Skip to content

enable nested virt & set single process oom kill #8672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

enable nested virt & set single process oom kill #8672

wants to merge 1 commit into from
+66 −77

Conversation

upodroid
Copy link
Member

@upodroid upodroid commented Oct 20, 2025
edited
Loading

More immediate version of #8600
Fixes: #800

Before this change is applied:

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 20, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 20, 2025
@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/gcp Issues or PRs related to Kubernetes GCP infrastructure area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Oct 20, 2025
@upodroid upodroid added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 20, 2025
@k8s-infra-ci-robot
Copy link
Contributor

Ran Plan for dir: infra/gcp/terraform/k8s-infra-prow-build workspace: default

Plan Error

Show Output 
running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8672/default/infra/gcp/terraform/k8s-infra-prow-build': exit status 1
Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Upgrading modules...
Downloading registry.terraform.io/terraform-google-modules/iam/google 8.2.0 for iam...
- iam in .terraform/modules/iam/modules/projects_iam
- iam.helper in .terraform/modules/iam/modules/helper
- project in ../modules/gke-project
- prow_build_cluster in ../modules/gke-cluster
- prow_build_nodepool_c4_highmem_8_localssd in ../modules/gke-nodepool
- prow_build_nodepool_c4a_highmem_8_localssd in ../modules/gke-nodepool
- prow_build_nodepool_c4d_highmem_8_localssd in ../modules/gke-nodepool
- workload_identity_service_accounts in ../modules/workload-identity-service-account
Initializing provider plugins...
- Finding hashicorp/google versions matching ">= 3.53.0, >= 6.31.0, ~> 6.31.0, ~> 7.7.0, < 8.0.0"...
- Finding hashicorp/google-beta versions matching ">= 6.31.0, ~> 6.31.0, ~> 7.7.0"...
- Finding latest version of hashicorp/local...
- Installing hashicorp/local v2.5.3...
- Installed hashicorp/local v2.5.3 (signed by HashiCorp)
╷
│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider
│ hashicorp/google: no available releases match the given constraints >=
│ 3.53.0, >= 6.31.0, ~> 6.31.0, ~> 7.7.0, < 8.0.0
│ 
│ To see which modules are currently depending on hashicorp/google and what
│ versions are specified, run the following command:
│     terraform providers
╵
╷
│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider
│ hashicorp/google-beta: no available releases match the given constraints >=
│ 6.31.0, ~> 6.31.0, ~> 7.7.0
│ 
│ To see which modules are currently depending on hashicorp/google-beta and
│ what versions are specified, run the following command:
│     terraform providers
╵

BenTheElder
BenTheElder reviewed Oct 20, 2025
View reviewed changes
infra/gcp/terraform/k8s-infra-prow-build/main.tf
machine_type = "c4-highmem-8-lssd"
disk_size_gb = 100
disk_type = "hyperdisk-balanced"
enable_nested_virtualization = true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the use case? Nested virt can have poor performance, create noise for neighbors, and we need to make sure the VMs are not leaked ...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is an example, trying to enable workflows like these in prow.
https://github.com/kubernetes/kops/blob/master/.github/workflows/e2e.yml

https://github.com/kubernetes/kops/actions/runs/18663330367/job/53208805245

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK, in kind we also use actions for this, which is mostly ~fine.

@upodroid upodroid mentioned this pull request Oct 20, 2025
Merged
@BenTheElder
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 20, 2025
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 22, 2025
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-infra-ci-robot
Copy link
Contributor

Ran Plan for dir: infra/gcp/terraform/k8s-infra-prow-build workspace: default

Show Output 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

  # google_vmwareengine_network_peering.gvce_peering will be updated in-place
~ resource "google_vmwareengine_network_peering" "gvce_peering" {
      ~ export_custom_routes_with_public_ip = false -> true
        id                                  = "projects/k8s-infra-prow-build/locations/global/networkPeerings/peer-with-gcve-project"
      ~ import_custom_routes_with_public_ip = false -> true
        name                                = "peer-with-gcve-project"
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
  • ▶️ To apply this plan, comment: 
    atlantis apply -d infra/gcp/terraform/k8s-infra-prow-build
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment: 
    atlantis plan -d infra/gcp/terraform/k8s-infra-prow-build

Plan: 0 to add, 1 to change, 0 to destroy.

  • ⏩ To apply all unapplied plans from this Pull Request, comment: 
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment: 
    atlantis unlock

@upodroid
Copy link
Member Author

/hold cancel

Successfully applied

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alvaroaleman alvaroaleman Awaiting requested review from alvaroaleman

@hakman hakman Awaiting requested review from hakman

@ameukam ameukam Awaiting requested review from ameukam

1 more reviewer

@BenTheElder BenTheElder BenTheElder left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@BenTheElder BenTheElder

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/infra/gcp Issues or PRs related to Kubernetes GCP infrastructure area/infra Infrastructure management, infrastructure design, code in infra/ area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@upodroid @k8s-ci-robot @k8s-infra-ci-robot @BenTheElder