Story
Resolution: Unresolved
Normal
Description
Implement a mutating admission webhook that injects the GOMAXPROCS environment variable into containers created in HyperShift hosted control plane namespaces. GOMAXPROCS bounds the number of OS threads that may execute user-level Go code simultaneously; setting it per container, instead of leaving the Go runtime's default based on the host CPU count, improves Go scheduler behaviour for control plane components whose CPU requests/limits are far smaller than the node.
Background
Go applications in containers generally benefit from GOMAXPROCS matching the container's CPU allocation rather than the default, which is derived from the host's CPU count (Go releases before 1.25 do not read the cgroup CPU limit at all, so a 2-CPU container on a 64-CPU node would otherwise schedule 64 Ps and suffer throttling and scheduler overhead). This matters most for HyperShift control plane components, where predictable resource utilization is critical for performance and stability.
Implementation Details
Core Functionality
- Scope: Only namespaces labeled hypershift.openshift.io/hosted-control-plane: "true" are selected (namespaceSelector on the MutatingWebhookConfiguration); Pods elsewhere are never sent to the webhook
- Operation: Mutates Pod CREATE admissions only; UPDATE is not intercepted, so a container added later to an existing Pod spec is not patched
- Behavior: Respects an existing GOMAXPROCS environment variable on a container (no override); the value set by the workload author wins
- Failure Policy: "Ignore" - Pod creation proceeds without mutation if the webhook is unavailable or times out. This keeps the webhook off the control plane's availability path, but it also means an outage silently admits unmutated Pods, so webhook health should be monitored rather than inferred from Pod admission succeeding
Key Features
1. Smart Workload Resolution: Intelligently resolves top-level workload owners
- ReplicaSet → Deployment
- Job → CronJob
- Supports complex ownership chains with cycle detection
2. Flexible Configuration System: YAML-based configuration with:
- Global default values
- Per-workload/container overrides
- Explicit exclusions
- Live configuration reload support
3. Comprehensive Deployment: Includes:
- ServiceAccount, ClusterRole, and ClusterRoleBinding (read access to the workload kinds it resolves)
- TLS certificate management
- Kubernetes manifests and Kustomize support
- Comprehensive unit test coverage
Configuration Schema
default: "32"        # Optional global default
overrides:           # Per-workload/container overrides
  - workloadKind: Deployment
    workloadName: kube-apiserver
    containerName: kube-apiserver
    value: "20"
exclusions:          # Explicit exclusions
  - workloadKind: Deployment
    workloadName: oauth-openshift
    containerName: oauth-openshift
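The three pieces the Key Features and Configuration Schema sections describe (owner resolution with cycle detection, precedence of exclusion over override over default, and injection that preserves an existing GOMAXPROCS) are shown together in the added Go example below. It is illustrative code written for this page, not the code under contrib/gomaxprocs-webhook/. It assumes an in-memory Index standing in for API reads of owners, standard-library types standing in for the Kubernetes API types, and a Config already decoded from the YAML above; the workload and container names in main() are constructed sample input.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Config mirrors the story's YAML schema. A YAML decoder is assumed to fill it.
type Config struct {
	Default    string  `json:"default"`
	Overrides  []Entry `json:"overrides"`
	Exclusions []Entry `json:"exclusions"`
}

// Entry is one override or exclusion row; Value is unused for exclusions.
type Entry struct {
	WorkloadKind  string `json:"workloadKind"`
	WorkloadName  string `json:"workloadName"`
	ContainerName string `json:"containerName"`
	Value         string `json:"value,omitempty"`
}

// OwnerRef and Object stand in for metav1.OwnerReference and a namespaced object;
// Index stands in for API reads of owners by kind/name (assumption for this example).
type (
	OwnerRef struct{ Kind, Name string }
	Object   struct {
		Kind, Name string
		Owners     []OwnerRef
	}
	Index map[string]Object
)

func key(kind, name string) string { return kind + "/" + name }

// ResolveTopOwner follows the first (controller) owner reference upward until it
// reaches an object with no owner or one not in the index (treated as top-level).
// The visited set turns an ownership cycle into an error instead of an infinite loop.
func ResolveTopOwner(idx Index, kind, name string) (string, string, error) {
	seen := map[string]bool{}
	for {
		k := key(kind, name)
		if seen[k] {
			return "", "", fmt.Errorf("ownership cycle at %s", k)
		}
		seen[k] = true
		obj, ok := idx[k]
		if !ok || len(obj.Owners) == 0 {
			return kind, name, nil
		}
		kind, name = obj.Owners[0].Kind, obj.Owners[0].Name
	}
}

// ValueFor applies the precedence exclusion > override > default. ok=false means skip.
func (c Config) ValueFor(kind, name, container string) (string, bool) {
	match := func(e Entry) bool {
		return e.WorkloadKind == kind && e.WorkloadName == name && e.ContainerName == container
	}
	for _, e := range c.Exclusions {
		if match(e) {
			return "", false
		}
	}
	for _, o := range c.Overrides {
		if match(o) {
			return o.Value, true
		}
	}
	return c.Default, c.Default != ""
}

// The subset of the Pod spec and of RFC 6902 JSON Patch needed here.
type (
	EnvVar    struct {
		Name  string `json:"name"`
		Value string `json:"value,omitempty"`
	}
	Container struct {
		Name string   `json:"name"`
		Env  []EnvVar `json:"env,omitempty"`
	}
	PatchOp struct {
		Op    string      `json:"op"`
		Path  string      `json:"path"`
		Value interface{} `json:"value"`
	}
)

func hasEnv(env []EnvVar, name string) bool {
	for _, e := range env {
		if e.Name == name {
			return true
		}
	}
	return false
}

// BuildPatch resolves the Pod's top-level workload and returns the JSON Patch ops that
// inject GOMAXPROCS into every container lacking it. An orphaned Pod is keyed as
// Pod/<name>. When a container has no env array, "add" on .../env creates it; "add" on
// .../env/- would be rejected because the target array does not exist yet.
func BuildPatch(cfg Config, idx Index, podName string, owners []OwnerRef, containers []Container) ([]PatchOp, error) {
	kind, name := "Pod", podName
	if len(owners) > 0 {
		var err error
		if kind, name, err = ResolveTopOwner(idx, owners[0].Kind, owners[0].Name); err != nil {
			return nil, err
		}
	}
	var ops []PatchOp
	for i, c := range containers {
		if hasEnv(c.Env, "GOMAXPROCS") {
			continue // explicit value set by the workload author wins
		}
		v, ok := cfg.ValueFor(kind, name, c.Name)
		if !ok {
			continue
		}
		env := EnvVar{Name: "GOMAXPROCS", Value: v}
		if c.Env == nil {
			ops = append(ops, PatchOp{"add", fmt.Sprintf("/spec/containers/%d/env", i), []EnvVar{env}})
		} else {
			ops = append(ops, PatchOp{"add", fmt.Sprintf("/spec/containers/%d/env/-", i), env})
		}
	}
	return ops, nil
}

func main() {
	// Constructed sample: a kube-apiserver Pod owned by a ReplicaSet owned by a Deployment.
	cfg := Config{Default: "32", Overrides: []Entry{{"Deployment", "kube-apiserver", "kube-apiserver", "20"}}}
	idx := Index{key("ReplicaSet", "kube-apiserver-5d8f"): {Kind: "ReplicaSet", Name: "kube-apiserver-5d8f", Owners: []OwnerRef{{"Deployment", "kube-apiserver"}}}}
	ops, _ := BuildPatch(cfg, idx, "kube-apiserver-5d8f-x2k", []OwnerRef{{"ReplicaSet", "kube-apiserver-5d8f"}}, []Container{{Name: "kube-apiserver"}})
	b, _ := json.Marshal(ops)
	fmt.Println(string(b))
}
```

The patch is computed from the top-level owner, not the Pod name, because Pod names carry a random suffix; a cycle (or a chain that never reaches an indexed object) returns an error so the handler can fall back to admitting the Pod unpatched rather than hanging the admission request.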
Acceptance Criteria
- [ ] Admission webhook correctly identifies HyperShift control plane namespaces
- [ ] GOMAXPROCS injection works for all supported workload types (Deployment, StatefulSet, DaemonSet, Job, CronJob)
- [ ] Existing GOMAXPROCS environment variables are preserved
- [ ] Configuration can be updated without webhook restart (live reload)
- [ ] Comprehensive test coverage including unit and integration tests
- [ ] Deployment manifests support installation via Kustomize
- [ ] Documentation includes installation, configuration, and troubleshooting guides
- [ ] Webhook follows Kubernetes admission controller best practices
Technical Implementation
Components Delivered
- contrib/gomaxprocs-webhook/ - Complete webhook implementation
- Admission handler with Pod mutation logic (internal/webhook/pod/handler.go)
- Configuration management system (internal/config/)
- CLI interface and server implementation (cmd/)
- Kubernetes deployment manifests (manifests/)
- Comprehensive test suite
- Documentation and usage guides
Supported Workload Types
- Deployment (via ReplicaSet resolution)
- StatefulSet
- DaemonSet
- Job
- CronJob (via Job resolution)
- ReplicaSet (standalone)
- Pod (orphaned)
Benefits
1. Performance Optimization: Proper GOMAXPROCS setting improves Go runtime efficiency
2. Automated Management: No manual configuration required for new workloads
3. Flexibility: Granular control via configuration overrides and exclusions
4. High Availability: Ignore failure policy ensures Pod creation isn't blocked by a webhook outage (at the cost of those Pods being admitted without GOMAXPROCS)
5. HyperShift Integration: Seamless integration with HyperShift control plane lifecycle
Files Modified/Added
- 21 files changed, 2191 insertions
- Complete webhook implementation with tests, manifests, and documentation
- Zero modifications to existing HyperShift core functionality
Related Documentation
- README with installation and configuration instructions
- Makefile for build and deployment automation
- Docker container support with multi-stage build