enable nested virt & set single process oom kill

upodroid · upodroid · commit ac88ba5eb775 · 2025-10-21T00:11:31.000+03:00
diff --git a/infra/gcp/terraform/k8s-infra-prow-build/iam.tf b/infra/gcp/terraform/k8s-infra-prow-build/iam.tf
@@ -32,6 +32,7 @@ module "iam" {
     "roles/secretmanager.secretAccessor" = [
       "serviceAccount:kubernetes-external-secrets@k8s-infra-prow-build.iam.gserviceaccount.com",
       "principal://iam.googleapis.com/projects/${module.project.project_number}/locations/global/workloadIdentityPools/${module.project.project_id}.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
+      "principal://iam.googleapis.com/projects/180382678033/locations/global/workloadIdentityPools/k8s-infra-prow-build-trusted.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
     ]
   }
 }
diff --git a/infra/gcp/terraform/k8s-infra-prow-build/main.tf b/infra/gcp/terraform/k8s-infra-prow-build/main.tf
@@ -90,14 +90,15 @@ module "prow_build_nodepool_c4_highmem_8_localssd" {
     "us-central1-c",
     "us-central1-f",
   ]
-  name            = "pool6"
-  initial_count   = 1
-  min_count       = 1
-  max_count       = 80
-  machine_type    = "c4-highmem-8"
-  disk_size_gb    = 500
-  disk_type       = "hyperdisk-balanced"
-  service_account = module.prow_build_cluster.cluster_node_sa.email
+  name                         = "pool6"
+  initial_count                = 1
+  min_count                    = 1
+  max_count                    = 80
+  machine_type                 = "c4-highmem-8-lssd"
+  disk_size_gb                 = 100
+  disk_type                    = "hyperdisk-balanced"
+  enable_nested_virtualization = true
+  service_account              = module.prow_build_cluster.cluster_node_sa.email
 }
 
 module "prow_build_nodepool_c4d_highmem_8_localssd" {
@@ -110,54 +111,15 @@ module "prow_build_nodepool_c4d_highmem_8_localssd" {
     "us-central1-b",
     "us-central1-c",
   ]
-  name            = "pool7"
-  initial_count   = 1
-  min_count       = 10
-  max_count       = 80
-  machine_type    = "c4d-highmem-8-lssd" # has 2 local ssd disks attached
-  disk_size_gb    = 100
-  disk_type       = "hyperdisk-balanced"
-  service_account = module.prow_build_cluster.cluster_node_sa.email
-}
-
-
-module "sig_node_node_pool_1_n4_highmem_8" {
-
-  source       = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/gke-nodepool?ref=v39.0.0&depth=1"
-  project_id   = module.project.project_id
-  name         = "sig-node-pool1"
-  location     = module.prow_build_cluster.cluster.location
-  cluster_name = module.prow_build_cluster.cluster.name
-
-  service_account = {
-    email        = module.prow_build_cluster.cluster_node_sa.email
-    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
-  }
-
-  nodepool_config = {
-    autoscaling = {
-      max_node_count = 10
-      min_node_count = 1 # 1 per zone
-    }
-    management = {
-      auto_repair  = true
-      auto_upgrade = true
-    }
-  }
-
-  node_config = {
-    machine_type                  = "n4-highmem-8"
-    disk_type                     = "hyperdisk-balanced"
-    image_type                    = "COS_CONTAINERD"
-    gvnic                         = true
-    workload_metadata_config_mode = "GKE_METADATA"
-    shielded_instance_config = {
-      enable_secure_boot = true
-    }
-  }
-
-
-  taints = { dedicated = { value = "sig-node", effect = "NO_SCHEDULE" } }
+  name                         = "pool7"
+  initial_count                = 1
+  min_count                    = 10
+  max_count                    = 80
+  machine_type                 = "c4d-highmem-8-lssd" # has 1 local ssd disks attached
+  disk_size_gb                 = 100
+  disk_type                    = "hyperdisk-balanced"
+  enable_nested_virtualization = true
+  service_account              = module.prow_build_cluster.cluster_node_sa.email
 }
 
 module "prow_build_nodepool_c4a_highmem_8_localssd" {
@@ -170,13 +132,14 @@ module "prow_build_nodepool_c4a_highmem_8_localssd" {
     "us-central1-b",
     "us-central1-c",
   ]
-  name          = "pool7-arm64"
-  initial_count = 1
-  min_count     = 1
-  max_count     = 10
-  machine_type  = "c4a-highmem-8-lssd" # has 2 local ssd disks attached
-  disk_size_gb  = 100
-  disk_type     = "hyperdisk-balanced"
+  name                         = "pool7-arm64"
+  initial_count                = 1
+  min_count                    = 1
+  max_count                    = 80
+  machine_type                 = "c4a-highmem-8-lssd" # has 2 local ssd disks attached
+  disk_size_gb                 = 100
+  disk_type                    = "hyperdisk-balanced"
+  enable_nested_virtualization = true
   // GKE automatically taints arm64 nodes
   // https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#overview
   service_account = module.prow_build_cluster.cluster_node_sa.email
diff --git a/infra/gcp/terraform/k8s-infra-prow-build/provider.tf b/infra/gcp/terraform/k8s-infra-prow-build/provider.tf
@@ -30,11 +30,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 6.31.0"
+      version = "~> 7.7.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 6.31.0"
+      version = "~> 7.7.0"
     }
   }
 }
diff --git a/infra/gcp/terraform/modules/gke-nodepool/main.tf b/infra/gcp/terraform/modules/gke-nodepool/main.tf
@@ -49,6 +49,9 @@ resource "google_container_node_pool" "node_pool" {
 
     service_account = var.service_account
     oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
+    kubelet_config {
+      single_process_oom_kill = false
+    }
 
     dynamic "ephemeral_storage_config" {
       for_each = var.ephemeral_local_ssd_count > 0 ? [var.ephemeral_local_ssd_count] : []
@@ -57,6 +60,11 @@ resource "google_container_node_pool" "node_pool" {
       }
     }
 
