YongGang 46dbc74053
Support Dynamic Peon Pod Template Selection in K8s extension (#16510)
* initial commit

* add Javadocs

* refine JSON input config

* more test and fix build

* extract existing behavior as default strategy

* change template mapping fallback

* add docs

* update doc

* fix doc

* address comments

* define Matcher interface

* fix test coverage

* use lower case for endpoint path

* update Json name

* add more tests

* refactoring Selector class
2024-06-12 15:27:10 -07:00

21 KiB
Raw Blame History

id title
k8s-jobs MM-less Druid in K8s

Apache Druid Extension to enable using Kubernetes for launching and managing tasks instead of the Middle Managers. This extension allows you to launch tasks as kubernetes jobs removing the need for your middle manager.

Consider this an EXPERIMENTAL feature mostly because it has not been tested yet on a wide variety of long-running Druid clusters.

How it works

The K8s extension builds a pod spec for each task using the specified pod adapter. All jobs are natively restorable, they are decoupled from the Druid deployment, thus restarting pods or doing upgrades has no affect on tasks in flight. They will continue to run and when the overlord comes back up it will start tracking them again.


To use this extension please make sure to includedruid-kubernetes-overlord-extensions in the extensions load list for your overlord process.

The extension uses druid.indexer.runner.capacity to limit the number of k8s jobs in flight. A good initial value for this would be the sum of the total task slots of all the middle managers you were running before switching to K8s based ingestion. The K8s task runner uses one thread per Job that is created, so setting this number too large can cause memory issues on the overlord. Additionally set the variable druid.indexer.runner.namespace to the namespace in which you are running druid.

Other configurations required are: druid.indexer.runner.type: k8s and druid.indexer.task.encapsulatedTask: true

Pod Adapters

The logic defining how the pod template is built for your Kubernetes Job depends on which pod adapter you have specified.

Overlord Single Container Pod Adapter/Overlord Multi Container Pod Adapter

The overlord single container pod adapter takes the podSpec of your Overlord pod and creates a kubernetes job from this podSpec. This is the default pod adapter implementation, to explicitly enable it you can specify the runtime property druid.indexer.runner.k8s.adapter.type: overlordSingleContainer

The overlord multi container pod adapter takes the podSpec of your Overlord pod and creates a kubernetes job from this podSpec. It uses kubexit to manage dependency ordering between the main container that runs your druid peon and other sidecars defined in the Overlord pod spec. Thus if you have sidecars such as Splunk or Istio it will be able to handle them. To enable this pod adapter you can specify the runtime property druid.indexer.runner.k8s.adapter.type: overlordMultiContainer

For the sidecar support to work for the multi container pod adapter, your entry point / command in docker must be explicitly defined your spec.

You can't have something like this: Dockerfile: ENTRYPOINT: ["foo.sh"]

and in your sidecar specs:

        name: foo
           - arg1
           - arg2 

That will not work, because we cannot decipher what your command is, the extension needs to know it explicitly. *Even for sidecars like Istio which are dynamically created by the service mesh, this needs to happen.

Instead do the following: You can keep your Dockerfile the same but you must have a sidecar spec like so:

        name: foo
        command: foo.sh
           - arg1
           - arg2 

For both of these adapters, you can add optional labels to your K8s jobs / pods if you need them by using the following configuration: druid.indexer.runner.labels: '{"key":"value"}' Annotations are the same with: druid.indexer.runner.annotations: '{"key":"value"}'

All other configurations you had for the middle manager tasks must be moved under the overlord with one caveat, you must specify javaOpts as an array: druid.indexer.runner.javaOptsArray, druid.indexer.runner.javaOpts is no longer supported.

If you are running without a middle manager you need to also use druid.processing.intermediaryData.storage.type=deepstore

Custom Template Pod Adapter

The custom template pod adapter allows you to specify a pod template file per task type for more flexibility on how to define your pods. This adapter expects a Pod Template to be available on the overlord's file system. This pod template is used as the base of the pod spec for the Kubernetes Job. You can override things like labels, environment variables, resources, annotation, or even the base image with this template. To enable this pod adapter you can specify the runtime property druid.indexer.runner.k8s.adapter.type: customTemplateAdapter

The base pod template must be specified as the runtime property druid.indexer.runner.k8s.podTemplate.base: /path/to/basePodSpec.yaml

Task specific pod templates can be specified as the runtime property druid.indexer.runner.k8s.podTemplate.{taskType}: /path/to/taskSpecificPodSpec.yaml where {taskType} is the name of the task type i.e index_parallel.

