我的书签
添加书签
移除书签Placing pods relative to other pods using affinity and anti-affinity rules
Affinity is a property of pods that controls the nodes on which they prefer to be scheduled. Anti-affinity is a property of pods that prevents a pod from being scheduled on a node.
In OKD, pod affinity and pod anti-affinity allow you to constrain which nodes your pod is eligible to be scheduled on based on the key-value labels on other pods.
Understanding pod affinity
Pod affinity and pod anti-affinity allow you to constrain which nodes your pod is eligible to be scheduled on based on the key/value labels on other pods.
Pod affinity can tell the scheduler to locate a new pod on the same node as other pods if the label selector on the new pod matches the label on the current pod.
Pod anti-affinity can prevent the scheduler from locating a new pod on the same node as pods with the same labels if the label selector on the new pod matches the label on the current pod.
For example, using affinity rules, you could spread or pack pods within a service or relative to pods in other services. Anti-affinity rules allow you to prevent pods of a particular service from scheduling on the same nodes as pods of another service that are known to interfere with the performance of the pods of the first service. Or, you could spread the pods of a service across nodes, availability zones, or availability sets to reduce correlated failures.
A label selector might match pods with multiple pod deployments. Use unique combinations of labels when configuring anti-affinity rules to avoid matching pods. |
There are two types of pod affinity rules: required and preferred.
Required rules must be met before a pod can be scheduled on a node. Preferred rules specify that, if the rule is met, the scheduler tries to enforce the rules, but does not guarantee enforcement.
Depending on your pod priority and preemption settings, the scheduler might not be able to find an appropriate node for a pod without violating affinity requirements. If so, a pod might not be scheduled. To prevent this situation, carefully configure pod affinity with equal-priority pods. |
You configure pod affinity/anti-affinity through the Pod spec files. You can specify a required rule, a preferred rule, or both. If you specify both, the node must first meet the required rule, then attempts to meet the preferred rule.
The following example shows a Pod spec configured for pod affinity and anti-affinity.
In this example, the pod affinity rule indicates that the pod can schedule onto a node only if that node has at least one already-running pod with a label that has the key security and value S1. The pod anti-affinity rule says that the pod prefers to not schedule onto a node if that node is already running a pod with label having key security and value S2.
Sample Pod config file with pod affinity
apiVersion: v1kind: Podmetadata:name: with-pod-affinityspec:affinity:podAffinity: (1)requiredDuringSchedulingIgnoredDuringExecution: (2)- labelSelector:matchExpressions:- key: security (3)operator: In (4)values:- S1 (3)topologyKey: topology.kubernetes.io/zonecontainers:- name: with-pod-affinityimage: docker.io/ocpqe/hello-pod
| 1 | Stanza to configure pod affinity. |
| 2 | Defines a required rule. |
| 3 | The key and value (label) that must be matched to apply the rule. |
| 4 | The operator represents the relationship between the label on the existing pod and the set of values in the matchExpression parameters in the specification for the new pod. Can be In, NotIn, Exists, or DoesNotExist. |
Sample Pod config file with pod anti-affinity
apiVersion: v1kind: Podmetadata:name: with-pod-antiaffinityspec:affinity:podAntiAffinity: (1)preferredDuringSchedulingIgnoredDuringExecution: (2)- weight: 100 (3)podAffinityTerm:labelSelector:matchExpressions:- key: security (4)operator: In (5)values:- S2topologyKey: kubernetes.io/hostnamecontainers:- name: with-pod-affinityimage: docker.io/ocpqe/hello-pod
| 1 | Stanza to configure pod anti-affinity. |
| 2 | Defines a preferred rule. |
| 3 | Specifies a weight for a preferred rule. The node with the highest weight is preferred. |
| 4 | Description of the pod label that determines when the anti-affinity rule applies. Specify a key and value for the label. |
| 5 | The operator represents the relationship between the label on the existing pod and the set of values in the matchExpression parameters in the specification for the new pod. Can be In, NotIn, Exists, or DoesNotExist. |
If labels on a node change at runtime such that the affinity rules on a pod are no longer met, the pod continues to run on the node. |
Configuring a pod affinity rule
The following steps demonstrate a simple two-pod configuration that creates pod with a label and a pod that uses affinity to allow scheduling with that pod.
