Siormeir/feat-create-admission-webhooks-service-phase-3 (#350)

* feat: switch kai to use seperate admission webhooks

* fix: switch gpusharingm admissionhooks

* fix: remove namespace call

* feat: split spusharing, remove hooks from binder package

* fix: remove mutate from mock plugin in binder

* feat: set up new admisson service

* feat: add service and add to creation flow

* fix: remove references from binder

* fix: remove rbac as it is not nessessary

* fix: apply CR comments

* fix: conflict issues

* fix: merge conflicts

* fix: fix rebasing

* fix: alias import

* fix: clean struct names

Author: SiorMeir

Makefile

@@ -16,7 +16,7 @@ KUSTOMIZE ?= $(LOCALBIN)/kustomize
 
 # Space seperated list of services to build by default
 # SERVICE_NAMES := service1 service2 service3
-SERVICE_NAMES := podgrouper scheduler binder webhookmanager resourcereservation snapshot-tool scalingpod nodescaleadjuster podgroupcontroller queuecontroller fairshare-simulator
+SERVICE_NAMES := podgrouper scheduler binder webhookmanager resourcereservation snapshot-tool scalingpod nodescaleadjuster podgroupcontroller queuecontroller fairshare-simulator admission
 
 
 lint: fmt-go vet-go lint-go
@@ -66,6 +66,7 @@ manifests: controller-gen kustomize ## Generate ClusterRole and CustomResourceDe
 	$(CONTROLLER_GEN) rbac:roleName=kai-node-scale-adjuster,headerFile="./hack/boilerplate.yaml.txt" paths="./pkg/nodescaleadjuster/..." paths="./cmd/nodescaleadjuster/..." output:stdout > deployments/kai-scheduler/templates/rbac/nodescaleadjuster.yaml
 	$(CONTROLLER_GEN) rbac:roleName=kai-podgroup-controller,headerFile="./hack/boilerplate.yaml.txt" paths="./pkg/podgroupcontroller/..." paths="./cmd/podgroupcontroller/..." output:stdout > deployments/kai-scheduler/templates/rbac/podgroupcontroller.yaml
 	$(CONTROLLER_GEN) rbac:roleName=queuecontroller,headerFile="./hack/boilerplate.yaml.txt" paths="./pkg/queuecontroller/..." paths="./cmd/queuecontroller/..." output:stdout > deployments/kai-scheduler/templates/rbac/queuecontroller.yaml
+	$(CONTROLLER_GEN) rbac:roleName=kai-admission,headerFile="./hack/boilerplate.yaml.txt" paths="./pkg/admission/..." paths="./cmd/admission/..." output:stdout > deployments/kai-scheduler/templates/rbac/admission.yaml
 
 	$(CONTROLLER_GEN) rbac:roleName=kai-webhookmanager,headerFile="./hack/boilerplate.yaml.txt" paths="./pkg/webhookmanager/..." paths="./cmd/webhookmanager/..." output:stdout > deployments/kustomization/webhookmanager-clusterrole/resource.yaml
 	$(KUSTOMIZE) build deployments/kustomization/webhookmanager-clusterrole >  deployments/kai-scheduler/templates/rbac/webhookmanager.yaml

