< Marvin> I have a k8s workpool that runs in google when i t Prefect Community #ask-marvin

<@ULVA73B9P> I have a k8s workpool that runs in go...

Rasmus

07/09/2025, 11:00 AM

@Marvin I have a k8s workpool that runs in google, when i try to execute two flows simoultaneously, one of them is stuck in pending until the other finishes executing - how can i change this? I dont have any concurrency limit

Marvin

07/09/2025, 11:00 AM

✅ thought for 97.2 seconds

Marvin

07/09/2025, 11:02 AM

Based on the research and issue review, I can explain what's happening and how to fix it. The issue you're experiencing is likely related to the default configuration of your Kubernetes work pool. Here's how to enable multiple concurrent flow runs: 1. First, check your work pool settings in the UI by going to the Work Pools page and selecting your Kubernetes work pool. 2. You can enable concurrent runs in one of two ways: Option 1: Through the UI - Navigate to your work pool - Click on the "Default Queue" (or the specific queue you're using) - Set the concurrency limit to a higher number (or -1 for unlimited concurrency) Option 2: Through the CLI

Copy code

bash
   prefect work-pool update-queue "your-k8s-pool-name" --concurrency-limit 5

3. Additionally, ensure your Kubernetes cluster has enough resources to handle multiple pods. Check: - Available CPU and memory in your node pool - Any resource quotas set on your namespace - Pod scheduling settings 4. If you're using the default work pool configuration, you might want to adjust the Kubernetes-specific settings in your work pool configuration to optimize for concurrent execution:

Copy code

yaml
   push_work_pool:
     name: "k8s-pool"
     work_queue:
       name: "default"
       concurrency_limit: 5
     job_variables:
       resources:
         requests:
           memory: "512Mi"
           cpu: "250m"
         limits:
           memory: "1Gi"
           cpu: "500m"

The key points to remember: - Each flow run creates its own Kubernetes pod - Concurrency is managed at the work queue level - Make sure your Kubernetes cluster has enough resources to handle multiple pods - The default queue concurrency limit might be set to 1, which would cause the behavior you're seeing Links for further reading: - Work Pools Documentation - How to Configure Work Queues Let me know if you need help with any specific configuration settings or if you run into any issues while implementing these changes.

Rasmus

07/09/2025, 11:15 AM

@Marvin my concurreny limit is "None", and my cluster should have enough resources. When i trigger two runs at the same time, one of the pods goes immediately to "running" state, while the other is stuck in pending

Marvin

07/09/2025, 11:15 AM

✅ thought for 77.9 seconds

Marvin

07/09/2025, 11:16 AM

If one pod is stuck in "Pending" while another is "Running", this is almost certainly a Kubernetes scheduling issue. Here's how to diagnose and fix it: 1. First, check why the pod is pending:

Copy code

bash
kubectl describe pod <pending-pod-name>

Look for the "Events" section at the bottom - this will tell you exactly why Kubernetes hasn't scheduled the pod. 2. Common reasons for pending pods and their solutions: a. Node Selector/Affinity Issues - If your work pool configuration includes node selectors or affinity rules, ensure they're not preventing scheduling on available nodes - Check if your nodes are properly labeled b. Resource Quotas - Check if your namespace has resource quotas:

Copy code

bash
     kubectl describe resourcequota -n your-namespace

- Verify current resource usage:

Copy code

bash
     kubectl describe namespace your-namespace

c. Pod Anti-Affinity - If you have pod anti-affinity rules (either in your work pool config or cluster config), they might prevent pods from being scheduled on the same node 3. To fix this, you might need to: a. Adjust your work pool's job template to specify appropriate resource requests:

Copy code

yaml
   job_configuration:
     kubernetes:
       pod_spec:
         containers:
           - name: prefect
             resources:
               requests:
                 memory: "256Mi"
                 cpu: "100m"
               limits:
                 memory: "512Mi"
                 cpu: "200m"

b. Check if you have enough nodes available:

Copy code

bash
   kubectl get nodes
   kubectl describe nodes

c. Verify that your nodes aren't tainted or have appropriate tolerations:

Copy code

bash
   kubectl get nodes -o custom-columns=NAME:.metadata.name,TAINTS:.spec.taints

4. If you're using GKE specifically: - Check if autoscaling is enabled and working properly - Verify that your node pools have enough capacity - Look at the GKE console for any resource quotas or limits at the project level The key is to first identify exactly why Kubernetes isn't scheduling the pod using

kubectl describe pod

. The events section will tell you precisely what's preventing the scheduling, whether it's resource constraints, node selector issues, or other configuration problems. Would you like me to help interpret the output of

kubectl describe pod

for your pending pod? That would give us the exact reason for the scheduling delay.