If you are trying to use the default image's environment variable parsing feature to set runtime properties, you need to add a extra escape underscore when specifying pod templates. e.g. set the environment variable druid_indexer_runner_k8s_podTemplate_index__parallel when setting druid.indxer.runner.k8s.podTemplate.index_parallel

The following is an example Pod Template that uses the regular druid docker image.

apiVersion: "v1"
kind: "PodTemplate"
      sidecar.istio.io/proxyCPU: "512m" # to handle a injected istio sidecar
      app.kubernetes.io/name: "druid-realtime-backend"
    affinity: {}
    - command:
        - sh
        - -c
        - |
          /peon.sh /druid/data 1
        value: "hello"
      image: apache/druid:{{DRUIDVERSION}}
      name: main
      - containerPort: 8091
        name: druid-tls-port
        protocol: TCP
      - containerPort: 8100
        name: druid-port
        protocol: TCP
          cpu: "1"
          memory: 2400M
          cpu: "1"
          memory: 2400M
      - mountPath: /opt/druid/conf/druid/cluster/master/coordinator-overlord # runtime props are still mounted in this location because that's where peon.sh looks for configs
        name: nodetype-config-volume
        readOnly: true
      - mountPath: /druid/data
        name: data-volume
      - mountPath: /druid/deepstorage
        name: deepstorage-volume
    restartPolicy: "Never"
      fsGroup: 1000
      runAsGroup: 1000
      runAsUser: 1000
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
      tolerationSeconds: 300
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
      tolerationSeconds: 300
    - configMap:
        defaultMode: 420
        name: druid-tiny-cluster-peons-config
      name: nodetype-config-volume
    - emptyDir: {}
      name: data-volume
    - emptyDir: {}
      name: deepstorage-volume

The below runtime properties need to be passed to the Job's peon process.

druid.port=8100 (what port the peon should run on)
druid.service=druid/peon (for metrics reporting)
druid.indexer.task.baseTaskDir=/druid/data (this should match the argument to the ./peon.sh run command in the PodTemplate)

Any runtime property or JVM config used by the peon process can also be passed. E.G. below is a example of a ConfigMap that can be used to generate the nodetype-config-volume mount in the above template.

kind: ConfigMap
    name: druid-tiny-cluster-peons-config
    namespace: default
apiVersion: v1
    jvm.config: |-
    log4j2.xml: |-
        <?xml version="1.0" encoding="UTF-8" ?>
        <Configuration status="WARN">
                <Console name="Console" target="SYSTEM_OUT">
                    <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
                <Root level="info">
                    <AppenderRef ref="Console"/>
    runtime.properties: |

Dynamic Pod Template Selection Config

The Dynamic Pod Template Selection feature enhances the K8s extension by enabling more flexible and dynamic selection of pod templates based on task properties. This process is governed by the PodTemplateSelectStrategy. Below are the two strategies implemented:

Property Description Default
TaskTypePodTemplateSelectStrategy This strategy selects pod templates based on task type for execution purposes, implementing the behavior that maps templates to specific task types. true
SelectorBasedPodTemplateSelectStrategy This strategy evaluates a series of selectors, known as selectors, which are aligned with potential task properties. false

SelectorBasedPodTemplateSelectStrategy, the strategy implementing this new feature, is based on conditional selectors that match against top-level keys from the task payload. Currently, it supports matching based on task context tags, task type, and dataSource. These selectors are ordered in the dynamic configuration, with the first selector given the highest priority during the evaluation process. This means that the selection process uses these ordered conditions to determine a tasks Pod template. The first matching condition immediately determines the Pod template, thereby prioritizing certain configurations over others. If no selector matches, it will fall back to an optional defaultKey if configured; if there is still no match, it will use the base template.

Example Configuration:

We define two template keys in the configuration—low-throughput and medium-throughput—each associated with specific task conditions and arranged in a priority order.

  • Low Throughput Template: This is the first template evaluated and has the highest priority. Tasks that have a context tag billingCategory=streaming_ingestion and a datasource of wikipedia will be classified under the low-throughput template. This classification directs such tasks to utilize a predefined pod template optimized for low throughput requirements.

  • Medium Throughput Template: If a task does not meet the low-throughput criteria, the system will then evaluate it against the next selector in order. In this example, if the task type is index_kafka, it will fall into the medium-throughput template.

  "type": "default",
    "type": "selectorBased",
    "selectors": [
        "selectionKey": "low-throughput",
          "billingCategory": ["streaming_ingestion"]
        "dataSource": ["wikipedia"]
        "selectionKey": "medium-throughput",
        "type": ["index_kafka"]
    "defaultKey"" "base"

Task specific pod templates can be specified as the runtime property druid.indexer.runner.k8s.podTemplate.{template}: /path/to/taskSpecificPodSpec.yaml where {template} is the matched selectionKey of the podTemplateSelectStrategy i.e low-throughput.