cmd/admission/app/app.go

@@ -0,0 +1,174 @@
+// Copyright 2025 NVIDIA CORPORATION
+// SPDX-License-Identifier: Apache-2.0
+
+package app
+
+import (
+	"context"
+	"flag"
+
+	admissionhooks "github.com/NVIDIA/KAI-scheduler/pkg/admission/webhook/v1alpha2/podhooks"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"github.com/spf13/pflag"
+	"go.uber.org/zap/zapcore"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	schedulingv1alpha2 "github.com/NVIDIA/KAI-scheduler/pkg/apis/scheduling/v1alpha2"
+
+	admissionplugins "github.com/NVIDIA/KAI-scheduler/pkg/admission/plugins"
+	"github.com/NVIDIA/KAI-scheduler/pkg/binder/controllers"
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(schedulingv1alpha2.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+type App struct {
+	K8sInterface     kubernetes.Interface
+	Client           client.WithWatch
+	InformerFactory  informers.SharedInformerFactory
+	Options          *Options
+	manager          manager.Manager
+	reconcilerParams *controllers.ReconcilerParams
+	admissionPlugins *admissionplugins.KaiAdmissionPlugins
+}
+
+// +kubebuilder:webhook:path=/mutate--v1-pod,mutating=true,failurePolicy=fail,sideEffects=None,resources=pods,verbs=create,groups=core,versions=v1,name=admission.run.ai,admissionReviewVersions=v1,reinvocationPolicy=IfNeeded
+// +kubebuilder:webhook:path=/validate--v1-pod,mutating=false,failurePolicy=fail,sideEffects=None,resources=pods,verbs=create;update,groups=core,versions=v1,name=admission.run.ai,admissionReviewVersions=v1
+
+func New() (*App, error) {
+	options := InitOptions()
+	opts := zap.Options{
+		Development: true,
+		TimeEncoder: zapcore.ISO8601TimeEncoder,
+	}
+	opts.BindFlags(flag.CommandLine)
+	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+
+	pflag.Parse()
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	config := ctrl.GetConfigOrDie()
+	config.QPS = float32(options.QPS)
+	config.Burst = options.Burst
+
+	mgr, err := ctrl.NewManager(config, ctrl.Options{
+		Scheme: scheme,
+		Metrics: server.Options{
+			BindAddress: options.MetricsAddr,
+		},
+		WebhookServer: webhook.NewServer(webhook.Options{
+			Port: options.WebhookPort,
+		}),
+		HealthProbeBindAddress: options.ProbeAddr,
+		LeaderElection:         options.EnableLeaderElection,
+		LeaderElectionID:       "2ad35f9c.kai.scheduler",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		return nil, err
+	}
+
+	clientWithWatch, err := client.NewWithWatch(mgr.GetConfig(), client.Options{
+		Scheme: scheme,
+		Cache: &client.CacheOptions{
+			Reader: mgr.GetCache(),
+		},
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to create client with watch")
+		return nil, err
+	}
+
+	kubeClient := kubernetes.NewForConfigOrDie(config)
+	informerFactory := informers.NewSharedInformerFactory(kubeClient, 0)
+
+	reconcilerParams := &controllers.ReconcilerParams{
+		RateLimiterBaseDelaySeconds: options.RateLimiterBaseDelaySeconds,
+		RateLimiterMaxDelaySeconds:  options.RateLimiterMaxDelaySeconds,
+	}
+
+	app := &App{
+		K8sInterface:     kubeClient,
+		Client:           clientWithWatch,
+		InformerFactory:  informerFactory,
+		Options:          options,
+		manager:          mgr,
+		reconcilerParams: reconcilerParams,
+	}
+	return app, nil
+}
+
+func (app *App) RegisterPlugins(admissionPlugins *admissionplugins.KaiAdmissionPlugins) {
+	app.admissionPlugins = admissionPlugins
+}
+
+func (app *App) Run() error {
+	var err error
+	go func() {
+		app.manager.GetCache().WaitForCacheSync(context.Background())
+	}()
+
+	// +kubebuilder:scaffold:builder
+
+	if err = ctrl.NewWebhookManagedBy(app.manager).For(&corev1.Pod{}).
+		WithDefaulter(admissionhooks.NewPodMutator(app.manager.GetClient(), app.admissionPlugins, app.Options.SchedulerName)).
+		WithValidator(admissionhooks.NewPodValidator(app.manager.GetClient(), app.admissionPlugins, app.Options.SchedulerName)).Complete(); err != nil {
+		setupLog.Error(err, "unable to create pod webhooks", "webhook", "Pod")
+		return err
+	}
+
+	stopCh := make(chan struct{})
+	app.InformerFactory.Start(stopCh)
+	app.InformerFactory.WaitForCacheSync(stopCh)
+
+	if err = app.manager.AddHealthzCheck("healthz", app.manager.GetWebhookServer().StartedChecker()); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		return err
+	}
+	if err = app.manager.AddReadyzCheck("readyz", app.manager.GetWebhookServer().StartedChecker()); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		return err
+	}
+
+	setupLog.Info("starting manager")
+	if err = app.manager.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		return err
+	}
+	return nil
+}

