Add Windows VMs vCPU overcommit prevention VAP

[jcanocan]

What type of PR is this?

Feature

What this PR does / why we need it?

It is required to enable some sort of protection in Windows based VMs to prevent them to overcommit vCPUs. To achieve this, it is assumed that CPUmanager is enabled on, and only on, Windows Licensed nodes. This is due to the fact that, during the scheduling process, any VM with spec.domain.cpu.dedicatedCpuPlacement will be assigned to nodes with cpumanager feature enabled. Therefore, the scheduler will effectively assign those VMs to Windows Licensed nodes. Moreover, if the VM does not overcommit, vCPUs will be allowed to run.

This approach has the following drawbacks as it is:

• All Windows VMs created with supported workflows will be required to no overcommit vCPUs.
• It does not prevent users to manually create their own custom Windows VM manifest/preference and overcommit vCPUs.
• User will be still allowed to schedule non-windows VMs overcommitting CPUs to Windows Licensed nodes.

Which Jira/Github issue(s) this PR fixes?

Fixes #

Special notes for your reviewer:

Pre-checks (if applicable):

• Tested latest changes against a cluster

• Included documentation changes with PR

• If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

  matchExpressions:
  - key: api.openshift.com/fedramp
    operator: NotIn
    values: ["true"]

[app-sre-bot]

Can one of the admins verify this patch?

[openshift-ci]

Hi @jcanocan. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dominikholler]

spec.domain.cpu.dedicatedCpuPlacement is quite low level. Can we point the user to an instancetype to use? If there is no instancetype available yet, let's create one

[jcanocan]

Yes, we can also follow that path. Great idea. In such case, the drawbacks will still apply. However, we will have a 100% supported way of creating Windows VMs, which is a nice advantage compared with my orginal proposal.

[jcanocan]

After thinking about this twice, if we want to follow this idea, we should force the user to pick up specific preferences for the supported Windows versions. We can include them in the common-instancetypes repo or here, whatever we find more appropriated. This will allow the user to have different windows sizes by using the different instance types we currently provide.

[dominikholler]

sounds worth a try!

[jcanocan]

Added an approximation of what it could look like, it is still required to add further preferences for all supported windows versions.

[BraeTroutman]

should this key be set explicitly to a non-empty value or is the key with no value valid configuration?

[jcanocan]

Sorry for the late reply. No it does not, removed.

[BraeTroutman]

no worries! Thanks Javier

[jcanocan]

@ksimon1 many thanks for your reviews! Much appreciated :)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jcanocan
Once this PR has been reviewed and has the lgtm label, please assign robotmaxtron for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ksimon1]

missing new line at the end of file

[jcanocan]

Fixed