Creating a new cpuset within a Kubernetes pod

I've launched a Kubernetes pod (single container) with a static CPU management policy. It has a CPU request/limit of 10. This all seems to be working as expected:

cat /sys/fs/cgroup/cpuset/cpuset.cpus
11-20

What I'd like to do now is reserve a couple of those cores for a couple of very specific threads that are very sensitive to context-switching. Is it possible to create a child cpuset with just a couple of those CPUs? The cgroup filesystem is mounted as read-only:

mount | fgrep cpuset
cgroup on /sys/fs/cgroup/cpuset (ro,nosuid,nodev,noexec,relatime,cpuset)

…and so the usual procedure of using mkdir to create child cpusets doesn't work out of the box. I haven't found a way to mount /sys/fs/cgroup/cpuset/ as read-write.

My read between the lines is that this is all the intended behavior, and allowing pods to further subdivide their CPUs isn't supported. Still, is there a way to create a cpuset within a pod that I'm missing?
Solution 1:[1]

You could try to set SYS_ADMIN privilege to the container, but it may cause some security issues.

For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-deployment
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-deployment
  template:
    metadata:
      labels:
        app: demo-deployment
    spec:
      containers:
      - name: demo-deployment
        image: ---
        securityContext:
          runAsUser: 0
          capabilities:
            add: [SYS_ADMIN]
        volumeMounts:
        - name: cgroup
          mountPath: /sys/fs/cgroup
      volumes:
      - name: cgroup
        hostPath:
          path: /sys/fs/cgroup
          type: Directory
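The question describes the usual mkdir-based way of creating a child cpuset, and the answer above makes that possible by giving the container CAP_SYS_ADMIN and a hostPath mount of the node's /sys/fs/cgroup. Note what that mount implies: the container can then write to every cgroup on the node, not only its own, which is the "security issues" the answer alludes to. The script below is an added example, not code from the original question or answer. It implements the child-cpuset procedure for the cgroup v1 layout the question shows (cpuset.cpus, cpuset.mems, tasks), and adds the check a practitioner wants before touching a writable cgroup tree: the requested CPUs must be a subset of the pod's own cpuset.cpus, so a typo cannot grab CPUs outside the pod's allocation. The parent directory and the child name (`rt`) are parameters; the `demo` function runs the whole procedure against a constructed fake cgroup tree in a temp directory so it can be tried without a real cgroup mount.

```shell
#!/bin/sh
# Added example: create a child cpuset under a pod's cpuset (cgroup v1 layout).
# Assumptions: the parent directory is writable (the question notes it is
# read-only by default), and it contains cpuset.cpus, cpuset.mems and tasks.

# expand_cpulist "11-13,20" -> "11 12 13 20" (kernel cpulist syntax to a word list)
expand_cpulist() {
  echo "$1" | tr ',' '\n' | while IFS= read -r part; do
    case "$part" in
      *-*) lo=${part%-*}; hi=${part#*-}; i=$lo
           while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i+1)); done ;;
      '') ;;
      *) echo "$part" ;;
    esac
  done | tr '\n' ' ' | sed 's/ $//'
}

# cpus_subset "12 13" "11 12 ... 20": succeeds only if every CPU in $1 is in $2
cpus_subset() {
  for c in $1; do
    found=0
    for p in $2; do [ "$c" = "$p" ] && found=1 && break; done
    [ "$found" -eq 1 ] || return 1
  done
  return 0
}

# make_child_cpuset PARENT_DIR NAME CPULIST: prints the new cpuset's path.
# Refuses CPUs that are not already in the parent's cpuset.cpus.
make_child_cpuset() {
  parent=$1; name=$2; cpus=$3
  parent_cpus=$(expand_cpulist "$(cat "$parent/cpuset.cpus")")
  want=$(expand_cpulist "$cpus")
  if ! cpus_subset "$want" "$parent_cpus"; then
    echo "requested CPUs $cpus are outside the parent cpuset $(cat "$parent/cpuset.cpus")" >&2
    return 1
  fi
  mkdir -p "$parent/$name" || return 1
  # A child cpuset needs cpuset.mems set before any task can be attached.
  cat "$parent/cpuset.mems" > "$parent/$name/cpuset.mems"
  echo "$cpus" > "$parent/$name/cpuset.cpus"
  echo "$parent/$name"
}

# pin_to_cpuset CPUSET_DIR PID: move one thread/process into the child cpuset.
pin_to_cpuset() {
  echo "$2" > "$1/tasks"
}

# Self-contained demo on a constructed fake cgroup tree (no real cgroup needed).
# On a node you would pass the pod's real cpuset directory instead of "$root/cpuset".
demo() {
  root=$(mktemp -d)
  mkdir "$root/cpuset"
  echo "11-20" > "$root/cpuset/cpuset.cpus"   # constructed: matches the question's pod
  echo "0" > "$root/cpuset/cpuset.mems"
  : > "$root/cpuset/tasks"
  child=$(make_child_cpuset "$root/cpuset" "rt" "12-13") || return 1
  pin_to_cpuset "$child" 4242                 # constructed PID of a latency-sensitive thread
  cat "$child/cpuset.cpus"
}
```

Run `demo` to see the child created with `12-13`; calling `make_child_cpuset` with a CPU such as `21`, outside the pod's `11-20`, fails before any directory is made. Under cgroup v2 the file names differ (`cgroup.procs` instead of `tasks`, and the `cpuset` controller must be enabled in the parent's `cgroup.subtree_control`), so this script is specific to the v1 mount the question shows.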

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 zilex