You cannot add an affinity directly to a scheduled pod. |
Procedure
Create a pod with a specific label in the pod spec:
Create a YAML file with the following content:
apiVersion: v1kind: Podmetadata:name: security-s1labels:security: S1spec:containers:- name: security-s1image: docker.io/ocpqe/hello-pod
Create the pod.
$ oc create -f <pod-spec>.yaml
When creating other pods, configure the following parameters to add the affinity:
Create a YAML file with the following content:
apiVersion: v1kind: Podmetadata:name: security-s1-east#...specaffinity (1)podAffinity:requiredDuringSchedulingIgnoredDuringExecution: (2)- labelSelector:matchExpressions:- key: security (3)values:- S1operator: In (4)topologyKey: topology.kubernetes.io/zone (5)#...
1 Adds a pod affinity. 2 Configures the requiredDuringSchedulingIgnoredDuringExecutionparameter or thepreferredDuringSchedulingIgnoredDuringExecutionparameter.3 Specifies the keyandvaluesthat must be met. If you want the new pod to be scheduled with the other pod, use the samekeyandvaluesparameters as the label on the first pod.4 Specifies an operator. The operator can beIn,NotIn,Exists, orDoesNotExist. For example, use the operatorInto require the label to be in the node.5 Specify a topologyKey, which is a prepopulated Kubernetes label that the system uses to denote such a topology domain.Create the pod.
$ oc create -f <pod-spec>.yaml
Configuring a pod anti-affinity rule
The following steps demonstrate a simple two-pod configuration that creates pod with a label and a pod that uses an anti-affinity preferred rule to attempt to prevent scheduling with that pod.
You cannot add an affinity directly to a scheduled pod. |
Procedure
Create a pod with a specific label in the pod spec:
Create a YAML file with the following content:
apiVersion: v1kind: Podmetadata:name: security-s1labels:security: S1spec:containers:- name: security-s1image: docker.io/ocpqe/hello-pod
Create the pod.
$ oc create -f <pod-spec>.yaml
When creating other pods, configure the following parameters:
Create a YAML file with the following content:
apiVersion: v1kind: Podmetadata:name: security-s2-east#...specaffinity (1)podAntiAffinity:preferredDuringSchedulingIgnoredDuringExecution: (2)- weight: 100 (3)podAffinityTerm:labelSelector:matchExpressions:- key: security (4)values:- S1operator: In (5)topologyKey: kubernetes.io/hostname (6)#...
1 Adds a pod anti-affinity. 2 Configures the requiredDuringSchedulingIgnoredDuringExecutionparameter or thepreferredDuringSchedulingIgnoredDuringExecutionparameter.3 For a preferred rule, specifies a weight for the node, 1-100. The node that with highest weight is preferred. 4 Specifies the keyandvaluesthat must be met. If you want the new pod to not be scheduled with the other pod, use the samekeyandvaluesparameters as the label on the first pod.5 Specifies an operator. The operator can beIn,NotIn,Exists, orDoesNotExist. For example, use the operatorInto require the label to be in the node.6 Specifies a topologyKey, which is a prepopulated Kubernetes label that the system uses to denote such a topology domain.Create the pod.
$ oc create -f <pod-spec>.yaml
Sample pod affinity and anti-affinity rules
The following examples demonstrate pod affinity and pod anti-affinity.
Pod Affinity
The following example demonstrates pod affinity for pods with matching labels and label selectors.
The pod team4 has the label
team:4.apiVersion: v1kind: Podmetadata:name: team4labels:team: "4"#...spec:containers:- name: ocpimage: docker.io/ocpqe/hello-pod#...
The pod team4a has the label selector
team:4underpodAffinity.apiVersion: v1kind: Podmetadata:name: team4a#...spec:affinity:podAffinity:requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:matchExpressions:- key: teamoperator: Invalues:- "4"topologyKey: kubernetes.io/hostnamecontainers:- name: pod-affinityimage: docker.io/ocpqe/hello-pod#...
The team4a pod is scheduled on the same node as the team4 pod.
Pod Anti-affinity
The following example demonstrates pod anti-affinity for pods with matching labels and label selectors.
The pod pod-s1 has the label
security:s1.apiVersion: v1kind: Podmetadata:name: pod-s1labels:security: s1#...spec:containers:- name: ocpimage: docker.io/ocpqe/hello-pod#...
The pod pod-s2 has the label selector
security:s1underpodAntiAffinity.apiVersion: v1kind: Podmetadata:name: pod-s2#...spec:affinity:podAntiAffinity:requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:matchExpressions:- key: securityoperator: Invalues:- s1topologyKey: kubernetes.io/hostnamecontainers:- name: pod-antiaffinityimage: docker.io/ocpqe/hello-pod#...
