[Backport 7.65.x] [clusteragent] Fix wrong computation of the init container resources (#36756)

agent-platform-auto-pr[bot] · iamluc · web-flow · commit cca933d34b0f · 2025-05-09T08:35:24.000+02:00
Co-authored-by: Luc Vieillescazes &lt;luc@vieillescazes.net&gt;
diff --git a/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation.go b/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation.go
@@ -293,6 +293,8 @@ func podSumRessourceRequirements(pod *corev1.Pod) corev1.ResourceRequirements {
 
 	for _, k := range [2]corev1.ResourceName{corev1.ResourceMemory, corev1.ResourceCPU} {
 		// Take max(initContainer ressource)
+		maxInitContainerLimit := resource.Quantity{}
+		maxInitContainerRequest := resource.Quantity{}
 		for i := range pod.Spec.InitContainers {
 			c := &pod.Spec.InitContainers[i]
 			if initContainerIsSidecar(c) {
@@ -301,19 +303,18 @@ func podSumRessourceRequirements(pod *corev1.Pod) corev1.ResourceRequirements {
 				continue
 			}
 			if limit, ok := c.Resources.Limits[k]; ok {
-				existing := ressourceRequirement.Limits[k]
-				if limit.Cmp(existing) == 1 {
-					ressourceRequirement.Limits[k] = limit
+				if limit.Cmp(maxInitContainerLimit) == 1 {
+					maxInitContainerLimit = limit
 				}
 			}
 			if request, ok := c.Resources.Requests[k]; ok {
-				existing := ressourceRequirement.Requests[k]
-				if request.Cmp(existing) == 1 {
-					ressourceRequirement.Requests[k] = request
+				if request.Cmp(maxInitContainerRequest) == 1 {
+					maxInitContainerRequest = request
 				}
 			}
 		}
 
+		// Take sum(container resources) + sum(sidecar containers)
 		limitSum := resource.Quantity{}
 		reqSum := resource.Quantity{}
 		for i := range pod.Spec.Containers {
@@ -338,15 +339,24 @@ func podSumRessourceRequirements(pod *corev1.Pod) corev1.ResourceRequirements {
 			}
 		}
 
-		// Take max(sum(container resources) + sum(sidecar container resources))
-		existingLimit := ressourceRequirement.Limits[k]
-		if limitSum.Cmp(existingLimit) == 1 {
-			ressourceRequirement.Limits[k] = limitSum
+		// Take max(max(initContainer resources), sum(container resources) + sum(sidecar containers))
+		if limitSum.Cmp(maxInitContainerLimit) == 1 {
+			maxInitContainerLimit = limitSum
+		}
+		if reqSum.Cmp(maxInitContainerRequest) == 1 {
+			maxInitContainerRequest = reqSum
+		}
+
+		// Ensure that the limit is greater or equal to the request
+		if maxInitContainerRequest.Cmp(maxInitContainerLimit) == 1 {
+			maxInitContainerLimit = maxInitContainerRequest
 		}
 
-		existingReq := ressourceRequirement.Requests[k]
-		if reqSum.Cmp(existingReq) == 1 {
-			ressourceRequirement.Requests[k] = reqSum
+		if maxInitContainerLimit.CmpInt64(0) == 1 {
+			ressourceRequirement.Limits[k] = maxInitContainerLimit
+		}
+		if maxInitContainerRequest.CmpInt64(0) == 1 {
+			ressourceRequirement.Requests[k] = maxInitContainerRequest
 		}
 	}
 