Marvin

07/09/2025, 11:20 AM

✅ thought for 13.4 seconds

Marvin

07/09/2025, 11:20 AM

Ah, now we can see exactly what's happening. There are two distinct issues here: 1. Initial Resource Constraints:

Copy code

0/2 nodes are available: 1 Insufficient memory, 2 Insufficient cpu

Your cluster doesn't have enough immediate resources available on the existing nodes. 2. Autoscaling Failure:

Copy code

Warning  FailedScaleUp     2m27s  cluster-autoscaler    Node scale up in zones europe-west3-c associated with this pod failed: GCE quota exceeded

The cluster autoscaler tried to create a new node to accommodate your pod, but it hit a GCP quota limit. To fix this, you have several options: 1. Short-term fix: Increase your GCP quotas - Go to the GCP Console → IAM & Admin → Quotas - Look for quotas in europe-west3-c zone, particularly: - CPU quotas - Instance group size quotas - Request an increase for the relevant quotas 2. Resource Management fixes: - Adjust your pod resource requests in your work pool configuration:

Copy code

yaml
   job_configuration:
     kubernetes:
       pod_spec:
         containers:
           - name: prefect-job
             resources:
               requests:
                 memory: "256Mi"  # Adjust these values based on your actual needs
                 cpu: "200m"
               limits:
                 memory: "512Mi"
                 cpu: "500m"

3. Cluster Configuration fixes: - Increase the size of your node pool manually instead of relying on autoscaling - Or adjust your node pool's autoscaling configuration:

Copy code

bash
   gcloud container clusters update your-cluster-name \
     --node-pool=your-pool-name \
     --enable-autoscaling \
     --min-nodes=2 \
     --max-nodes=4  # Adjust based on your quota and needs

4. Immediate Workaround: - If possible, schedule your flows to run sequentially rather than concurrently until you can implement one of the above solutions - Or terminate any unnecessary pods/workloads to free up resources The good news is that your pod eventually did get scheduled (

Successfully assigned prefect/prefect-worker-dlqcs-cvptf

), but this delay is not ideal for production workloads. Would you like me to provide more specific guidance on any of these solutions? For example, I can help you: 1. Calculate appropriate resource requests based on your workload 2. Guide you through the GCP quota increase process 3. Help optimize your node pool configuration

Rasmus

07/09/2025, 11:30 AM

@Marvin Im running in GKE autopilot - can this affect it? Also am i affected by my helm chart?

Marvin

07/09/2025, 11:31 AM

✅ thought for 53.8 seconds

Marvin

07/09/2025, 11:32 AM

Yes, GKE Autopilot absolutely affects this situation! This is actually quite important because GKE Autopilot has some specific requirements and limitations that are likely causing your scheduling issues: 1. GKE Autopilot Requirements: - Autopilot requires you to specify resource requests and limits for all containers - It enforces minimum resource requirements - It has stricter pod scheduling rules than standard GKE 2. Minimum Resource Requirements in Autopilot:

Copy code

CPU: minimum 0.25 vCPU (250m)
   Memory: minimum 0.5 Gi

Any pods requesting less than these minimums will be automatically increased to meet them. 3. Your Helm Chart Configuration: Yes, your Helm chart values can definitely affect this. You should check:

Copy code

yaml
   # In your values.yaml
   worker:
     resources:
       requests:
         cpu: "500m"      # Must be at least 250m in Autopilot
         memory: "512Mi"  # Must be at least 0.5Gi in Autopilot
       limits:
         cpu: "1000m"    
         memory: "1Gi"

To fix this in GKE Autopilot: 1. Update your Work Pool configuration:

Copy code

yaml
   job_configuration:
     kubernetes:
       pod_spec:
         containers:
           - name: prefect-job
             resources:
               requests:
                 memory: "1Gi"     # Safe Autopilot minimum
                 cpu: "500m"       # Safe Autopilot minimum
               limits:
                 memory: "2Gi"     # Adjust based on your workload
                 cpu: "1000m"      # Adjust based on your workload