The pod pod-s2 cannot be scheduled on the same node as
pod-s1.
Pod Affinity with no Matching Labels
The following example demonstrates pod affinity for pods without matching labels and label selectors.
The pod pod-s1 has the label
security:s1.apiVersion: v1kind: Podmetadata:name: pod-s1labels:security: s1#...spec:containers:- name: ocpimage: docker.io/ocpqe/hello-pod#...
The pod pod-s2 has the label selector
security:s2.apiVersion: v1kind: Podmetadata:name: pod-s2#...spec:affinity:podAffinity:requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:matchExpressions:- key: securityoperator: Invalues:- s2topologyKey: kubernetes.io/hostnamecontainers:- name: pod-affinityimage: docker.io/ocpqe/hello-pod#...
The pod pod-s2 is not scheduled unless there is a node with a pod that has the
security:s2label. If there is no other pod with that label, the new pod remains in a pending state:Example output
NAME READY STATUS RESTARTS AGE IP NODEpod-s2 0/1 Pending 0 32s <none>
Using pod affinity and anti-affinity to control where an Operator is installed
By default, when you install an Operator, OKD installs the Operator pod to one of your worker nodes randomly. However, there might be situations where you want that pod scheduled on a specific node or set of nodes.
The following examples describe situations where you might want to schedule an Operator pod to a specific node or set of nodes:
If an Operator requires a particular platform, such as
amd64orarm64If an Operator requires a particular operating system, such as Linux or Windows
If you want Operators that work together scheduled on the same host or on hosts located on the same rack
If you want Operators dispersed throughout the infrastructure to avoid downtime due to network or hardware issues
You can control where an Operator pod is installed by adding a pod affinity or anti-affinity to the Operator’s Subscription object.
The following example shows how to use pod anti-affinity to prevent the installation the Custom Metrics Autoscaler Operator from any node that has pods with a specific label:
Pod affinity example that places the Operator pod on one or more specific nodes
apiVersion: operators.coreos.com/v1alpha1kind: Subscriptionmetadata:name: openshift-custom-metrics-autoscaler-operatornamespace: openshift-kedaspec:name: my-packagesource: my-operatorssourceNamespace: operator-registriesconfig:affinity:podAffinity: (1)requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:matchExpressions:- key: appoperator: Invalues:- testtopologyKey: kubernetes.io/hostname#...
| 1 | A pod affinity that places the Operator’s pod on a node that has pods with the app=test label. |
Pod anti-affinity example that prevents the Operator pod from one or more specific nodes
apiVersion: operators.coreos.com/v1alpha1kind: Subscriptionmetadata:name: openshift-custom-metrics-autoscaler-operatornamespace: openshift-kedaspec:name: my-packagesource: my-operatorssourceNamespace: operator-registriesconfig:affinity:podAntiAffinity: (1)requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:matchExpressions:- key: cpuoperator: Invalues:- hightopologyKey: kubernetes.io/hostname#...
| 1 | A pod anti-affinity that prevents the Operator’s pod from being scheduled on a node that has pods with the cpu=high label. |
Procedure
To control the placement of an Operator pod, complete the following steps:
Install the Operator as usual.
If needed, ensure that your nodes are labeled to properly respond to the affinity.
Edit the Operator
Subscriptionobject to add an affinity:apiVersion: operators.coreos.com/v1alpha1kind: Subscriptionmetadata:name: openshift-custom-metrics-autoscaler-operatornamespace: openshift-kedaspec:name: my-packagesource: my-operatorssourceNamespace: operator-registriesconfig:affinity:podAntiAffinity: (1)requiredDuringSchedulingIgnoredDuringExecution:podAffinityTerm:labelSelector:matchExpressions:- key: kubernetes.io/hostnameoperator: Invalues:- ip-10-0-185-229.ec2.internaltopologyKey: topology.kubernetes.io/zone#...
1 Add a podAffinityorpodAntiAffinity.
Verification
To ensure that the pod is deployed on the specific node, run the following command:
$ oc get pods -o wide
Example output
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATEScustom-metrics-autoscaler-operator-5dcc45d656-bhshg 1/1 Running 0 50s 10.131.0.20 ip-10-0-185-229.ec2.internal <none> <none>