diff --git a/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation_test.go b/pkg/clusteragent/admission/mutate/autoinstrumentation/auto_instrumentation_test.go
@@ -1052,6 +1052,8 @@ func TestInjectLibInitContainer(t *testing.T) {
 		wantErr                   bool
 		wantCPU                   string
 		wantMem                   string
+		limitCPU                  string
+		limitMem                  string
 		secCtx                    *corev1.SecurityContext
 	}{
 		{
@@ -1469,6 +1471,124 @@ func TestInjectLibInitContainer(t *testing.T) {
 			wantCPU: "700m",
 			wantMem: "151Mi",
 		},
+		{
+			name: "init_container_request_greater_than_limit",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "java-pod",
+				},
+				Spec: corev1.PodSpec{
+					InitContainers: []corev1.Container{{Name: "i1", Resources: corev1.ResourceRequirements{
+						Limits: corev1.ResourceList{}, // No limits
+						Requests: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("200m"),
+							corev1.ResourceMemory: resource.MustParse("200Mi"),
+						},
+					}}},
+					Containers: []corev1.Container{{Name: "c1", Resources: corev1.ResourceRequirements{
+						Limits: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("100m"),
+							corev1.ResourceMemory: resource.MustParse("100Mi"),
+						},
+						Requests: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("100m"),
+							corev1.ResourceMemory: resource.MustParse("100Mi"),
+						},
+					}}},
+				},
+			},
+			image:    "gcr.io/datadoghq/dd-lib-java-init:v1",
+			lang:     java,
+			wantErr:  false,
+			wantCPU:  "200m",
+			wantMem:  "200Mi",
+			limitCPU: "200m",
+			limitMem: "200Mi",
+		},
+		{
+			name: "containers_request_greater_than_limit",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "java-pod",
+				},
+				Spec: corev1.PodSpec{
+					InitContainers: []corev1.Container{{Name: "i1", Resources: corev1.ResourceRequirements{
+						Limits: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("100m"),
+							corev1.ResourceMemory: resource.MustParse("100Mi"),
+						},
+						Requests: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("100m"),
+							corev1.ResourceMemory: resource.MustParse("100Mi"),
+						},
+					}}},
+					Containers: []corev1.Container{{Name: "c1", Resources: corev1.ResourceRequirements{
+						Limits: corev1.ResourceList{}, // No limits
+						Requests: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("200m"),
+							corev1.ResourceMemory: resource.MustParse("200Mi"),
+						},
+					}}},
+				},
+			},
+			image:    "gcr.io/datadoghq/dd-lib-java-init:v1",
+			lang:     java,
+			wantErr:  false,
+			wantCPU:  "200m",
+			wantMem:  "200Mi",
+			limitCPU: "200m",
+			limitMem: "200Mi",
+		},
+		{
+			name: "sidecar_container_request_greater_than_limit",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "java-pod",
+				},
+				Spec: corev1.PodSpec{
+					InitContainers: []corev1.Container{
+						{
+							Name: "init-container-1",
+							Resources: corev1.ResourceRequirements{
+								Limits: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("501m"),
+									corev1.ResourceMemory: resource.MustParse("101Mi"),
+								},
+								Requests: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("501m"),
+									corev1.ResourceMemory: resource.MustParse("101Mi"),
+								},
+							},
+						}, {
+							Name:          "sidecar-container-1",
+							RestartPolicy: pointer.Ptr(corev1.ContainerRestartPolicyAlways),
+							Resources: corev1.ResourceRequirements{
+								Limits: corev1.ResourceList{},
+								Requests: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("500m"),
+									corev1.ResourceMemory: resource.MustParse("50Mi"),
+								},
+							},
+						},
+					},
+					Containers: []corev1.Container{{Name: "c1", Resources: corev1.ResourceRequirements{
+						Limits: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("200m"),
+							corev1.ResourceMemory: resource.MustParse("101Mi"),
+						},
+						Requests: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("200m"),
+							corev1.ResourceMemory: resource.MustParse("101Mi"),
+						},
+					}}},
+				},
+			},
+			image:   "gcr.io/datadoghq/dd-lib-java-init:v1",
+			lang:    java,
+			wantErr: false,
+			wantCPU: "700m",
+			wantMem: "151Mi",
+		},
 		{
 			name: "todo",
 			pod: &corev1.Pod{
@@ -1579,17 +1699,27 @@ func TestInjectLibInitContainer(t *testing.T) {
 
