Skip to content

feat(admission-controller): separate CPU/Memory requests and limits for Auto-Instrumentation Init Containers #41048

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
puretension wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(admission-controller): separate CPU/Memory requests and limits for Auto-Instrumentation Init Containers #41048

puretension wants to merge 4 commits into from

Conversation

@puretension
Copy link

@puretension puretension commented Sep 18, 2025

What does this PR do?

Adds support for separate CPU/Memory requests and limits for auto-instrumentation init containers by introducing 4 new environment variables:

  • DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_REQUESTS_CPU
  • DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_REQUESTS_MEMORY
  • DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_LIMITS_CPU
  • DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_LIMITS_MEMORY

This allows independent configuration of requests (for scheduling) and limits (for initialization spikes), while maintaining backward compatibility with existing DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_RESOURCES_* variables.

Motivation

Fixes #38831

The current implementation forces requests = limits for auto-instrumentation init containers, leading to:

  • Over-provisioned init containers: Bad for scheduling, especially with large/complex pods
  • Under-provisioned init containers: Risking OOM or throttling during library initialization

Related issues:

Describe how you validated your changes

  1. Unit Tests: Added TestSeparateRequestsAndLimits to verify configuration parsing and validation logic
  2. Integration Tests: Added TestSeparateRequestsAndLimitsIntegration to test actual pod injection scenarios
  3. Backward Compatibility: All existing tests pass, confirming legacy environment variables still work
  4. Validation Logic: Implemented and tested limits ≥ requests validation with clear error messages

Test coverage includes:

  • Separate requests/limits configuration
  • Legacy configuration (requests = limits)
  • Auto-calculation fallback
  • Validation error cases

Additional Notes

  • Backward Compatible: Existing configurations continue to work unchanged
  • Priority Logic: New variables → Legacy variables → Auto-calculation
  • Kubernetes Best Practices: Aligns with standard requests ≠ limits pattern
  • Release Note: Added comprehensive reno release note explaining the new feature

@puretension puretension requested review from a team as code owners September 18, 2025 14:26
@puretension
feat(admission-controller): separate CPU/Memory requests and limits f…
b66f82c 
…or auto-instrumentation init containers

Add support for separate CPU/Memory requests and limits for auto-instrumentation init containers using new environment variables:

- DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_REQUESTS_CPU
- DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_REQUESTS_MEMORY
- DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_LIMITS_CPU
- DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_INIT_LIMITS_MEMORY

This resolves OOMKilled issues while maintaining scheduling efficiency by allowing low requests for scheduling and higher limits for initialization spikes.

Fixes DataDog#38831
@puretension puretension force-pushed the feat/separate-init-container-requests-limits-38831 branch from 30be358 to b66f82c Compare September 18, 2025 14:36
hush-hush
hush-hush requested changes Oct 24, 2025
View reviewed changes
@puretension
fix: use BindEnvAndSetDefault for init container resource configs
04c93ed 
Replace BindEnv with BindEnvAndSetDefault for admission controller
auto-instrumentation init container resource configurations to provide
explicit types and default values as requested in code review.

Signed-off-by: puretension <[email protected]>
@puretension puretension changed the title feat(admission-controller): separate CPU/Memory requests and limits f… feat(admission-controller): separate CPU/Memory requests and limits for Auto-Instrumentation Init Containers Oct 28, 2025
@puretension
Copy link
Author

puretension commented Oct 28, 2025

Hi @hush-hush! Thank you for approving the PR 🙏

There's a conflict in pkg/config/setup/config.go that needs to be resolved.
Would it be okay if I resolve the conflict?

zhuminyi
zhuminyi reviewed Oct 28, 2025
View reviewed changes
pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation.go Outdated

// If neither requests nor limits are configured, use auto-calculation
if _, hasReq := conf.requests[k]; !hasReq {
if _, hasLim := conf.limits[k]; !hasLim {
Copy link
Contributor

@zhuminyi zhuminyi Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only auto-calculates when BOTH requests AND limits are missing. What if user only sets one value? Can you clarify in the comment or doc for this case.

zhuminyi
zhuminyi reviewed Oct 28, 2025
View reviewed changes
pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation.go Outdated
// We don't support other resources
requirements.Limits[k] = maxPodLim
}
if maxPodReq, ok := podRequirements.Requests[k]; ok {
Copy link
Contributor

@zhuminyi zhuminyi Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we move this part outsides of current !hasLim condition?

@puretension
fix: separate requests and limits auto-calculation logic
ac8cd17 
Address zhuminyi's review feedback:
- Remove nested conditions that only auto-calculated when BOTH requests AND limits were missing
- Move requests processing outside of !hasLim condition to handle them independently
- Now each resource (requests/limits) is auto-calculated independently when not configured

This allows users to set only requests OR only limits, with the other being auto-calculated.

Signed-off-by: puretension <[email protected]>
@puretension
Copy link
Author

puretension commented Oct 28, 2025
edited
Loading

Thank you for the sharp feedback @zhuminyi.
I've updated the logic to handle requests and limits independently:

  • Previously the nested conditions only auto-calculated when BOTH were missing, but now each resource is handled separately. If a user sets only requests, limits will be auto-calculated, and vice versa.
  • I also moved the requests processing outside of the !hasLim condition as you suggested, so they're now processed in completely independent blocks.

This makes the behavior much clearer and more flexible for users who want to configure only one of the two values.
Please let me know if you spot any other issues or edge cases I should consider.

@wdhif wdhif removed the team/container-platform The Container Platform Team label Nov 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hush-hush hush-hush hush-hush approved these changes

@zhuminyi zhuminyi zhuminyi approved these changes

@rtrieu rtrieu rtrieu approved these changes

@rahulkaukuntla rahulkaukuntla rahulkaukuntla approved these changes

Assignees

No one assigned

Labels

community team/injection-platform

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Separate CPU/Memory Requests and Limits for Auto-Instrumentation Init Containers

6 participants

@puretension @hush-hush @zhuminyi @rtrieu @rahulkaukuntla @wdhif