Open dustin-decker opened 5 years ago
🤔 This feature requires some kind of time based trigger. For me it fits better into the operator pattern than the admission controller hook. Why not create a separate cmd, binary and artifact so that you have a clear separation of concerns? The operator can run with different permissions as well. I did a couple of operators for similar tasks in the past. I would be able to help with a spike to get this started, if you agree?
I had started implementing this a while back as a goroutine that periodically lists and deletes pods if the given annotation is older than a given duration: https://github.com/cruise-automation/k-rail/compare/exec-taint-label#diff-a6ad059d9beaf8a3c7bdcd2b41ab23b5R18
It's largely there; I think the remaining piece was to add the annotation to pods from the no exec policy and tests.
I could see the operator watch pattern working also so that the periodic polling is not needed.
I haven't touched the feature since early November. I'm open to your help on it or for you to take it over if you wish. Feel free to spike on an approach that we can discuss 👍
Oh, I just noticed that the WIP is using Delete rather than the Eviction API: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/#the-eviction-api
We should use the eviction API because it respects PodDisruptionBudgets and some other things.
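An added example (not code from the k-rail branch linked above) of the sweep the thread describes: select pods whose taint annotation is older than a configured age and build the `policy/v1` Eviction object that gets POSTed to the pod's `eviction` subresource, instead of issuing a DELETE. The annotation name and the minimal `Pod` struct are assumptions standing in for the real annotation and client-go's `corev1.Pod`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Hypothetical annotation written by the no-exec policy when a pod is tainted.
const taintAnnotation = "k-rail.example/exec-tainted-at" // assumption, not k-rail's name

// Pod is a constructed stand-in for corev1.Pod so the example runs without client-go.
type Pod struct {
	Name, Namespace string
	Annotations     map[string]string
}

// Eviction is the body sent to POST /api/v1/namespaces/{ns}/pods/{name}/eviction.
// Unlike DELETE, the API server checks PodDisruptionBudgets for this request and
// answers 429 Too Many Requests when a budget would be violated; the sweep should
// retry later in that case rather than fall back to a delete.
type Eviction struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
}

// expiredPods returns the pods whose taint annotation (RFC 3339) is older than maxAge at now.
// Pods without the annotation, or with a malformed timestamp, are left alone.
func expiredPods(pods []Pod, now time.Time, maxAge time.Duration) []Pod {
	var out []Pod
	for _, p := range pods {
		raw, ok := p.Annotations[taintAnnotation]
		if !ok {
			continue
		}
		ts, err := time.Parse(time.RFC3339, raw)
		if err != nil || now.Sub(ts) <= maxAge {
			continue
		}
		out = append(out, p)
	}
	return out
}

// evictionFor returns the subresource path and JSON body for evicting p.
func evictionFor(p Pod) (string, []byte, error) {
	ev := Eviction{APIVersion: "policy/v1", Kind: "Eviction"}
	ev.Metadata.Name, ev.Metadata.Namespace = p.Name, p.Namespace
	body, err := json.Marshal(ev)
	return fmt.Sprintf("/api/v1/namespaces/%s/pods/%s/eviction", p.Namespace, p.Name), body, err
}
```

Wire the loop to a ticker or a shared informer, and send each body with the cluster client's POST to the returned path.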
👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.
Thanks for your contribution(s) to the project!
Add a policy that evicts tainted pods after some configurable period has elapsed
https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/#the-eviction-api