Similar to Overlord dynamic configuration, the following API endpoints are defined to retrieve and manage dynamic configurations of Pod Template Selection config:

  • Get dynamic configuration: POST /druid/indexer/v1/k8s/taskRunner/executionConfig

  • Update dynamic configuration: GET /druid/indexer/v1/k8s/taskRunner/executionConfig

  • Get dynamic configuration history: GET /druid/indexer/v1/k8s/taskRunner/executionConfig/history


Property Possible Values Description Default required
druid.indexer.runner.debugJobs boolean Clean up K8s jobs after tasks complete. False No
druid.indexer.runner.sidecarSupport boolean Deprecated, specify adapter type as runtime property druid.indexer.runner.k8s.adapter.type: overlordMultiContainer instead. If your overlord pod has sidecars, this will attempt to start the task with the same sidecars as the overlord pod. False No
druid.indexer.runner.primaryContainerName String If running with sidecars, the primaryContainerName should be that of your druid container like druid-overlord. First container in podSpec list No
druid.indexer.runner.kubexitImage String Used kubexit project to help shutdown sidecars when the main pod completes. Otherwise jobs with sidecars never terminate. karlkfi/kubexit:latest No
druid.indexer.runner.disableClientProxy boolean Use this if you have a global http(s) proxy and you wish to bypass it. false No
druid.indexer.runner.maxTaskDuration Duration Max time a task is allowed to run for before getting killed PT4H No
druid.indexer.runner.taskCleanupDelay Duration How long do jobs stay around before getting reaped from K8s P2D No
druid.indexer.runner.taskCleanupInterval Duration How often to check for jobs to be reaped PT10M No
druid.indexer.runner.K8sjobLaunchTimeout Duration How long to wait to launch a K8s task before marking it as failed, on a resource constrained cluster it may take some time. PT1H No
druid.indexer.runner.javaOptsArray JsonArray java opts for the task. -Xmx1g No
druid.indexer.runner.labels JsonObject Additional labels you want to add to peon pod {} No
druid.indexer.runner.annotations JsonObject Additional annotations you want to add to peon pod {} No
druid.indexer.runner.peonMonitors JsonArray Overrides druid.monitoring.monitors. Use this property if you don't want to inherit monitors from the Overlord. [] No
druid.indexer.runner.graceTerminationPeriodSeconds Long Number of seconds you want to wait after a sigterm for container lifecycle hooks to complete. Keep at a smaller value if you want tasks to hold locks for shorter periods. PT30S (K8s default) No
druid.indexer.runner.capacity Integer Number of concurrent jobs that can be sent to Kubernetes. 2147483647 No
druid.indexer.runner.cpuCoreInMicro Integer Number of CPU micro core for the task. 1000 No

Metrics added

Metric Description Dimensions Normal value
k8s/peon/startup/time Metric indicating the milliseconds for peon pod to startup. dataSource, taskId, taskType, groupId, taskStatus, tags Varies


  • All Druid Pods belonging to one Druid cluster must be inside the same Kubernetes namespace.

  • You must have a role binding for the overlord's service account that provides the needed permissions for interacting with Kubernetes. An example spec could be:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
  namespace: <druid-namespace>
  name: druid-k8s-task-scheduler
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "watch", "list", "delete", "create"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "watch", "list", "delete", "create"]
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
  name: druid-k8s-binding
  namespace: <druid-namespace>
  - kind: ServiceAccount
    name: <druid-overlord-k8s-service-account>
    namespace: <druid-namespace>
  kind: Role
  name: druid-k8s-task-scheduler
  apiGroup: rbac.authorization.k8s.io

Migration/Kubernetes and Worker Task Runner

If you are running a cluster with tasks running on middle managers or indexers and want to do a zero downtime migration to mm-less ingestion, the mm-less ingestion system is capable of running in migration mode by reading tasks from middle managers/indexers and Kubernetes and writing tasks to either middle managers or to Kubernetes.

To do this, set the following property. druid.indexer.runner.type: k8sAndWorker (instead of druid.indexer.runner.type: k8s)

Additional Configurations

Property Possible Values Description Default required
druid.indexer.runner.k8sAndWorker.runnerStrategy.type String (e.g., k8s, worker, taskType) Defines the strategy for task runner selection. k8s No
druid.indexer.runner.k8sAndWorker.runnerStrategy.workerType String (e.g., httpRemote, remote) Specifies the variant of the worker task runner to be utilized. httpRemote No
For taskType runner strategy:
druid.indexer.runner.k8sAndWorker.runnerStrategy.taskType.default String (e.g., k8s, worker) Specifies the default runner to use if no overrides apply. This setting ensures there is always a fallback runner available. None No
druid.indexer.runner.k8sAndWorker.runnerStrategy.taskType.overrides JsonObject(e.g., {"index_kafka": "worker"}) Defines task-specific overrides for runner types. Each entry sets a task type to a specific runner, allowing fine control. {} No