling groups of nodes as production and non-production. We then could use have the clusterDefaultNodeSelector select the non-production nodes, and the prod namespace target production nodes.

Are you currently working around this issue?
We are currently considering 2 workarounds.

  1. Having our CD pipeline inject a nodeSelector into each deployment manifest based on the namespace being deployed to.
  2. Writing a MutatingAdmissionWebhook to handle node selection, but this seems like we would just be re-writing the built-in PodNodeSelector.
EKS Proposed
Source
picture toran414
👍84

Most helpful comment

We're taking a look at this.

Update 11/11
We took a deeper look at this. Because the namespaces that are declared for this controller are statically defined in config files that are on the api server, it is not something that we can easily enable today. We're keeping this on our backlog and will continue to evaluate the feasibility of properly enabling this controller in the future.

picture tabern on 9 Nov 2020
4 🚀3

All 12 comments

The PodNodeSelector is an old-skool, compiled-in Admission Controller. A MutatingAdmissionWebhook is the more contemporary way to implement this functionality and requires no messing with the control plane configuration. So you are doing the right thing there I think. Plus your out-of-tree Admission Controller can be more flexible to your needs. Implementing this replacement would be good thing. Node selectors and thus PodNodeSelector should eventually be deprecated and replaced by affinity (once more efficient).

But if it were easy to enable PodNodeSelector right now, it would be a quicker fix for your issue.

whereisaaron picture whereisaaron on 23 May 2019

Another solution I've considered using: give each auto scaling group a different taint. Say the current production environment is called "release 2019-05-01", then one ASG would have the taint release=2019-05-01:NoSchedule, and pods for that release have a toleration {"key": "release", "operator": "Equals", "value": "2019-05-01", "effect": "NoSchedule"}. For new staging releases, you'd make another ASG with a unique taint, and have its pods tolerate it. Thus, pods from the different releases couldn't intermingle on the same node.

kinghajj picture kinghajj on 23 May 2019

So right now even with the latest EKS 1.13 eks.2 we don't have "PodNodeSelector" feature right?

omerfsen picture omerfsen on 7 Aug 2019

My requirement is that to run pods on nodes on default namespace which has label lifecycle=Ec2Spot and run dashboard,grafana,prometheus etc.. (management stuff) on ASG labeled lifecycle=OnDemand so to achieve that

https://stackoverflow.com/questions/52487333/how-to-assign-a-namespace-to-certain-nodes

omerfsen picture omerfsen on 7 Aug 2019
👍2

+1

rosscdh picture rosscdh on 30 Aug 2019

Now that there are managed node groups in 1.14 this would be super useful to automatically restrict pods to certain groups only.

excieve picture excieve on 18 Dec 2019

For those whom still want podnodesselector functionality but can't be bothered to write the admission webhook controllers: https://github.com/liangrog/admission-webhook-server

liangrog picture liangrog on 7 Jan 2020
👍3

@tabern is there any hope that it will be activated on EKS soon?

pierluigilenoci picture pierluigilenoci on 2 Jul 2020
👍5

Yes, any update?

AceHack picture AceHack on 31 Aug 2020

Any update, this is no longer alpha

AceHack picture AceHack on 28 Oct 2020

We're taking a look at this.

Update 11/11
We took a deeper look at this. Because the namespaces that are declared for this controller are statically defined in config files that are on the api server, it is not something that we can easily enable today. We're keeping this on our backlog and will continue to evaluate the feasibility of properly enabling this controller in the future.

tabern picture tabern on 9 Nov 2020
4 🚀3

Is there any other solution to this problem? We have a 3rd party helm chart that doesn't cleanly handle setting tolerations and affinity. We would need everything to run on a specific node group and this would have solved the problem

derhally picture derhally on 10 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

aliabas7 picture aliabas7  路  3Comments
MartinDevillers picture MartinDevillers  路  3Comments
inductor picture inductor  路  3Comments
abby-fuller picture abby-fuller  路  3Comments
miztch picture miztch  路  3Comments