Kubernetes Job service by javanlacerda · Pull Request #5113 · google/clusterfuzz

javanlacerda · 2026-01-08T21:24:36Z

This PR introduces full support for scheduling and managing fuzzing tasks on Kubernetes clusters,
specifically targeting GKE. It implements a new KubernetesService to
handle batch job creation, supports Kata Containers for isolation, and includes robust testing
and configuration mechanisms.

Key Features:

Kubernetes Service: A new backend for RemoteTaskInterface that schedules tasks as Kubernetes
Jobs. It supports both standard and Kata Container runtimes, automatic Service Account
creation with Workload Identity, and intelligent job limiting to prevent cluster overload.
Traffic Shifting (RemoteTaskGate): A new gating mechanism (RemoteTaskGate) that intelligently
routes tasks between the legacy GCP Batch service and the new Kubernetes service based on
configurable probabilities, allowing for a gradual, controlled migration.
Feature Flags: A new dynamic configuration system backed by Datastore to control runtime
behaviors like job concurrency limits.

Detailed Changes by Module:

Kubernetes Integration (src/clusterfuzz/_internal/k8s/):
- service.py: Implemented KubernetesService for job lifecycle management (creation,
  monitoring, limiting). Includes GKE credential loading, Kata Container spec generation,
  and Service Account provisioning.
- Tests: Added k8s_service_test.py (unit), k8s_service_limit_test.py (limits), and
  k8s_service_e2e_test.py (integration on Kind).
Remote Task Management (src/clusterfuzz/_internal/remote_task/):
- init.py: Introduced RemoteTaskGate, a smart router that implements
  RemoteTaskInterface. It initializes both GcpBatchService and KubernetesService and
  distributes tasks between them based on probabilities defined in job_frequency.py. This
  enables traffic splitting (e.g., 10% to K8s, 90% to Batch) for safe rollout.
- job_frequency.py: Added logic to manage task scheduling frequency and split ratios.
- Refactored core task logic to use the generic RemoteTask and RemoteTaskInterface
  abstractions.
Datastore & Configuration (src/clusterfuzz/_internal/datastore/):
- data_types.py: Added FeatureFlag model to store configuration dynamically.
- feature_flags.py: Added FeatureFlags enum/helper for type-safe access to flags (e.g.,
  K8S_PENDING_JOBS_LIMITER).
Batch & Legacy Refactoring (src/clusterfuzz/_internal/batch/):
- service.py: Updated to align with the new RemoteTask interface.
- Removed obsolete gcp.py and google_cloud_utils/batch.py utilities in favor of the new
  structure.
Infrastructure & CI:
- .github/workflows/kubernetes-e2e-tests.yaml: New workflow for running E2E tests on a Kind
  cluster.
- Pipfile / src/Pipfile: Added kubernetes client and updated Google Cloud dependencies.
Bot & Metrics:
- src/python/bot/startup/run_bot.py: Updates to support K8s-based bot execution via the new
  gate.
- src/clusterfuzz/_internal/metrics/: Enhanced logging and monitoring for remote tasks.

Evidences:

Batch and Kata containers fuzzing hours, proving the Remote Gate, the Batch and Kubernetes services are working properly. The Feature Flag is used to set the job_frequency, then it proves the feature flag and its usage is working as well.

jonathanmetzman

left some very surface level comments.

Pipfile

butler.py

src/clusterfuzz/_internal/tests/core/platforms/__init__.py

src/python/bot/startup/run_bot.py

src/setup.py

This commit introduces the Kubernetes job client and service, providing a mechanism to schedule tasks on Kubernetes clusters (including GKE and Kind), supporting both standard and Kata Containers. Key Features & Changes: - **Kubernetes Service**: Implemented `KubernetesService` in `clusterfuzz._internal.k8s.service` to manage job creation. - **Kata Support**: Added specialized job creation for Kata Containers (`create_kata_container_job`) with required security context (`privileged`, `capabilities: ALL`), networking (`hostNetwork: True`), and environment variables (`HOST_UID`). - **Dependency Management**: Added `kubernetes` and necessary Google Cloud dependencies (`google-api-python-client`, `google-cloud-storage`, `google-cloud-ndb`, etc.) to `Pipfile`. - **E2E Testing**: - Created `tests.core.k8s.k8s_service_e2e_test` to verify job lifecycle on a local Kind cluster. - Updated `local/tests/kubernetes_e2e_test.bash` to provision the test environment. - Updated CI workflow (`.github/workflows/kubernetes-e2e-tests.yaml`) to install JDK 21 (required for Datastore emulator). - Tests now verify job "Running" status to avoid timeouts with long-running commands. - `KubernetesService` skips default credential loading when `K8S_E2E` is set to utilize the test-provided kubeconfig. - **Unit Tests**: Added comprehensive unit tests in `tests.core.k8s.k8s_service_test` and `tests.core.kubernetes.kubernetes_test`, including mocking of `load_kube_config` and `_load_gke_credentials` to ensure robust testing without external dependencies.

Signed-off-by: Javan Lacerda <javanlacerda@google.com>

src/clusterfuzz/_internal/remote_task/remote_task_adapters.py

src/clusterfuzz/_internal/remote_task/remote_task_types.py

src/clusterfuzz/_internal/remote_task/__init__.py

src/clusterfuzz/_internal/tests/core/k8s/k8s_service_e2e_test.py

src/clusterfuzz/_internal/base/tasks/__init__.py

src/clusterfuzz/_internal/batch/service.py

Signed-off-by: Javan Lacerda <javanlacerda@google.com>

src/clusterfuzz/_internal/datastore/feature_flags.py

Signed-off-by: Javan Lacerda <javanlacerda@google.com>

javanlacerda · 2026-01-21T00:37:39Z

Are we using preemptibles btw?

We're not, and will it's not part of the plan using it for the clusters. You can see more details on go/clusterfuzz-to-kubernetes

Signed-off-by: Javan Lacerda <javanlacerda@google.com>

src/clusterfuzz/_internal/base/tasks/__init__.py

src/clusterfuzz/_internal/base/feature_flags.py

jonathanmetzman · 2026-01-22T03:37:02Z