 			req := tt.pod.Spec.InitContainers[initalInitContainerCount].Resources.Requests[corev1.ResourceCPU]
 			lim := tt.pod.Spec.InitContainers[initalInitContainerCount].Resources.Limits[corev1.ResourceCPU]
-			wantCPUQuantity := resource.MustParse(tt.wantCPU)
-			t.Log("CPU wants:", wantCPUQuantity.String(), "actual lim: ", lim.String())
-			require.Zero(t, wantCPUQuantity.Cmp(req)) // Cmp returns 0 if equal
-			require.Zero(t, wantCPUQuantity.Cmp(lim))
+			requestCPUQuantity := resource.MustParse(tt.wantCPU)
+			limitCPUQuantity := requestCPUQuantity
+			if tt.limitCPU != "" {
+				limitCPUQuantity = resource.MustParse(tt.limitCPU)
+			}
+
+			t.Log("expected CPU request/limit:", requestCPUQuantity.String(), "/", limitCPUQuantity.String(), ", actual request/limit:", req.String(), "/", lim.String())
+			require.Zero(t, requestCPUQuantity.Cmp(req), "expected CPU request: %s, actual: %s", requestCPUQuantity.String(), req.String()) // Cmp returns 0 if equal
+			require.Zero(t, limitCPUQuantity.Cmp(lim), "expected CPU limit: %s, actual: %s", limitCPUQuantity.String(), lim.String())
 
 			req = tt.pod.Spec.InitContainers[initalInitContainerCount].Resources.Requests[corev1.ResourceMemory]
 			lim = tt.pod.Spec.InitContainers[initalInitContainerCount].Resources.Limits[corev1.ResourceMemory]
-			wantMemQuantity := resource.MustParse(tt.wantMem)
-			t.Log("memeory wants:", wantMemQuantity.String(), "actual lim: ", lim.String())
-			require.Zero(t, wantMemQuantity.Cmp(req))
-			require.Zero(t, wantMemQuantity.Cmp(lim))
+			requestMemQuantity := resource.MustParse(tt.wantMem)
+			limitMemQuantity := requestMemQuantity
+			if tt.limitMem != "" {
+				limitMemQuantity = resource.MustParse(tt.limitMem)
+			}
+
+			t.Log("expected memory request/limit:", requestMemQuantity.String(), "/", limitMemQuantity.String(), ", actual request/limit:", req.String(), "/", lim.String())
+			require.Zero(t, requestMemQuantity.Cmp(req), "expected memory request: %s, actual: %s", requestMemQuantity.String(), req.String())
+			require.Zero(t, limitMemQuantity.Cmp(lim), "expected memory limit: %s, actual: %s", limitMemQuantity.String(), lim.String())
 
 			expSecCtx := tt.pod.Spec.InitContainers[0].SecurityContext
 			require.Equal(t, tt.secCtx, expSecCtx)
diff --git a/releasenotes-dca/notes/autoinstrumentation-fix-resources-computation-9f00f3aa904f5b5d.yaml b/releasenotes-dca/notes/autoinstrumentation-fix-resources-computation-9f00f3aa904f5b5d.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Fix wrong computation of the init container resources in the autoinstrumentation webhook.

