Quota Support
This feature requires support for enforceRole on Marathon groups, found in Marathon v1.9.73 and Mesos v1.9.0 and available starting with DC/OS 2.0.
By default, Marathon does not set enforceRole=true on group creation, and existing semantics are maintained.
See the Upgrade section to upgrade your Kubernetes cluster to the most recent version before continuing.
Strict Mode DC/OS Clusters
For strict mode DC/OS clusters, additional role permissions are required and must be set up before deploying the service.
New Kubernetes cluster in a group with enforceRole=true
A new Kubernetes cluster with the name /dev/kubernetes-cluster will need permissions to the dev role:
dcos security org users grant <service-account> dcos:mesos:master:reservation:role:dev create
Migrating an existing Kubernetes cluster to a quota enforced role.
An existing service with the name /dev/kubernetes-cluster will need permissions to both the dev and dev__kubernetes-cluster-role roles:
dcos security org users grant <service-account> dcos:mesos:master:reservation:role:dev create
dcos security org users grant <service-account> dcos:mesos:master:reservation:role:dev__kubernetes-cluster-role create
dcos security org users grant <service-account> dcos:mesos:master:reservation:role:slave_public/dev__kubernetes-cluster-role create
dcos security org users grant <service-account> dcos:mesos:master:reservation:role:slave_public/dev create
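The two permission sets above, generated from a service name and checked before use, as an added example that is not part of the DC/OS documentation. It assumes, generalising from the single /dev/kubernetes-cluster case on this page, that the quota enforced role is the top-level group and the legacy role is the service path with / replaced by __ plus -role; quota_grants and the account name sa-example are hypothetical.

```shell
#!/bin/sh
# quota_grants MODE SERVICE_ACCOUNT SERVICE_NAME
#   MODE "new":     cluster created in a group with enforceRole=true
#   MODE "migrate": existing cluster moving to the quota enforced role
# Prints the grant commands for review; it does not run them.
quota_grants() {
  mode=$1 account=$2 name=$3

  # Reject anything that could smuggle shell syntax into the printed commands.
  case $account in
    ''|*[!A-Za-z0-9._-]*) echo "invalid service account: $account" >&2; return 1 ;;
  esac
  case $name in
    *//*|*/|*[!A-Za-z0-9/._-]*) echo "invalid service name: $name" >&2; return 1 ;;
    /*/*) ;;   # must live inside a group, e.g. /dev/kubernetes-cluster
    *) echo "service name must be /<group>/<name>: $name" >&2; return 1 ;;
  esac

  path=${name#/}
  group_role=${path%%/*}                                  # assumption: top-level group
  legacy_role="$(printf '%s' "$path" | sed 's|/|__|g')-role"  # assumption: SDK-style name

  case $mode in
    new)     roles="$group_role" ;;
    migrate) roles="$group_role $legacy_role slave_public/$legacy_role slave_public/$group_role" ;;
    *) echo "mode must be 'new' or 'migrate'" >&2; return 1 ;;
  esac

  # Only the roles listed for the chosen mode are granted, nothing broader.
  for r in $roles; do
    printf 'dcos security org users grant %s dcos:mesos:master:reservation:role:%s create\n' \
      "$account" "$r"
  done
}

# Constructed sample invocation (sa-example is a placeholder account name).
quota_grants migrate sa-example /dev/kubernetes-cluster
```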
Deploy new Kubernetes cluster in a group with quota enabled
To create a Kubernetes cluster named /dev/kubernetes-cluster in group dev with quota consumed from role dev, create a group with enforceRole enabled:
cat > create-group.json <<EOF
{
"id":"/dev",
"enforceRole":true
}
EOF
Create Marathon group:
dcos marathon group add create-group.json
Populate the Kubernetes cluster options:
cat > kubernetes-cluster-dev-options.json <<EOF
{
"service":{
"name":"/dev/kubernetes-cluster"
}
}
EOF
Create Kubernetes cluster.
dcos kubernetes cluster create --yes --options=kubernetes-cluster-dev-options.json
Ensure the Kubernetes SDK scheduler and pods have been launched under the dev role via the Mesos UI.
Migrate an existing cluster to use Quota support
To upgrade an existing cluster to a new version with quota support, use the following procedure.
- See the Upgrade section to upgrade your Kubernetes cluster to the most recent version before continuing.
- Create a file with the current Kubernetes cluster name and the following additional options:
cat > kubernetes-cluster-dev-options.json <<EOF
{
"service":{
"name":"/dev/kubernetes-cluster",
"role": "dev",
"enable_role_migration": true
}
}
EOF
role specifies the quota enforced role we are migrating towards, which is dev in this example.
enable_role_migration notifies the scheduler that its pods will be migrated between legacy and quota enforced roles. The scheduler subscribes with both roles when this flag is set.
- Update the scheduler to use the quota enforced role.
dcos kubernetes cluster update --options=kubernetes-cluster-dev-options.json
At this point, the scheduler will be upgraded and will use quota from the dev role. The deployed pods will be unaffected and will use their previous roles.
- Issue pod replace commands to migrate all the pods in the service to the quota enforced role.
dcos kubernetes cluster debug pod replace etcd-0
dcos kubernetes cluster debug pod replace kube-control-plane-0
dcos kubernetes cluster debug pod replace kube-node-0
The pods will be migrated to consume quota from dev.
- Create a file with the current Kubernetes cluster name and the following options to signal the end of the migration:
cat > kubernetes-cluster-dev-disable-migration.json<<EOF
{
"service":{
"name":"/dev/kubernetes-cluster",
"role": "dev",
"enable_role_migration": false
}
}
EOF
Update the scheduler to stop subscribing to the legacy role.
dcos kubernetes cluster update --yes --options=kubernetes-cluster-dev-disable-migration.json
At this point, the scheduler and all the previously running pods have been migrated to the quota enforced role. Ensure the SDK scheduler and pods have been launched under the dev role via the Mesos UI.