vertical-pod-autoscaler/docs/components.md
The VPA project consists of 3 components:
Recommender - monitors the current and past resource consumption and, based on it, provides recommended values for the containers' cpu and memory requests.
Updater - checks which of the managed pods have correct resources set and, if not, kills them so that they can be recreated by their controllers with the updated requests.
Admission Controller - sets the correct resource requests on new pods (either just created or recreated by their controller due to Updater's activity).
For detailed information about configuration parameters for each component, see the flags documentation.
More on the architecture can be found HERE.
Recommender is the core binary of Vertical Pod Autoscaler system. It computes the recommended resource requests for pods based on historical and current usage of the resources. The current recommendations are put in status of the VPA resource, where they can be inspected.
../deploy/vpa-rbac.yaml.../deploy/recommender-deployment.yaml.The recommender is based on a model of the cluster that it builds in its memory. The model contains Kubernetes resources: Pods, VerticalPodAutoscalers, with their configuration (e.g. labels) as well as other information, e.g. usage data for each container.
After starting the binary, recommender reads the history of running pods and their usage from VerticalPodAutoscalerCheckpoint (or Prometheus) into the model. It then runs in a loop and at each step performs the following actions:
Updater component for Vertical Pod Autoscaler described in the Vertical Pod Autoscaler - design proposal
Updater runs in Kubernetes cluster and decides which pods should be restarted based on resources allocation recommendation calculated by Recommender. If a pod should be updated, Updater will try to evict the pod. It respects the pod disruption budget, by using Eviction API to evict pods. Updater does not perform the actual resources update, but relies on Vertical Pod Autoscaler admission plugin to update pod resources when the pod is recreated after eviction.
Runs in a loop. On one iteration performs:
This is a binary that registers itself as a Mutating Admission Webhook and because of that is on the path of creating all pods. For each pod creation, it will get a request from the apiserver and it will either decide there's no matching VPA configuration or find the corresponding one and use current recommendation to set resource requests in the pod.
--admission-control flag should have MutatingAdmissionWebhook as one of
the values on the list and its --runtime-config flag should include
admissionregistration.k8s.io/v1beta1=true.
To change those flags, ssh to your API Server instance, edit
/etc/kubernetes/manifests/kube-apiserver.manifest and restart kubelet to pick
up the changes: sudo systemctl restart kubelet.servicebash gencerts.sh. This will use kubectl to create
a secret in your cluster with the certs.kubectl create -f ../deploy/admission-controller-rbac.yamlkubectl create -f ../deploy/admission-controller-deployment.yaml.
The first thing this will do is it will register itself with the apiserver as
Webhook Admission Controller and start changing resource requirements
for pods on their creation & updates.--register-by-url=true and passing --webhook-address and --webhook-port.--min-tls-version with acceptable values being tls1_2 (default), or tls1_3.--tls-ciphers if --min-tls-version is set to tls1_2.--webhook-labels, example format: key1:value1,key2:value2.All VPA configurations in the cluster are watched with a lister. In the context of pod creation, there is an incoming https request from apiserver. The logic to serve that request involves finding the appropriate VPA, retrieving current recommendation from it and encodes the recommendation as a json patch to the Pod resource.