diff --git a/keps/sig-node/3008-cri-class-based-resources/README.md b/keps/sig-node/3008-cri-class-based-resources/README.md index 66a797c58a4e..e7be38b5a7e6 100644 --- a/keps/sig-node/3008-cri-class-based-resources/README.md +++ b/keps/sig-node/3008-cri-class-based-resources/README.md @@ -362,15 +362,15 @@ field, providing per-container setting for class resources. // Configuration specific to Windows containers. WindowsContainerConfig windows = 16; + -+ // Configuration of class resources. -+ ContainerClassResources class_resources = 17; ++ // Configuration of class resources. ++ ContainerClassResources class_resources = 17; } +// ContainerClassResources specifies the configuration of class based +// resources of a container. +message ContainerClassResources { + // Resource classes of the container will be assigned to -+ map class = 1; ++ map classes = 1; +} ``` @@ -407,12 +407,12 @@ Introduce a new field (e.g. class) into ResourceRequirements of Container. ```diff // ResourceRequirements describes the compute resource requirements. type ResourceRequirements struct { - // Limits describes the maximum amount of compute resources allowed. - Limits ResourceList `json:"limits,omitempty" - // Requests describes the minimum amount of compute resources required. - Requests ResourceList `json:"requests,omitempty" -+ // Classes specifies the resource classes that the container should be assigned -+ Classes map[ClassResourceName]string + // Limits describes the maximum amount of compute resources allowed. + Limits ResourceList `json:"limits,omitempty" + // Requests describes the minimum amount of compute resources required. + Requests ResourceList `json:"requests,omitempty" ++ // Classes specifies the resource classes that the container should be assigned ++ Classes map[ClassResourceName]string } +// ClassResourceName is the name of a class-based resource. @@ -448,6 +448,13 @@ resource discovery or access control kubelet does not do any validity checking of the values. Invalid class assignments will cause an error in the container runtime. +Input validation of classes very similar to labels is implemented: keys +(`ClassResourceName`) and values must be non-empty, less than 64 characters +long, must start and end with an alphanumeric character and may contain only +alphanumeric characters, dashes, underscores or dots (`-`, `_` or `.`). +Similar to labels, a namespace prefix (FQDN subdomain separated with a slash) +in the key is allowed, similar to labels, e.g. `vendor/resource`. + ### Container runtimes We have open PRs to implement class-based RDT and blockio support in CRI-O and @@ -662,19 +669,19 @@ If class resources were advertised in node status (similar to other resources), access control could be achieved e.g. by extending ResourceQuotaSpec which would implement restrictions based on the namespace. ```diff -// ResourceQuotaSpec defines the desired hard limits to enforce for Quota. -type ResourceQuotaSpec struct { - // hard is the set of desired hard limits for each named resource. - Hard ResourceList - // A collection of filters that must match each object tracked by a quota. - // If not specified, the quota matches all objects. - Scopes []ResourceQuotaScope - // scopeSelector is also a collection of filters like scopes that must match each - // object tracked by a quota but expressed using ScopeSelectorOperator in combination - // with possible values. - ScopeSelector *ScopeSelector -+ // AllowedClasses specifies the list of allowed classes for each class-based resource -+ AllowedClasses map[ClassResourceName]ResourceClassList + // ResourceQuotaSpec defines the desired hard limits to enforce for Quota. + type ResourceQuotaSpec struct { + // hard is the set of desired hard limits for each named resource. + Hard ResourceList + // A collection of filters that must match each object tracked by a quota. + // If not specified, the quota matches all objects. + Scopes []ResourceQuotaScope + // scopeSelector is also a collection of filters like scopes that must match each + // object tracked by a quota but expressed using ScopeSelectorOperator in combination + // with possible values. + ScopeSelector *ScopeSelector ++ // AllowedClasses specifies the list of allowed classes for each class-based resource ++ AllowedClasses map[ClassResourceName]ResourceClassList } +// ResourceClassList is a list of classes of a specific type of class-based resource.