Original file line number	Diff line number	Diff line change
`@@ -293,6 +293,8 @@ func podSumRessourceRequirements(pod *corev1.Pod) corev1.ResourceRequirements {`
`293`	`293`
`294`	`294`	`for _, k := range [2]corev1.ResourceName{corev1.ResourceMemory, corev1.ResourceCPU} {`
`295`	`295`	`// Take max(initContainer ressource)`
	`296`	`+ maxInitContainerLimit := resource.Quantity{}`
	`297`	`+ maxInitContainerRequest := resource.Quantity{}`
`296`	`298`	`for i := range pod.Spec.InitContainers {`
`297`	`299`	`c := &pod.Spec.InitContainers[i]`
`298`	`300`	`if initContainerIsSidecar(c) {`
`@@ -301,19 +303,18 @@ func podSumRessourceRequirements(pod *corev1.Pod) corev1.ResourceRequirements {`
`301`	`303`	`continue`
`302`	`304`	`}`
`303`	`305`	`if limit, ok := c.Resources.Limits[k]; ok {`
`304`		`- existing := ressourceRequirement.Limits[k]`
`305`		`- if limit.Cmp(existing) == 1 {`
`306`		`- ressourceRequirement.Limits[k] = limit`
	`306`	`+ if limit.Cmp(maxInitContainerLimit) == 1 {`
	`307`	`+ maxInitContainerLimit = limit`
`307`	`308`	`}`
`308`	`309`	`}`
`309`	`310`	`if request, ok := c.Resources.Requests[k]; ok {`
`310`		`- existing := ressourceRequirement.Requests[k]`
`311`		`- if request.Cmp(existing) == 1 {`
`312`		`- ressourceRequirement.Requests[k] = request`
	`311`	`+ if request.Cmp(maxInitContainerRequest) == 1 {`
	`312`	`+ maxInitContainerRequest = request`
`313`	`313`	`}`
`314`	`314`	`}`
`315`	`315`	`}`
`316`	`316`
	`317`	`+ // Take sum(container resources) + sum(sidecar containers)`
`317`	`318`	`limitSum := resource.Quantity{}`
`318`	`319`	`reqSum := resource.Quantity{}`
`319`	`320`	`for i := range pod.Spec.Containers {`
`@@ -338,15 +339,24 @@ func podSumRessourceRequirements(pod *corev1.Pod) corev1.ResourceRequirements {`
`338`	`339`	`}`
`339`	`340`	`}`
`340`	`341`
`341`		`- // Take max(sum(container resources) + sum(sidecar container resources))`
`342`		`- existingLimit := ressourceRequirement.Limits[k]`
`343`		`- if limitSum.Cmp(existingLimit) == 1 {`
`344`		`- ressourceRequirement.Limits[k] = limitSum`
	`342`	`+ // Take max(max(initContainer resources), sum(container resources) + sum(sidecar containers))`
	`343`	`+ if limitSum.Cmp(maxInitContainerLimit) == 1 {`
	`344`	`+ maxInitContainerLimit = limitSum`
	`345`	`+ }`
	`346`	`+ if reqSum.Cmp(maxInitContainerRequest) == 1 {`
	`347`	`+ maxInitContainerRequest = reqSum`
	`348`	`+ }`
	`349`	`+`
	`350`	`+ // Ensure that the limit is greater or equal to the request`
	`351`	`+ if maxInitContainerRequest.Cmp(maxInitContainerLimit) == 1 {`
	`352`	`+ maxInitContainerLimit = maxInitContainerRequest`
`345`	`353`	`}`
`346`	`354`
`347`		`- existingReq := ressourceRequirement.Requests[k]`
`348`		`- if reqSum.Cmp(existingReq) == 1 {`
`349`		`- ressourceRequirement.Requests[k] = reqSum`
	`355`	`+ if maxInitContainerLimit.CmpInt64(0) == 1 {`
	`356`	`+ ressourceRequirement.Limits[k] = maxInitContainerLimit`
	`357`	`+ }`
	`358`	`+ if maxInitContainerRequest.CmpInt64(0) == 1 {`
	`359`	`+ ressourceRequirement.Requests[k] = maxInitContainerRequest`
`350`	`360`	`}`
`351`	`361`	`}`
`352`	`362`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +fixes:
 +  - |
 +    Fix wrong computation of the init container resources in the autoinstrumentation webhook.