Assign Node Labels
Assigning node labels to namespaces through the YAML configuration secures them from being shared with other namespaces on worker clusters.
A critical application running on a slice can be configured to have its deployments on predefined nodes on a cluster without sharing the nodes with different applications. This is required to avoid security and cluster multi-tenancy issues such as:
- Deployments in application namespaces onboarded onto a slice are placed on the cluster nodes arbitrarily. Sometimes the nodes on which these deployments run are shared with other applications and become vulnerable to issues such as denial of service and resource evasion.
- This can also become a security issue when an application with sensitive data runs on a node that is shared with others, or when an application cannot go long without access to the CPU.
- Setting limits and requests does not prevent utilization of common node resources such as network interfaces, SSD drives, and GPUs. These resources do not fit under the scope of the Kubernetes resource quota.
Benefits
- Assigning node labels creates node affinity that allows pods of namespaces to be placed on a node or group of nodes with the same node label. Node affinity restricts the pods of namespaces to specific nodes with the same labels.
- Node Affinity helps in effective management of common node resources such as network interfaces, SSD drives, and GPUs.
- It helps in eliminating security issues by isolating the labeled nodes with applications running on a slice from other nodes on the worker clusters.
Node Label Configuration Parameters
The following tables describe the configuration parameters used to assign node labels in the assign-node-labels YAML file.
Parameter | Parameter Type | Description | Required |
---|---|---|---|
apiVersion | String | The KubeSlice Controller API version. A set of resources that are exposed together, along with the version. The value must be controller.kubeslice.io/v1alpha1. | Mandatory |
kind | String | The name of a particular object schema. The value must be SliceNodeAffinity. | Mandatory |
metadata | Object | The metadata describes parameters (names and types) and attributes that have been applied. | Mandatory |
spec | Object | The specification of the desired state of an object. | Mandatory |
Node Label Metadata Parameters
Parameter | Parameter Type | Description | Required |
---|---|---|---|
name | String | The name of the node label object for a slice. | Mandatory |
Node Label Spec Parameters
The following tables describe the configuration spec parameters used to assign node labels in the assign-node-labels YAML file.
Parameter | Parameter Type | Description | Required |
---|---|---|---|
nodeAffinityProfiles | Object | This defines the node affinity profile for the slice. | Mandatory |
Node Affinity Profile Parameters
Parameter | Parameter Type | Description | Required |
---|---|---|---|
cluster | String | The cluster in the slice to which this node affinity rule applies. To assign node labels to a namespace of all the worker clusters, add an asterisk (*) as the value of this property. | Mandatory |
nodeAffinityRules | Object | These rules define the node affinity profile for the slice. | Mandatory |
Node Affinity Rules Parameters
Parameter | Parameter Type | Description | Required |
---|---|---|---|
namespace | String | The namespace in the slice to which the node affinity rules apply. To assign node labels to all the namespaces of a worker cluster, add an asterisk (*) as the value of this property. | Mandatory |
nodeSelectorLabels | Object | This object defines the label selectors to select nodes for assigning to pods. It contains values, a key, and an operator that relates the key and values. | Mandatory |
Node Selector Labels Parameters
Parameter | Parameter Type | Description | Required |
---|---|---|---|
key | String | The label key that the selector applies to. | Mandatory |
operator | String | This represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt. | Mandatory |
values | Array of Strings | This is an array of string values. If the operator is In or NotIn, the values must not be empty. If the operator is Exists or DoesNotExist, the values must be empty. If the operator is Gt or Lt, the values array must have a single value, which will be interpreted as an integer. | Mandatory |
Create Assign Node Label YAML
You can selectively assign node labels to run applications on a slice and namespaces and restrict the nodes from being shared with other applications.
Create the following assign-nodes.yaml file to assign node labels to slice and namespaces.
apiVersion: controller.kubeslice.io/v1alpha1
kind: SliceNodeAffinity
metadata:
  name: red
spec:
  nodeAffinityProfiles:
    # worker-1: only the iperf namespace is restricted to the labeled nodes
    - cluster: worker-1
      nodeAffinityRules:
        - namespace: iperf
          nodeSelectorLabels:
            - key: beta.kubernetes.io/os
              operator: In
              values:
                - linux
            - key: cloud.google.com/gke-boot-disk
              operator: In
              values:
                - pd-standard
    # worker-2: "*" applies the rule to all namespaces of this worker cluster
    - cluster: worker-2
      nodeAffinityRules:
        - namespace: "*"
          nodeSelectorLabels:
            - key: beta.kubernetes.io/os
              operator: In
              values:
                - linux
            - key: cloud.google.com/gke-boot-disk
              operator: In
              values:
                - pd-standard
            - key: beta.kubernetes.io/arch
              operator: In
              values:
                - amd64
In the above configuration, application pods belonging to the iperf namespace will be placed on nodes that have the beta.kubernetes.io/os=linux and cloud.google.com/gke-boot-disk=pd-standard labels assigned to them.
To assign node labels to a namespace of all the worker clusters, add an asterisk (*) as the value of the cluster property.
Similarly, to assign node labels to all namespaces of a worker cluster, add an asterisk (*) as the value of the namespace property.
Ensure that the nodes are correctly labeled on the worker clusters. If nodes matching the labels configured under node affinity rules are not found, the Kubernetes scheduler places the application pods in the Pending state.
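The following is an added example, not KubeSlice code: a preflight check that applies the operator and values rules from the Node Selector Labels Parameters table and then lists the nodes that satisfy every selector, so an empty result flags a rule that would leave pods in the Pending state. The node names, the gpu-count label and the function names are constructed for illustration; selectors under one rule are treated as all-required, as in the iperf description above, and operator matching follows standard Kubernetes node-selector behaviour.

```python
# Added example (not KubeSlice code). SELECTOR mirrors the worker-1 rule on
# this page; NODES is constructed sample data (node name -> labels).
SELECTOR = [
    {"key": "beta.kubernetes.io/os", "operator": "In", "values": ["linux"]},
    {"key": "cloud.google.com/gke-boot-disk", "operator": "In", "values": ["pd-standard"]},
]
NODES = {
    "node-a": {"beta.kubernetes.io/os": "linux", "cloud.google.com/gke-boot-disk": "pd-standard"},
    "node-b": {"beta.kubernetes.io/os": "linux", "cloud.google.com/gke-boot-disk": "pd-ssd"},
    "node-c": {"beta.kubernetes.io/os": "windows", "gpu-count": "4"},
}

def validate(selector):
    """Return violations of the operator/values rules from the parameter table."""
    errors = []
    for i, s in enumerate(selector):
        op, vals = s.get("operator"), s.get("values") or []
        if op in ("In", "NotIn"):
            ok = len(vals) > 0
        elif op in ("Exists", "DoesNotExist"):
            ok = len(vals) == 0
        elif op in ("Gt", "Lt"):
            ok = len(vals) == 1 and str(vals[0]).lstrip("-").isdigit()
        else:
            ok = False
        if not ok:
            errors.append(f"selector {i} ({s.get('key')}): bad operator/values for {op!r}")
    return errors

def matches(labels, s):
    """Evaluate one selector against a node's labels."""
    key, op, vals = s["key"], s["operator"], s.get("values") or []
    if op in ("In", "NotIn"):
        return (labels.get(key) in vals) == (op == "In")
    if op in ("Exists", "DoesNotExist"):
        return (key in labels) == (op == "Exists")
    try:  # Gt / Lt: compare the label value as an integer
        have, want = int(labels[key]), int(vals[0])
    except (KeyError, ValueError):
        return False
    return have > want if op == "Gt" else have < want

def eligible_nodes(selector, nodes):
    """Nodes satisfying every selector; an empty list means pods stay Pending."""
    problems = validate(selector)
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(n for n, lab in nodes.items() if all(matches(lab, s) for s in selector))
```

To run it against a real worker cluster, replace NODES with the label maps from `kubectl get nodes -o json` (each item's `metadata.labels`).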
Apply Assign Node Labels YAML
Apply the node label assignment configuration YAML file using the following command:
kubectl apply -f assign-nodes.yaml -n <project namespace>
Validate Assignment of Node Labels
Validate the assignment of node labels using the following command:
kubectl get slicenodeaffinity.controller.kubeslice.io -n kubeslice-<project-name>
Example
kubectl get slicenodeaffinity.controller.kubeslice.io -n kubeslice-avesha
Expected Output
NAME AGE
red 4s
Edit Assignment of Node Labels
To edit the node label assignment of namespaces, update the configuration in the YAML file and:
Remove Assignment of Node Labels
To remove all assigned node labels from a slice, use the following command:
kubectl delete slicenodeaffinity.controller.kubeslice.io <name-of-the-slice> -n kubeslice-<project-name>