feat(controller): taint/toleration scheduling filter with class merge

syscod3 · syscod3 · commit 54d8cfdcc9be · 2026-03-07T02:32:44.000Z
Add tolerationMatchesTaint, toleratesTaint, nodeToleratedBy, filterByTolerations,
and resolveTolerations helpers. Refactor schedule() to resolve ImpVMClassSpec once
early (step 4) for both toleration merging and capacity; apply the taint filter as
step 5 before capacity checks. System node.kubernetes.io/* taints are skipped since
filterSchedulable already enforces the underlying node conditions.
diff --git a/internal/controller/impvm_coverage_test.go b/internal/controller/impvm_coverage_test.go
@@ -722,6 +722,128 @@ var _ = Describe("filterSchedulable", func() {
 	})
 })
 
+// ─── taint/toleration helpers ────────────────────────────────────────────────
+
+var _ = Describe("tolerationMatchesTaint", func() {
+	It("matches Equal operator with correct key+value+effect", func() {
+		tol := corev1.Toleration{Key: "env", Operator: corev1.TolerationOpEqual, Value: "prod", Effect: corev1.TaintEffectNoSchedule}
+		tai := corev1.Taint{Key: "env", Value: "prod", Effect: corev1.TaintEffectNoSchedule}
+		Expect(tolerationMatchesTaint(tol, tai)).To(BeTrue())
+	})
+
+	It("does not match Equal operator with wrong value", func() {
+		tol := corev1.Toleration{Key: "env", Operator: corev1.TolerationOpEqual, Value: "staging", Effect: corev1.TaintEffectNoSchedule}
+		tai := corev1.Taint{Key: "env", Value: "prod", Effect: corev1.TaintEffectNoSchedule}
+		Expect(tolerationMatchesTaint(tol, tai)).To(BeFalse())
+	})
+
+	It("matches Exists operator regardless of value", func() {
+		tol := corev1.Toleration{Key: "env", Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoSchedule}
+		tai := corev1.Taint{Key: "env", Value: "anything", Effect: corev1.TaintEffectNoSchedule}
+		Expect(tolerationMatchesTaint(tol, tai)).To(BeTrue())
+	})
+
+	It("matches Exists with empty key (wildcard)", func() {
+		tol := corev1.Toleration{Operator: corev1.TolerationOpExists}
+		tai := corev1.Taint{Key: "any-key", Value: "any-value", Effect: corev1.TaintEffectNoExecute}
+		Expect(tolerationMatchesTaint(tol, tai)).To(BeTrue())
+	})
+
+	It("does not match when effect differs", func() {
+		tol := corev1.Toleration{Key: "env", Operator: corev1.TolerationOpEqual, Value: "prod", Effect: corev1.TaintEffectNoExecute}
+		tai := corev1.Taint{Key: "env", Value: "prod", Effect: corev1.TaintEffectNoSchedule}
+		Expect(tolerationMatchesTaint(tol, tai)).To(BeFalse())
+	})
+
+	It("matches when toleration effect is empty (tolerates all effects)", func() {
+		tol := corev1.Toleration{Key: "env", Operator: corev1.TolerationOpEqual, Value: "prod"}
+		tai := corev1.Taint{Key: "env", Value: "prod", Effect: corev1.TaintEffectNoSchedule}
+		Expect(tolerationMatchesTaint(tol, tai)).To(BeTrue())
+	})
+})
+
+var _ = Describe("nodeToleratedBy", func() {
+	It("returns true when node has no taints", func() {
+		n := corev1.Node{}
+		Expect(nodeToleratedBy(n, nil)).To(BeTrue())
+	})
+
+	It("returns true when NoSchedule taint is tolerated", func() {
+		n := corev1.Node{Spec: corev1.NodeSpec{Taints: []corev1.Taint{
+			{Key: "key", Value: "val", Effect: corev1.TaintEffectNoSchedule},
+		}}}
+		tols := []corev1.Toleration{{Key: "key", Operator: corev1.TolerationOpEqual, Value: "val", Effect: corev1.TaintEffectNoSchedule}}