cmd/admission/app/options.go

@@ -0,0 +1,77 @@
+// Copyright 2025 NVIDIA CORPORATION
+// SPDX-License-Identifier: Apache-2.0
+
+package app
+
+import (
+	"github.com/spf13/pflag"
+
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+)
+
+type Options struct {
+	SchedulerName               string
+	QPS                         float64
+	Burst                       int
+	RateLimiterBaseDelaySeconds int
+	RateLimiterMaxDelaySeconds  int
+	EnableLeaderElection        bool
+	MetricsAddr                 string
+	ProbeAddr                   string
+	WebhookPort                 int
+	FakeGPUNodes                bool
+	GpuCdiEnabled               bool
+	VolumeBindingTimeoutSeconds int
+	GPUSharingEnabled           bool
+}
+
+func InitOptions() *Options {
+	options := &Options{}
+
+	fs := pflag.CommandLine
+
+	fs.StringVar(&options.SchedulerName,
+		"scheduler-name", "kai-scheduler",
+		"The scheduler name the workloads are scheduled with")
+	fs.Float64Var(&options.QPS,
+		"qps", 50,
+		"Queries per second to the K8s API server")
+	fs.IntVar(&options.Burst,
+		"burst", 300,
+		"Burst to the K8s API server")
+	fs.IntVar(&options.RateLimiterBaseDelaySeconds,
+		"rate-limiter-base-delay", 1,
+		"Base delay in seconds for the ExponentialFailureRateLimiter")
+	fs.IntVar(&options.RateLimiterMaxDelaySeconds,
+		"rate-limiter-max-delay", 60,
+		"Max delay in seconds for the ExponentialFailureRateLimiter")
+	fs.BoolVar(&options.EnableLeaderElection,
+		"leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	fs.StringVar(&options.MetricsAddr,
+		"metrics-bind-address", ":8080",
+		"The address the metric endpoint binds to.")
+	fs.StringVar(&options.ProbeAddr,
+		"health-probe-bind-address", ":8081",
+		"The address the probe endpoint binds to.")
+	fs.IntVar(&options.WebhookPort,
+		"webhook-addr", 9443,
+		"The port the webhook binds to.")
+	fs.BoolVar(&options.FakeGPUNodes,
+		"fake-gpu-nodes", false,
+		"Enables running fractions on fake gpu nodes for testing")
+	fs.BoolVar(&options.GpuCdiEnabled,
+		"cdi-enabled", false,
+		"Specifies if the gpu device plugin uses the cdi devices api to set gpu devices to the pods")
+	fs.IntVar(&options.VolumeBindingTimeoutSeconds,
+		"volume-binding-timeout-seconds", 120,
+		"Volume binding timeout in seconds")
+	fs.BoolVar(&options.GPUSharingEnabled,
+		"gpu-sharing-enabled", false,
+		"Specifies if the GPU sharing is enabled")
+
+	utilfeature.DefaultMutableFeatureGate.AddFlag(fs)
+
+	return options
+}

cmd/admission/main.go

@@ -0,0 +1,50 @@
+package main
+
+// Copyright 2025 NVIDIA CORPORATION
+// SPDX-License-Identifier: Apache-2.0
+
+import (
+	"os"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	"github.com/NVIDIA/KAI-scheduler/cmd/admission/app"
+
+	"github.com/NVIDIA/KAI-scheduler/pkg/admission/plugins"
+	"github.com/NVIDIA/KAI-scheduler/pkg/admission/webhook/v1alpha2/gpusharing"
+)
+
+var (
+	setupLog = ctrl.Log.WithName("admission-setup")
+)
+
+func main() {
+	app, err := app.New()
+	if err != nil {
+		setupLog.Error(err, "failed to create app")
+		os.Exit(1)
+	}
+
+	err = registerPlugins(app)
+	if err != nil {
+		setupLog.Error(err, "failed to register plugins")
+		os.Exit(1)
+	}
+
+	err = app.Run()
+	if err != nil {
+		setupLog.Error(err, "failed to run app")
+		os.Exit(1)
+	}
+}
+
+func registerPlugins(app *app.App) error {
+	admissionPlugins := plugins.New()
+
+	admissionGpuSharingPlugin := gpusharing.New(app.Client,
+		app.Options.GpuCdiEnabled, app.Options.GPUSharingEnabled)
+
+	admissionPlugins.RegisterPlugin(admissionGpuSharingPlugin)
+	app.RegisterPlugins(admissionPlugins)
+	return nil
+}

