feat: Support DRA Admin Access

Signed-off-by: MenD32 <[email protected]>

tests: added utilization test for adminaccess resourceclaims

Signed-off-by: MenD32 <[email protected]>

fix: ran gofmt

Signed-off-by: MenD32 <[email protected]>

fix: false positives on SanitizedPodResourceClaims

Signed-off-by: MenD32 <[email protected]>

fix: non admin results get removed from resourceclaim when requests is empty

Signed-off-by: MenD32 <[email protected]>

feat: Support DRA Admin Access

Signed-off-by: MenD32 <[email protected]>

refactor: moved device filtering to groupAllocatedDevices

Signed-off-by: MenD32 <[email protected]>

tests: added test of combined admin access and non-admin access utilization calculation

Signed-off-by: MenD32 <[email protected]>

tests: added test for admin access request sanitization

Signed-off-by: MenD32 <[email protected]>

feat: Support DRA Admin Access

Signed-off-by: MenD32 <[email protected]>

tests: added utilization test for adminaccess resourceclaims

Signed-off-by: MenD32 <[email protected]>

fix: ran gofmt

Signed-off-by: MenD32 <[email protected]>

fix: false positives on SanitizedPodResourceClaims

Signed-off-by: MenD32 <[email protected]>

fix: non admin results get removed from resourceclaim when requests is empty

Signed-off-by: MenD32 <[email protected]>

feat: Support DRA Admin Access

Signed-off-by: MenD32 <[email protected]>

refactor: moved device filtering to groupAllocatedDevices

Signed-off-by: MenD32 <[email protected]>

fix: removed ClaimWithoutAdminAccessRequests  sanitization

Signed-off-by: MenD32 <[email protected]>

chore: migrated to v1

Signed-off-by: MenD32 <[email protected]>

fix: changed methodology to using ptr.Deref

Signed-off-by: MenD32 <[email protected]>

fix: changed methodology to using ptr.Deref

Signed-off-by: MenD32 <[email protected]>

removed allocation status check from getDeviceResultRequest

Signed-off-by: MenD32 <[email protected]>

fix: added handling logic for daemonsets with non-adminAccess resource claims (and also style fixes)

Signed-off-by: MenD32 <[email protected]>

tests: changed duplicated test name

Signed-off-by: MenD32 <[email protected]>

style: changed variable name to hasRegularAllocations

Signed-off-by: MenD32 <[email protected]>

Author: MenD32

cluster-autoscaler/simulator/dynamicresources/utils/sanitize.go

@@ -24,6 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/dynamic-resource-allocation/resourceclaim"
+	"k8s.io/utils/ptr"
 	"k8s.io/utils/set"
 )
 
@@ -54,11 +55,13 @@ func SanitizedNodeResourceSlices(nodeLocalSlices []*resourceapi.ResourceSlice, n
 //   - ResourceClaims not owned by oldOwner are returned unchanged in the result. They are shared claims not bound to the
 //     lifecycle of the duplicated pod, so they shouldn't be duplicated.
 //   - Works for unallocated claims (e.g. if the pod being duplicated isn't scheduled).
+//   - Works for claims with only AdminAccess allocations, which can be safely duplicated without sanitization since they
+//     don't reserve devices.
 //   - Works for claims allocated on a single node that is being duplicated (e.g. if the pod being duplicated is a scheduled DS pod).
 //     The name of the old node and its pools have to be provided in this case. Such allocated claims are pointed to newNodeName,
-//     and nameSuffix is appended to all pool names in allocation results, to match the pool names of the new, duplicated node.
-//   - Returns an error if any of the allocated claims is not node-local on oldNodeName. Such allocations can't be sanitized, the only
-//     option is to clear the allocation and run scheduler filters&reserve to get a new allocation when duplicating a pod.
+//     and nameSuffix is appended to all pool names in non-AdminAccess allocation results, to match the pool names of the new, duplicated node.
+//   - Returns an error if any of the allocated non-AdminAccess claims is not node-local on oldNodeName. Such allocations can't be sanitized,
+//     the only option is to clear the allocation and run scheduler filters&reserve to get a new allocation when duplicating a pod.
 func SanitizedPodResourceClaims(newOwner, oldOwner *v1.Pod, claims []*resourceapi.ResourceClaim, nameSuffix, newNodeName, oldNodeName string, oldNodePoolNames set.Set[string]) ([]*resourceapi.ResourceClaim, error) {
 	var result []*resourceapi.ResourceClaim
 	for _, claim := range claims {
@@ -81,14 +84,17 @@ func SanitizedPodResourceClaims(newOwner, oldOwner *v1.Pod, claims []*resourceap
 			continue
 		}
 