+		Expect(nodeToleratedBy(n, tols)).To(BeTrue())
+	})
+
+	It("returns false when NoSchedule taint is not tolerated", func() {
+		n := corev1.Node{Spec: corev1.NodeSpec{Taints: []corev1.Taint{
+			{Key: "key", Value: "val", Effect: corev1.TaintEffectNoSchedule},
+		}}}
+		Expect(nodeToleratedBy(n, nil)).To(BeFalse())
+	})
+
+	It("returns true when only PreferNoSchedule taint is present (always allowed)", func() {
+		n := corev1.Node{Spec: corev1.NodeSpec{Taints: []corev1.Taint{
+			{Key: "key", Value: "val", Effect: corev1.TaintEffectPreferNoSchedule},
+		}}}
+		Expect(nodeToleratedBy(n, nil)).To(BeTrue())
+	})
+
+	It("returns false when NoExecute taint is not tolerated", func() {
+		n := corev1.Node{Spec: corev1.NodeSpec{Taints: []corev1.Taint{
+			{Key: "dedicated", Value: "gpu", Effect: corev1.TaintEffectNoExecute},
+		}}}
+		Expect(nodeToleratedBy(n, nil)).To(BeFalse())
+	})
+
+	It("returns true when only system node.kubernetes.io/* taints are present (handled by filterSchedulable)", func() {
+		n := corev1.Node{Spec: corev1.NodeSpec{Taints: []corev1.Taint{
+			{Key: "node.kubernetes.io/not-ready", Effect: corev1.TaintEffectNoSchedule},
+		}}}
+		Expect(nodeToleratedBy(n, nil)).To(BeTrue())
+	})
+})
+
+var _ = Describe("filterByTolerations", func() {
+	It("returns only nodes whose taints are fully tolerated", func() {
+		tols := []corev1.Toleration{{Key: "zone", Operator: corev1.TolerationOpEqual, Value: "us-east", Effect: corev1.TaintEffectNoSchedule}}
+		nodes := []corev1.Node{
+			{ObjectMeta: metav1.ObjectMeta{Name: "ok"}, Spec: corev1.NodeSpec{Taints: []corev1.Taint{
+				{Key: "zone", Value: "us-east", Effect: corev1.TaintEffectNoSchedule},
+			}}},
+			{ObjectMeta: metav1.ObjectMeta{Name: "blocked"}, Spec: corev1.NodeSpec{Taints: []corev1.Taint{
+				{Key: "zone", Value: "eu-west", Effect: corev1.TaintEffectNoSchedule},
+			}}},
+			{ObjectMeta: metav1.ObjectMeta{Name: "clean"}},
+		}
+		result := filterByTolerations(nodes, tols)
+		Expect(result).To(HaveLen(2))
+		names := []string{result[0].Name, result[1].Name}
+		Expect(names).To(ConsistOf("ok", "clean"))
+	})
+})
+
+var _ = Describe("resolveTolerations", func() {
+	It("returns VM tolerations when classSpec is nil", func() {
+		vm := &impdevv1alpha1.ImpVM{}
+		vm.Spec.Tolerations = []corev1.Toleration{
+			{Key: "k", Operator: corev1.TolerationOpEqual, Value: "v"},
+		}
+		Expect(resolveTolerations(vm, nil)).To(HaveLen(1))
+	})
+
+	It("merges class and VM tolerations additively", func() {
+		vm := &impdevv1alpha1.ImpVM{}
+		vm.Spec.Tolerations = []corev1.Toleration{{Key: "vm-key"}}
+		classSpec := &impdevv1alpha1.ImpVMClassSpec{
+			Tolerations: []corev1.Toleration{{Key: "class-key"}},
+		}
+		result := resolveTolerations(vm, classSpec)
+		Expect(result).To(HaveLen(2))
+	})
+})
+
 // ─── syncStatus: node healthy path ───────────────────────────────────────────
 
 var _ = Describe("ImpVM syncStatus: node healthy", func() {
diff --git a/internal/controller/impvm_scheduler.go b/internal/controller/impvm_scheduler.go
@@ -19,6 +19,7 @@ package controller
 import (
 	"context"
 	"sort"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -74,30 +75,43 @@ func (r *ImpVMReconciler) schedule(ctx context.Context, vm *impdevv1alpha1.ImpVM
 		return "", nil
 	}
 