2. Check your Helm chart values: - Ensure resource requests/limits are properly set - Make sure you're not using any features that Autopilot doesn't support (like DaemonSets) 3. Consider Workload Optimization: - If possible, batch your workloads instead of running them concurrently - Use work queues to control the flow of concurrent executions - Consider using Prefect's built-in concurrency controls at the flow level 4. Monitor Resource Usage:

Copy code

bash
   # Check actual resource usage of your pods
   kubectl top pods -n your-namespace
   
   # Check Autopilot cluster metrics
   kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes" | jq

The key differences with Autopilot vs standard GKE are: - You can't manage nodes directly - Resource requirements are strictly enforced - Scaling is fully automated but must comply with Autopilot's requirements Would you like me to: 1. Help review your current Helm chart configuration? 2. Provide specific resource configurations optimized for your workload in Autopilot? 3. Suggest alternative scheduling strategies that might work better with Autopilot's constraints?

Rasmus

07/09/2025, 11:34 AM

@Marvin My helm for my prefect worker looks like this: ## Common parameters # -- partially overrides common.names.name nameOverride: "" # -- fully override common.names.fullname fullnameOverride: "prefect-worker" # -- fully override common.names.namespace namespaceOverride: "" # -- labels to add to all deployed objects commonLabels: {} # -- annotations to add to all deployed objects commonAnnotations: {} ## Deployment Configuration worker: autoscaling: # -- enable autoscaling for the worker enabled: true # -- minimum number of replicas to scale down to minReplicas: 1 # -- maximum number of replicas to scale up to maxReplicas: 10 # -- target CPU utilization percentage for scaling the worker targetCPUUtilizationPercentage: 80 # -- target memory utilization percentage for scaling the worker targetMemoryUtilizationPercentage: 80 # -- unique cluster identifier, if none is provided this value will be inferred at time of helm install clusterUid: "" initContainer: # -- the resource specifications for the sync-base-job-template initContainer # Defaults to the resources defined for the worker container resources: {} # -- the requested resources for the sync-base-job-template initContainer # requests: # memory: 256Mi # cpu: 100m # ephemeral-storage: # -- the requested limits for the sync-base-job-template initContainer # limits: # memory: 1Gi # cpu: 1000m # ephemeral-storage: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container # -- security context for the sync-base-job-template initContainer containerSecurityContext: # -- set init containers' security context runAsUser runAsUser: 1001 # -- set init containers' security context runAsNonRoot runAsNonRoot: true # -- set init containers' security context readOnlyRootFilesystem readOnlyRootFilesystem: true # -- set init containers' security context allowPrivilegeEscalation allowPrivilegeEscalation: false # -- set init container's security context capabilities capabilities: {} # -- additional sidecar containers extraContainers: [] ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy # -- optional dns policy for worker deployment dnsPolicy: "" ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config dnsConfig: # -- optional list of IP addresses that will be used as dns servers for the Pod nameservers: [] # -- optional list of dns search domains for hostname lookup in the Pod searches: [] # -- optional list of dns options for the Pod options: [] # - name: ndots # value: "2" image: # -- worker image repository repository: prefecthq/prefect ## prefect tag is pinned to the latest available image tag at packaging time. Update the value here to ## override pinned tag # -- prefect image tag (immutable tags are recommended) prefectTag: 3-python3.11-kubernetes # -- worker image pull policy pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## e.g: ## pullSecrets: ## - myRegistryKeySecretName # -- worker image pull secrets pullSecrets: [] # -- enable worker image debug mode debug: false ## general configuration of the worker config: # -- the work pool that your started worker will poll. workPool: "test-work-pool" # -- one or more work queue names for the worker to pull from. if not provided, the worker will pull from all work queues in the work pool workQueues: [] # -- how often the worker will query for runs queryInterval: 5 # -- when querying for runs, how many seconds in the future can they be scheduled prefetchSeconds: 10 # -- connect using HTTP/2 if the server supports it (experimental) http2: true ## You can set the worker type here. ## The default image includes only the type "kubernetes". ## Custom workers must be properly registered with the prefect cli. ## See the guide here: https://docs.prefect.io/2.11.3/guides/deployment/developing-a-new-worker-type/ # -- specify the worker type type: kubernetes ## one of 'always', 'if-not-present', 'never', 'prompt' # -- install policy to use workers from Prefect integration packages. installPolicy: prompt # -- the name to give to the started worker. If not provided, a unique name will be generated. name: null # -- maximum number of flow runs to start simultaneously (default: unlimited) limit: null ## If unspecified, Prefect will use the default base job template for the given worker type. If the work pool already exists, this will be ignored. ## e.g.: ## baseJobTemplate: ## configuration: | ## { ## "variables": { ## ... ## }, ## "job_configuration": { ## ... ## } ## } ## OR ## baseJobTemplate: ## existingConfigMapName: "my-existing-config-map" baseJobTemplate: # -- the name of an existing ConfigMap containing a base job template. NOTE - the key must be 'baseJobTemplate.json' existingConfigMapName: "" # -- JSON formatted base job template. If data is provided here, the chart will generate a configmap and mount it to the worker pod configuration: null # -- optionally override the default name of the generated configmap # name: "" ## connection settings # -- one of 'cloud', 'selfManagedCloud', or 'selfHostedServer' apiConfig: selfHostedServer selfHostedServerApiConfig: # If the prefect server is located external to this cluster, set a fully qualified domain name as the apiUrl # If the prefect server pod is deployed to this cluster, use the cluster DNS endpoint: http//<prefect server service name>.<namespace>.svc.cluster.local<prefect-server-port>/api # -- prefect API url (PREFECT_API_URL) apiUrl: "http://prefect-server.prefect.svc.cluster.local:4200/api" # ref: https://docs.prefect.io/v3/develop/settings-and-profiles#security-settings basicAuth: # -- enable basic auth for the worker, for an administrator/password combination. must be enabled on the server as well enabled: true # -- basic auth credentials in the format admin:<your-password> (no brackets) authString: "admin:pass" # -- name of existing secret containing basic auth credentials. takes precedence over authString. must contain a key