-		if singleNodeSelector := nodeSelectorSingleNode(claimCopy.Status.Allocation.NodeSelector); singleNodeSelector == "" || singleNodeSelector != oldNodeName {
-			// This claim most likely has an allocation available on more than a single Node. We can't sanitize it, and it shouldn't be duplicated as we'd
-			// have multiple claims allocating the same devices.
-			return nil, fmt.Errorf("claim %s/%s is allocated, but not node-local on %s - can't be sanitized", claim.Namespace, claim.Name, oldNodeName)
-		}
-
 		var sanitizedAllocations []resourceapi.DeviceRequestAllocationResult
+		hasRegularAllocations := false
 		for _, devAlloc := range claim.Status.Allocation.Devices.Results {
+			if ptr.Deref(devAlloc.AdminAccess, false) {
+				// AdminAccess Device allocations don't actually reserve the Device, and the same Device can be allocated for multiple AdminAccess requests.
+				// When we just copy the allocation without sanitizing, we introduce multiple allocations for the same DRA Device.
+				// But this is fine for AdminAccess allocations, so in this case we can just copy it.
+				sanitizedAllocations = append(sanitizedAllocations, devAlloc)
+				continue
+			}
+			hasRegularAllocations = true
 			// It's possible to have both node-local and global allocations in a single resource claim. Make sure that all allocations were node-local on the old node.
 			if !oldNodePoolNames.Has(devAlloc.Pool) {
 				return nil, fmt.Errorf("claim %s/%s has an allocation %s, from a pool that isn't node-local on %s - can't be sanitized", claim.Namespace, claim.Name, devAlloc.Request, oldNodeName)
@@ -97,6 +103,13 @@ func SanitizedPodResourceClaims(newOwner, oldOwner *v1.Pod, claims []*resourceap
 			sanitizedAllocations = append(sanitizedAllocations, devAlloc)
 		}
 
+		// if all allocations were AdminAccess, we're done checking for node-locality, doesn't matter since it doesn't reserve anything.
+		if singleNodeSelector := nodeSelectorSingleNode(claimCopy.Status.Allocation.NodeSelector); hasRegularAllocations && (singleNodeSelector == "" || singleNodeSelector != oldNodeName) {
+			// This claim most likely has an allocation available on more than a single Node. We can't sanitize it, and it shouldn't be duplicated as we'd
+			// have multiple claims allocating the same devices.
+			return nil, fmt.Errorf("claim %s/%s is allocated, but not node-local on %s - can't be sanitized", claim.Namespace, claim.Name, oldNodeName)
+		}
+
 		claimCopy.Status.Allocation.Devices.Results = sanitizedAllocations
 		claimCopy.Status.Allocation.NodeSelector = createNodeSelectorSingleNode(newNodeName)
 		claimCopy.Status.ReservedFor = []resourceapi.ResourceClaimConsumerReference{PodClaimConsumerReference(newOwner)}

cluster-autoscaler/simulator/dynamicresources/utils/sanitize_test.go

@@ -26,6 +26,7 @@ import (
 	resourceapi "k8s.io/api/resource/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/autoscaler/cluster-autoscaler/utils/test"
+	"k8s.io/utils/ptr"
 	"k8s.io/utils/set"
 )
 