cmd/binder/app/app.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"time"
 
-	admissionhooks "github.com/NVIDIA/KAI-scheduler/pkg/admission/webhook/v1alpha2/podhooks"
 	"github.com/NVIDIA/KAI-scheduler/pkg/common/constants"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -33,11 +32,10 @@ import (
 
 	schedulingv1alpha2 "github.com/NVIDIA/KAI-scheduler/pkg/apis/scheduling/v1alpha2"
 
-	admissionplugins "github.com/NVIDIA/KAI-scheduler/pkg/admission/plugins"
 	"github.com/NVIDIA/KAI-scheduler/pkg/binder/binding"
 	"github.com/NVIDIA/KAI-scheduler/pkg/binder/binding/resourcereservation"
 	"github.com/NVIDIA/KAI-scheduler/pkg/binder/controllers"
-	bindingplugins "github.com/NVIDIA/KAI-scheduler/pkg/binder/plugins"
+	"github.com/NVIDIA/KAI-scheduler/pkg/binder/plugins"
 )
 
 var (
@@ -60,13 +58,9 @@ type App struct {
 	manager          manager.Manager
 	rrs              resourcereservation.Interface
 	reconcilerParams *controllers.ReconcilerParams
-	admissionPlugins *admissionplugins.KaiAdmissionPlugins
-	bindingPlugins   *bindingplugins.BinderPlugins
+	plugins          *plugins.BinderPlugins
 }
 
-// +kubebuilder:webhook:path=/mutate--v1-pod,mutating=true,failurePolicy=fail,sideEffects=None,resources=pods,verbs=create,groups=core,versions=v1,name=binder.run.ai,admissionReviewVersions=v1,reinvocationPolicy=IfNeeded
-// +kubebuilder:webhook:path=/validate--v1-pod,mutating=false,failurePolicy=fail,sideEffects=None,resources=pods,verbs=create;update,groups=core,versions=v1,name=binder.run.ai,admissionReviewVersions=v1
-
 func New() (*App, error) {
 	options := InitOptions()
 	opts := zap.Options{
@@ -152,9 +146,8 @@ func New() (*App, error) {
 	return app, nil
 }
 
-func (app *App) RegisterPlugins(admissionPlugins *admissionplugins.KaiAdmissionPlugins, bindingPlugins *bindingplugins.BinderPlugins) {
-	app.admissionPlugins = admissionPlugins
-	app.bindingPlugins = bindingPlugins
+func (app *App) RegisterPlugins(plugins *plugins.BinderPlugins) {
+	app.plugins = plugins
 }
 
 func (app *App) Run() error {
@@ -179,14 +172,7 @@ func (app *App) Run() error {
 		return err
 	}
 
-	if err = ctrl.NewWebhookManagedBy(app.manager).For(&corev1.Pod{}).
-		WithDefaulter(admissionhooks.NewPodMutator(app.manager.GetClient(), app.admissionPlugins, app.Options.SchedulerName)).
-		WithValidator(admissionhooks.NewPodValidator(app.manager.GetClient(), app.admissionPlugins, app.Options.SchedulerName)).Complete(); err != nil {
-		setupLog.Error(err, "unable to create pod webhooks", "webhook", "Pod")
-		return err
-	}
-
-	binder := binding.NewBinder(app.Client, app.rrs, app.bindingPlugins)
+	binder := binding.NewBinder(app.Client, app.rrs, app.plugins)
 
 	stopCh := make(chan struct{})
 	app.InformerFactory.Start(stopCh)