We provide various approaches to run FrameworkController:
Notes:
- For a single k8s cluster, one instance of FrameworkController orchestrates all Frameworks in all namespaces.
- For a single k8s cluster, ensure at most one instance of FrameworkController is running at any point in time.
- For the full FrameworkController configuration, see Config Usage and Config Example.
- This approach is better for production, since StatefulSet by itself provides self-healing and can ensure at most one instance of FrameworkController is running at any point in time.
- Using official image to demonstrate this example.
If the k8s cluster enforces Authorization, you need to first create a ServiceAccount with granted permission for FrameworkController. For example, if the cluster enforces RBAC:
kubectl create serviceaccount frameworkcontroller --namespace default
kubectl create clusterrolebinding frameworkcontroller \
--clusterrole=cluster-admin \
--user=system:serviceaccount:default:frameworkcontroller
Run FrameworkController with above ServiceAccount and the k8s inClusterConfig:
Run with default config
kubectl create -f frameworkcontroller-with-default-config.yaml
frameworkcontroller-with-default-config.yaml:
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: frameworkcontroller
namespace: default
spec:
serviceName: frameworkcontroller
selector:
matchLabels:
app: frameworkcontroller
replicas: 1
template:
metadata:
labels:
app: frameworkcontroller
spec:
# Using the ServiceAccount with granted permission
# if the k8s cluster enforces authorization.
serviceAccountName: frameworkcontroller
containers:
- name: frameworkcontroller
image: frameworkcontroller/frameworkcontroller
# Using k8s inClusterConfig, so usually, no need to specify
# KUBE_APISERVER_ADDRESS or KUBECONFIG
#env:
#- name: KUBE_APISERVER_ADDRESS
# value: {http[s]://host:port}
#- name: KUBECONFIG
# value: {Pod Local KubeConfig File Path}
kubectl create -f frameworkcontroller-customized-config.yaml
kubectl create -f frameworkcontroller-with-customized-config.yaml
frameworkcontroller-customized-config.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: frameworkcontroller-config
namespace: default
data:
frameworkcontroller.yaml: |
kubeClientQps: 200
kubeClientBurst: 300
workerNumber: 500
largeFrameworkCompression: true
frameworkCompletedRetainSec: 2592000
#podFailureSpec:
#- code: 221
# phrase: ContainerTensorflowOOMKilled
# type:
# attributes: [Permanent]
# podPatterns:
# - containers:
# - messageRegex: '(?msi)tensorflow.*ResourceExhaustedError.*OOM.*'
# codeRange: {min: 1}
# nameRegex: '(?ms).*'
#- {More customized podFailureSpec, better to also include these in the default config}
frameworkcontroller-with-customized-config.yaml:
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: frameworkcontroller
namespace: default
spec:
serviceName: frameworkcontroller
selector:
matchLabels:
app: frameworkcontroller
replicas: 1
template:
metadata:
labels:
app: frameworkcontroller
spec:
# Using the ServiceAccount with granted permission
# if the k8s cluster enforces authorization.
serviceAccountName: frameworkcontroller
containers:
- name: frameworkcontroller
image: frameworkcontroller/frameworkcontroller
# Using k8s inClusterConfig, so usually, no need to specify
# KUBE_APISERVER_ADDRESS or KUBECONFIG
#env:
#- name: KUBE_APISERVER_ADDRESS
# value: {http[s]://host:port}
#- name: KUBECONFIG
# value: {Pod Local KubeConfig File Path}
command: [
"bash", "-c",
"cp /frameworkcontroller-config/frameworkcontroller.yaml . &&
./start.sh"]
volumeMounts:
- name: frameworkcontroller-config
mountPath: /frameworkcontroller-config
volumes:
- name: frameworkcontroller-config
configMap:
name: frameworkcontroller-config
- This approach may be better for development sometimes.
- Using official image to demonstrate this example.
If you have an insecure ApiServer address (can be got from Insecure ApiServer or kubectl proxy) which does not enforce authentication, you only need to provide the address:
docker run -e KUBE_APISERVER_ADDRESS={http[s]://host:port} \
frameworkcontroller/frameworkcontroller
Otherwise, you need to provide your KubeConfig File which inlines or refers the ApiServer Credential Files with granted permission:
docker run -e KUBECONFIG=/mnt/.kube/config \
-v {Host Local KubeConfig File Path}:/mnt/.kube/config \
-v {Host Local ApiServer Credential File Path}:{Container Local ApiServer Credential File Path} \
frameworkcontroller/frameworkcontroller
For example, if the k8s cluster is created by Minikube:
docker run -e KUBECONFIG=/mnt/.kube/config \
-v ${HOME}/.kube/config:/mnt/.kube/config \
-v ${HOME}/.minikube:${HOME}/.minikube \
frameworkcontroller/frameworkcontroller
- This approach may be better for development sometimes.
- Using local built binary distribution to demonstrate this example.
Ensure you have installed Golang 1.12.6 or above and the ${GOPATH} is valid.
Then build the FrameworkController binary distribution:
export PROJECT_DIR=${GOPATH}/src/github.com/microsoft/frameworkcontroller
rm -rf ${PROJECT_DIR}
mkdir -p ${PROJECT_DIR}
git clone https://github.com/microsoft/frameworkcontroller.git ${PROJECT_DIR}
cd ${PROJECT_DIR}
./build/frameworkcontroller/go-build.sh
If you have an insecure ApiServer address (can be got from Insecure ApiServer or kubectl proxy) which does not enforce authentication, you only need to provide the address:
KUBE_APISERVER_ADDRESS={http[s]://host:port} \
./dist/frameworkcontroller/start.sh
Otherwise, you need to provide your KubeConfig File which inlines or refers the ApiServer Credential Files with granted permission:
KUBECONFIG={Process Local KubeConfig File Path} \
./dist/frameworkcontroller/start.sh
For example:
KUBECONFIG=${HOME}/.kube/config \
./dist/frameworkcontroller/start.sh
And in above example, ${HOME}/.kube/config
is the default value of KUBECONFIG
, so you can skip it:
./dist/frameworkcontroller/start.sh