-	// 2b. Filter out unready / unschedulable nodes
+	// 3. Filter out unready / unschedulable nodes
 	eligible = filterSchedulable(eligible)
 	if len(eligible) == 0 {
 		return "", nil
 	}
 
-	// 3. Count running VMs per node
+	// 4. Resolve VM class spec once (best-effort: tolerations + capacity)
+	var classSpec *impdevv1alpha1.ImpVMClassSpec
+	if cs, err := resolveClassSpec(ctx, r.Client, vm); err != nil {
+		log.V(1).Info("could not resolve class spec; using VM-only tolerations and skipping capacity check",
+			"vm", vm.Name, "err", err)
+	} else {
+		classSpec = cs
+	}
+
+	// 5. Filter by taint tolerations
+	tolerations := resolveTolerations(vm, classSpec)
+	eligible = filterByTolerations(eligible, tolerations)
+	if len(eligible) == 0 {
+		return "", nil
+	}
+
+	// 6. Count running VMs per node
 	allVMs := &impdevv1alpha1.ImpVMList{}
 	if err := r.List(ctx, allVMs); err != nil {
 		return "", err
 	}
 	runningPerNode := countRunningVMs(allVMs.Items)
 
-	// 4. Resolve VM compute class (best-effort: skip capacity check if unresolvable)
+	// 7. Extract compute requirements
 	var vmVCPU, vmMemMiB int32
-	if classSpec, err := resolveClassSpec(ctx, r.Client, vm); err != nil {
-		log.V(1).Info("could not resolve class spec for capacity check; skipping compute limit",
-			"vm", vm.Name, "err", err)
-	} else {
+	if classSpec != nil {
 		vmVCPU = classSpec.VCPU
 		vmMemMiB = classSpec.MemoryMiB
 	}
 
-	// 5a. Explicit-capacity scheduling: use Schedule() for nodes that have VCPUCapacity set on profile.
+	// 8a. Explicit-capacity scheduling
 	usedResources := sumUsedResources(ctx, r.Client, allVMs.Items)
 	var explicitNodes []NodeInfo
 	for _, node := range eligible {
@@ -119,18 +133,17 @@ func (r *ImpVMReconciler) schedule(ctx context.Context, vm *impdevv1alpha1.ImpVM
 		if err == nil {
 			return chosen, nil
 		}
-		// ErrUnschedulable from explicit-capacity nodes — fall through to fraction-based
-		// logic for any nodes without explicit profiles.
+		// ErrUnschedulable from explicit-capacity nodes — fall through to fraction-based.
 	}
 
-	// 5. Fetch global default fraction from ClusterImpConfig (best-effort)
+	// 8. Fetch global default fraction from ClusterImpConfig (best-effort)
 	globalFraction := 0.9
 	cfg := &impdevv1alpha1.ClusterImpConfig{}
 	if err := r.Get(ctx, client.ObjectKey{Name: "cluster"}, cfg); err == nil {
 		globalFraction = parseFraction(cfg.Spec.Capacity.DefaultFraction)
 	}
 
-	// 6. Apply capacity caps
+	// 9. Apply capacity caps
 	type candidate struct {
 		name    string
 		running int
@@ -139,19 +152,16 @@ func (r *ImpVMReconciler) schedule(ctx context.Context, vm *impdevv1alpha1.ImpVM
 	for _, node := range eligible {
 		running := runningPerNode[node.Name]
 