@@ -322,6 +323,86 @@ func TestSanitizedPodResourceClaims(t *testing.T) {
 			},
 		},
 	}
+	singleNodeAllocationWithAdminAccessRequest := &resourceapi.AllocationResult{
+		NodeSelector: &apiv1.NodeSelector{NodeSelectorTerms: []apiv1.NodeSelectorTerm{{
+			MatchFields: []apiv1.NodeSelectorRequirement{
+				{Key: "metadata.name", Operator: apiv1.NodeSelectorOpIn, Values: []string{"testNode"}},
+			}},
+		}},
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{Request: "request1", Driver: "driver.foo.com", Pool: "testNodePool1", Device: "device1"},
+				{Request: "request2", Driver: "driver.foo.com", Pool: "testNodePool1", Device: "device2", AdminAccess: ptr.To(false)},
+				{Request: "request3", Driver: "driver.foo.com", Pool: "testNodePool2", Device: "device1", AdminAccess: ptr.To(true)},
+			},
+		},
+	}
+	singleNodeAllocationWithAdminAccessRequestSanitized := &resourceapi.AllocationResult{
+		NodeSelector: &apiv1.NodeSelector{NodeSelectorTerms: []apiv1.NodeSelectorTerm{{
+			MatchFields: []apiv1.NodeSelectorRequirement{
+				{Key: "metadata.name", Operator: apiv1.NodeSelectorOpIn, Values: []string{"newNode"}},
+			}},
+		}},
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{Request: "request1", Driver: "driver.foo.com", Pool: "testNodePool1-abc", Device: "device1"},
+				{Request: "request2", Driver: "driver.foo.com", Pool: "testNodePool1-abc", Device: "device2", AdminAccess: ptr.To(false)},
+				{Request: "request3", Driver: "driver.foo.com", Pool: "testNodePool2", Device: "device1", AdminAccess: ptr.To(true)},
+			},
+		},
+	}
+	singleNodeAllocationOnlyAdminAccess := &resourceapi.AllocationResult{
+		NodeSelector: &apiv1.NodeSelector{NodeSelectorTerms: []apiv1.NodeSelectorTerm{{
+			MatchFields: []apiv1.NodeSelectorRequirement{
+				{Key: "metadata.name", Operator: apiv1.NodeSelectorOpIn, Values: []string{"testNode"}},
+			}},
+		}},
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{Request: "request1", Driver: "driver.foo.com", Pool: "testNodePool1", Device: "device1", AdminAccess: ptr.To(true)},
+				{Request: "request2", Driver: "driver.foo.com", Pool: "testNodePool2", Device: "device2", AdminAccess: ptr.To(true)},
+			},
+		},
+	}
+	singleNodeAllocationOnlyAdminAccessSanitized := &resourceapi.AllocationResult{
+		NodeSelector: &apiv1.NodeSelector{NodeSelectorTerms: []apiv1.NodeSelectorTerm{{
+			MatchFields: []apiv1.NodeSelectorRequirement{
+				{Key: "metadata.name", Operator: apiv1.NodeSelectorOpIn, Values: []string{"newNode"}},
+			}},
+		}},
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{Request: "request1", Driver: "driver.foo.com", Pool: "testNodePool1", Device: "device1", AdminAccess: ptr.To(true)},
+				{Request: "request2", Driver: "driver.foo.com", Pool: "testNodePool2", Device: "device2", AdminAccess: ptr.To(true)},
+			},
+		},
+	}
+	multipleNodesAllocationOnlyAdminAccess := &resourceapi.AllocationResult{
+		NodeSelector: &apiv1.NodeSelector{NodeSelectorTerms: []apiv1.NodeSelectorTerm{{
+			MatchExpressions: []apiv1.NodeSelectorRequirement{
+				{Key: "someLabel", Operator: apiv1.NodeSelectorOpIn, Values: []string{"val1", "val2"}},
+			}},
+		}},
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{Request: "request1", Driver: "driver.foo.com", Pool: "sharedPool1", Device: "device1", AdminAccess: ptr.To(true)},
+				{Request: "request2", Driver: "driver.foo.com", Pool: "sharedPool1", Device: "device2", AdminAccess: ptr.To(true)},
+			},
+		},
+	}
+	multipleNodesAllocationOnlyAdminAccessSanitized := &resourceapi.AllocationResult{
+		NodeSelector: &apiv1.NodeSelector{NodeSelectorTerms: []apiv1.NodeSelectorTerm{{
+			MatchFields: []apiv1.NodeSelectorRequirement{
+				{Key: "metadata.name", Operator: apiv1.NodeSelectorOpIn, Values: []string{"newNode"}},
+			}},
+		}},
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{Request: "request1", Driver: "driver.foo.com", Pool: "sharedPool1", Device: "device1", AdminAccess: ptr.To(true)},
+				{Request: "request2", Driver: "driver.foo.com", Pool: "sharedPool1", Device: "device2", AdminAccess: ptr.To(true)},
+			},
+		},
+	}
 