+    advanced_machine_features {
+      enable_nested_virtualization = var.enable_nested_virtualization
+      threads_per_core             = 0
+    }
+
     // Needed for workload identity
     workload_metadata_config {
       mode = "GKE_METADATA"
@@ -72,6 +80,7 @@ resource "google_container_node_pool" "node_pool" {
         value  = taint.value.value
       }
     }
+
   }
 
   // If we need to destroy the node pool, create the new one before destroying
diff --git a/infra/gcp/terraform/modules/gke-nodepool/variables.tf b/infra/gcp/terraform/modules/gke-nodepool/variables.tf
@@ -107,3 +107,9 @@ variable "service_account" {
   description = "The email address of the GCP Service Account to be associated with nodes in this node_pool"
   type        = string
 }
+
+variable "enable_nested_virtualization" {
+  description = "Whether to enable nested virtualization on the node pool's VMs"
+  type        = bool
+  default     = false
+}
diff --git a/infra/gcp/terraform/modules/gke-nodepool/versions.tf b/infra/gcp/terraform/modules/gke-nodepool/versions.tf
@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 6.31.0"
+      version = ">=6.31.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 6.31.0"
+      version = ">=6.31.0"
     }
   }
 }
diff --git a/infra/gcp/terraform/modules/gke-project/versions.tf b/infra/gcp/terraform/modules/gke-project/versions.tf
@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 6.31.0"
+      version = ">=6.31.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 6.31.0"
+      version = ">=6.31.0"
     }
   }
 }
diff --git a/infra/gcp/terraform/modules/workload-identity-service-account/versions.tf b/infra/gcp/terraform/modules/workload-identity-service-account/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 6.31.0"
+      version = ">=6.31.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 6.31.0"
+      version = ">=6.31.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ module "iam" {`
`32`	`32`	`"roles/secretmanager.secretAccessor" = [`
`33`	`33`	`"serviceAccount:kubernetes-external-secrets@k8s-infra-prow-build.iam.gserviceaccount.com",`
`34`	`34`	`"principal://iam.googleapis.com/projects/${module.project.project_number}/locations/global/workloadIdentityPools/${module.project.project_id}.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",`
	`35`	`+ "principal://iam.googleapis.com/projects/180382678033/locations/global/workloadIdentityPools/k8s-infra-prow-build-trusted.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",`
`35`	`36`	`]`
`36`	`37`	`}`
`37`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,11 +30,11 @@ terraform {`
`30`	`30`	`required_providers {`
`31`	`31`	`google = {`
`32`	`32`	`source = "hashicorp/google"`
`33`		`- version = "~> 6.31.0"`
	`33`	`+ version = "~> 7.7.0"`
`34`	`34`	`}`
`35`	`35`	`google-beta = {`
`36`	`36`	`source = "hashicorp/google-beta"`
`37`		`- version = "~> 6.31.0"`
	`37`	`+ version = "~> 7.7.0"`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,9 @@ resource "google_container_node_pool" "node_pool" {`
`49`	`49`
`50`	`50`	`service_account = var.service_account`
`51`	`51`	`oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]`
	`52`	`+ kubelet_config {`
	`53`	`+ single_process_oom_kill = false`
	`54`	`+ }`
`52`	`55`
`53`	`56`	`dynamic "ephemeral_storage_config" {`
`54`	`57`	`for_each = var.ephemeral_local_ssd_count > 0 ? [var.ephemeral_local_ssd_count] : []`
`@@ -57,6 +60,11 @@ resource "google_container_node_pool" "node_pool" {`
`57`	`60`	`}`
`58`	`61`	`}`
`59`	`62`
	`63`	`+ advanced_machine_features {`
	`64`	`+ enable_nested_virtualization = var.enable_nested_virtualization`
	`65`	`+ threads_per_core = 0`
	`66`	`+ }`
	`67`	`+`
`60`	`68`	`// Needed for workload identity`
`61`	`69`	`workload_metadata_config {`
`62`	`70`	`mode = "GKE_METADATA"`
`@@ -72,6 +80,7 @@ resource "google_container_node_pool" "node_pool" {`
`72`	`80`	`value = taint.value.value`
`73`	`81`	`}`
`74`	`82`	`}`
	`83`	`+`
`75`	`84`	`}`
`76`	`85`
`77`	`86`	`// If we need to destroy the node pool, create the new one before destroying`
Original file line number	Diff line number	Diff line change
`@@ -20,11 +20,11 @@ terraform {`
`20`	`20`	`required_providers {`
`21`	`21`	`google = {`
`22`	`22`	`source = "hashicorp/google"`
`23`		`- version = "~> 6.31.0"`
	`23`	`+ version = ">=6.31.0"`
`24`	`24`	`}`
`25`	`25`	`google-beta = {`
`26`	`26`	`source = "hashicorp/google-beta"`
`27`		`- version = "~> 6.31.0"`
	`27`	`+ version = ">=6.31.0"`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,11 +17,11 @@ terraform {`
`17`	`17`	`required_providers {`
`18`	`18`	`google = {`
`19`	`19`	`source = "hashicorp/google"`
`20`		`- version = "~> 6.31.0"`
	`20`	`+ version = ">=6.31.0"`
`21`	`21`	`}`
`22`	`22`	`google-beta = {`
`23`	`23`	`source = "hashicorp/google-beta"`
`24`		`- version = "~> 6.31.0"`
	`24`	`+ version = ">=6.31.0"`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`	`}`