auth-string

with the value of the auth string existingSecret: "" # -- the number of old ReplicaSets to retain to allow rollback revisionHistoryLimit: 10 # -- number of worker replicas to deploy replicaCount: 1 resources: # -- the requested resources for the worker container requests: memory: 256Mi cpu: 100m # ephemeral-storage: # -- the requested limits for the worker container limits: memory: 24Gi cpu: 10000m # ephemeral-storage: # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ livenessProbe: enabled: false config: # -- The number of seconds to wait before starting the first probe. initialDelaySeconds: 10 # -- The number of seconds to wait between consecutive probes. periodSeconds: 10 # -- The number of seconds to wait for a probe response before considering it as failed. timeoutSeconds: 5 # -- The number of consecutive failures allowed before considering the probe as failed. failureThreshold: 3 # -- The minimum consecutive successes required to consider the probe successful. successThreshold: 1 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod podSecurityContext: # -- set worker pod's security context runAsUser runAsUser: 1001 # -- set worker pod's security context runAsNonRoot runAsNonRoot: true # -- set worker pod's security context fsGroup fsGroup: 1001 # -- set worker pod's seccomp profile seccompProfile: type: RuntimeDefault # -- in case of Localhost value in seccompProfile.type, set seccompProfile.localhostProfile value below # localhostProfile: /my-path.json # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass # -- priority class name to use for the worker pods; if the priority class is empty or doesn't exist, the worker pods are scheduled without a priority class priorityClassName: "" ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- set worker containers' security context runAsUser runAsUser: 1001 # -- set worker containers' security context runAsNonRoot runAsNonRoot: true # -- set worker containers' security context readOnlyRootFilesystem readOnlyRootFilesystem: true # -- set worker containers' security context allowPrivilegeEscalation allowPrivilegeEscalation: false # -- set worker container's security context capabilities capabilities: {} ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ # -- extra labels for worker pod podLabels: {} ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ # -- extra annotations for worker pod podAnnotations: {} ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # -- affinity for worker pods assignment affinity: {} ## ref: https://kubernetes.io/docs/user-guide/node-selection/ # -- node labels for worker pods assignment nodeSelector: {} ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ # -- tolerations for worker pods assignment tolerations: [] ## List of extra env vars ## e.g: ## extraEnvVars: ## - name: FOO ## value: "bar" # -- array with extra environment variables to add to worker nodes extraEnvVars: [] # -- name of existing ConfigMap containing extra env vars to add to worker nodes (deprecated, use extraEnvVarsCMs) extraEnvVarsCM: "" # -- names of existing ConfigMaps containing extra env vars to add to worker nodes extraEnvVarsCMs: [] # -- name of existing Secret containing extra env vars to add to worker nodes (deprecated, use extraEnvVarsSecrets) extraEnvVarsSecret: "" # -- names of existing Secrets containing extra env vars to add to worker nodes extraEnvVarsSecrets: [] # -- additional sidecar containers extraContainers: [] # -- array with extra volumes for the worker pod extraVolumes: [] # -- array with extra volumeMounts for the worker pod extraVolumeMounts: [] # -- array with extra Arguments for the worker container to start with extraArgs: [] ## ServiceAccount configuration serviceAccount: # -- specifies whether a ServiceAccount should be created create: true # -- the name of the ServiceAccount to use. if not set and create is true, a name is generated using the common.names.fullname template name: "" # -- additional service account annotations (evaluated as a template) annotations: {}