 	for _, tc := range []struct {
 		testName         string
@@ -416,6 +497,46 @@ func TestSanitizedPodResourceClaims(t *testing.T) {
 				TestClaimWithPodReservations(TestClaimWithAllocation(newOwnerClaim2, singleNodeAllocationSanitized), newOwner),
 			},
 		},
+		{
+			testName: "adminAccess pod-owned claims are sanitized",
+			claims: []*resourceapi.ResourceClaim{
+				TestClaimWithPodReservations(TestClaimWithAllocation(oldOwnerClaim1, singleNodeAllocationWithAdminAccessRequest), oldOwner),
+				TestClaimWithPodReservations(TestClaimWithAllocation(oldOwnerClaim2, singleNodeAllocationWithAdminAccessRequest), oldOwner),
+			},
+			oldNodeName:      "testNode",
+			newNodeName:      "newNode",
+			oldNodePoolNames: set.New("testNodePool1", "testNodePool2"),
+			wantClaims: []*resourceapi.ResourceClaim{
+				TestClaimWithPodReservations(TestClaimWithAllocation(newOwnerClaim1, singleNodeAllocationWithAdminAccessRequestSanitized), newOwner),
+				TestClaimWithPodReservations(TestClaimWithAllocation(newOwnerClaim2, singleNodeAllocationWithAdminAccessRequestSanitized), newOwner),
+			},
+		},
+		{
+			testName: "pod with multiple claims, one without AdminAccess and one with only AdminAccess",
+			claims: []*resourceapi.ResourceClaim{
+				TestClaimWithPodReservations(TestClaimWithAllocation(oldOwnerClaim1, singleNodeAllocation), oldOwner),
+				TestClaimWithPodReservations(TestClaimWithAllocation(oldOwnerClaim2, singleNodeAllocationOnlyAdminAccess), oldOwner),
+			},
+			oldNodeName:      "testNode",
+			newNodeName:      "newNode",
+			oldNodePoolNames: set.New("testNodePool1", "testNodePool2"),
+			wantClaims: []*resourceapi.ResourceClaim{
+				TestClaimWithPodReservations(TestClaimWithAllocation(newOwnerClaim1, singleNodeAllocationSanitized), newOwner),
+				TestClaimWithPodReservations(TestClaimWithAllocation(newOwnerClaim2, singleNodeAllocationOnlyAdminAccessSanitized), newOwner),
+			},
+		},
+		{
+			testName: "claim available on multiple nodes with all AdminAccess allocations can be sanitized",
+			claims: []*resourceapi.ResourceClaim{
+				TestClaimWithPodReservations(TestClaimWithAllocation(oldOwnerClaim1, multipleNodesAllocationOnlyAdminAccess), oldOwner),
+			},
+			oldNodeName:      "testNode",
+			newNodeName:      "newNode",
+			oldNodePoolNames: set.New("testNodePool1", "testNodePool2"),
+			wantClaims: []*resourceapi.ResourceClaim{
+				TestClaimWithPodReservations(TestClaimWithAllocation(newOwnerClaim1, multipleNodesAllocationOnlyAdminAccessSanitized), newOwner),
+			},
+		},
 	} {
 		t.Run(tc.testName, func(t *testing.T) {
 			claims, err := SanitizedPodResourceClaims(newOwner, oldOwner, tc.claims, nameSuffix, tc.newNodeName, tc.oldNodeName, tc.oldNodePoolNames)

cluster-autoscaler/simulator/dynamicresources/utils/utilization.go

@@ -22,14 +22,15 @@ import (
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/autoscaler/cluster-autoscaler/simulator/framework"
+	"k8s.io/utils/ptr"
 )
 
 // CalculateDynamicResourceUtilization calculates a map of ResourceSlice pool utilization grouped by the driver and pool. Returns
 // an error if the NodeInfo doesn't have all ResourceSlices from a pool.
 func CalculateDynamicResourceUtilization(nodeInfo *framework.NodeInfo) (map[string]map[string]float64, error) {
 	result := map[string]map[string]float64{}
 	claims := nodeInfo.ResourceClaims()
-	allocatedDevices, err := groupAllocatedDevices(claims)
+	allocatedDevices, err := groupAllocatedReservedDevices(claims)
 	if err != nil {
 		return nil, err
 	}
@@ -99,9 +100,10 @@ func getAllDevices(slices []*resourceapi.ResourceSlice) []resourceapi.Device {
 	return devices
 }
 
-// groupAllocatedDevices groups the devices from claim allocations by their driver and pool. Returns an error
-// if any of the claims isn't allocated.
-func groupAllocatedDevices(claims []*resourceapi.ResourceClaim) (map[string]map[string][]string, error) {
+// groupAllocatedReservedDevices groups reserved devices from claim allocations by their driver and pool.
+// If a deviced will not exclusively reserved (i.e. AdminAccess), it will not be included in the result.
+// Returns an error if any of the claims isn't allocated.
+func groupAllocatedReservedDevices(claims []*resourceapi.ResourceClaim) (map[string]map[string][]string, error) {
 	result := map[string]map[string][]string{}
 	for _, claim := range claims {
 		alloc := claim.Status.Allocation
@@ -110,6 +112,11 @@ func groupAllocatedDevices(claims []*resourceapi.ResourceClaim) (map[string]map[
 		}
 
 		for _, deviceAlloc := range alloc.Devices.Results {
+			if ptr.Deref(deviceAlloc.AdminAccess, false) {
+				// Admin access Device allocations don't actually reserve the Device, so they shouldn't be counted towards utilization.
+				continue
+			}
+
 			if result[deviceAlloc.Driver] == nil {
 				result[deviceAlloc.Driver] = map[string][]string{}
 			}