-		// Fetch per-node profile (may be absent)
 		profile := &impdevv1alpha1.ClusterImpNodeProfile{}
 		err := r.Get(ctx, client.ObjectKey{Name: node.Name}, profile)
 		if err != nil && !apierrors.IsNotFound(err) {
 			return "", err
 		}
 
-		// Hard count cap from profile.
 		if err == nil && profile.Spec.MaxImpVMs > 0 && int32(running) >= profile.Spec.MaxImpVMs { //nolint:gosec
 			continue
 		}
 
-		// Compute-based cap (only when class was resolved and node has allocatable).
 		if vmVCPU > 0 {
 			fraction := globalFraction
 			if err == nil && profile.Spec.CapacityFraction != "" {
@@ -172,7 +182,7 @@ func (r *ImpVMReconciler) schedule(ctx context.Context, vm *impdevv1alpha1.ImpVM
 		return "", nil
 	}
 
-	// 7. Least-loaded first; alphabetical tie-break
+	// 10. Least-loaded first; alphabetical tie-break
 	sort.Slice(candidates, func(i, j int) bool {
 		if candidates[i].running != candidates[j].running {
 			return candidates[i].running < candidates[j].running
@@ -182,6 +192,71 @@ func (r *ImpVMReconciler) schedule(ctx context.Context, vm *impdevv1alpha1.ImpVM
 	return candidates[0].name, nil
 }
 
+// tolerationMatchesTaint checks whether a single toleration covers a taint.
+func tolerationMatchesTaint(t corev1.Toleration, taint corev1.Taint) bool {
+	// Effect must match, unless toleration effect is empty (matches all effects).
+	if t.Effect != "" && t.Effect != taint.Effect {
+		return false
+	}
+	if t.Operator == corev1.TolerationOpExists {
+		// Empty key = wildcard; matches any taint key.
+		return t.Key == "" || t.Key == taint.Key
+	}
+	// TolerationOpEqual (default)
+	return t.Key == taint.Key && t.Value == taint.Value
+}
+
+// toleratesTaint returns true if any toleration in the list covers the taint.
+func toleratesTaint(taint corev1.Taint, tolerations []corev1.Toleration) bool {
+	for _, t := range tolerations {
+		if tolerationMatchesTaint(t, taint) {
+			return true
+		}
+	}
+	return false
+}
+
+// nodeToleratedBy returns true when all NoSchedule and NoExecute taints on
+// the node are covered by tolerations. PreferNoSchedule is always allowed.
+// System node-lifecycle taints (node.kubernetes.io/*) are skipped because
+// their corresponding conditions are already enforced by filterSchedulable.
+func nodeToleratedBy(node corev1.Node, tolerations []corev1.Toleration) bool {
+	for _, taint := range node.Spec.Taints {
+		if taint.Effect == corev1.TaintEffectPreferNoSchedule {
+			continue
+		}
+		// Skip well-known system taints managed by the node lifecycle controller;
+		// filterSchedulable already gates on the underlying node conditions.
+		if strings.HasPrefix(taint.Key, "node.kubernetes.io/") {
+			continue
+		}
+		if !toleratesTaint(taint, tolerations) {
+			return false
+		}
+	}
+	return true
+}
+
+func filterByTolerations(nodes []corev1.Node, tolerations []corev1.Toleration) []corev1.Node {
+	var result []corev1.Node
+	for _, n := range nodes {
+		if nodeToleratedBy(n, tolerations) {
+			result = append(result, n)
+		}
+	}
+	return result
+}
+
+// resolveTolerations returns the additive union of class-level and VM-level tolerations.
+func resolveTolerations(vm *impdevv1alpha1.ImpVM, classSpec *impdevv1alpha1.ImpVMClassSpec) []corev1.Toleration {
+	var result []corev1.Toleration
+	if classSpec != nil {
+		result = append(result, classSpec.Tolerations...)
+	}
+	result = append(result, vm.Spec.Tolerations...)
+	return result
+}
+
 func filterByNodeSelector(nodes []corev1.Node, selector map[string]string) []corev1.Node {
 	if len(selector) == 0 {
 		return nodes