Marvin

07/09/2025, 11:34 AM

Your message was too long, here's your message at the allowed limit: My helm for my prefect worker looks like this ## Common parameters # -- partially overrides common names name nameOverride # -- fully override common names fullname fullnameOverride prefect-worker # -- fully override common names namespace namespaceOverride # -- labels to add to all deployed objects commonLabels {} # -- annotations to add to all deployed objects commonAnnotations {} ## Deployment Configuration worker autoscaling # -- enable autoscaling for the worker enabled true # -- minimum number of replicas to scale down to minReplicas 1 # -- maximum number of replicas to scale up to maxReplicas 10 # -- target CPU utilization percentage for scaling the worker targetCPUUtilizationPercentage 80 # -- target memory utilization percentage for scaling the worker targetMemoryUtilizationPercentage 80 # -- unique cluster identifier if none is provided this value will be inferred at time of helm install clusterUid initContainer # -- the resource specifications for the sync-base-job-template initContainer # Defaults to the resources defined for the worker container resources {} # -- the requested resources for the sync-base-job-template initContainer # requests # memory 256Mi # cpu 100m # ephemeral-storage # -- the requested limits for the sync-base-job-template initContainer # limits # memory 1Gi # cpu 1000m # ephemeral-storage ## ref <https //kubernetes io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> # -- security context for the sync-base-job-template initContainer containerSecurityContext # -- set init containers' security context runAsUser runAsUser 1001 # -- set init containers' security context runAsNonRoot runAsNonRoot true # -- set init containers' security context readOnlyRootFilesystem readOnlyRootFilesystem true # -- set init containers' security context allowPrivilegeEscalation allowPrivilegeEscalation false # -- set init container's security context capabilities capabilities {} # -- additional sidecar containers extraContainers [] ## ref <https //kubernetes io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy> # -- optional dns policy for worker deployment dnsPolicy ## ref <https //kubernetes io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config> dnsConfig # -- optional list of IP addresses that will be used as dns servers for the Pod nameservers [] # -- optional list of dns search domains for hostname lookup in the Pod searches [] # -- optional list of dns options for the Pod options [] # - name ndots # value 2 image # -- worker image repository repository prefecthq/prefect ## prefect tag is pinned to the latest available image tag at packaging time Update the value here to ## override pinned tag # -- prefect image tag (immutable tags are recommended) prefectTag 3-python3 11-kubernetes # -- worker image pull policy pullPolicy IfNotPresent ## Optionally specify an array of imagePullSecrets ## Secrets must be manually created in the namespace ## ref <https //kubernetes io/docs/tasks/configure-pod-container/pull-image-private-registry/> ## e g ## pullSecrets ## - myRegistryKeySecretName # -- worker image pull secrets pullSecrets [] # -- enable worker image debug mode debug false ## general configuration of the worker config # -- the work pool that your started worker will poll workPool test-work-pool # -- one or more work queue names for the worker to pull from if not provided the worker will pull from all work queues in the work pool workQueues [] # -- how often the worker

Rasmus

07/09/2025, 11:35 AM

@Marvin My helm for my prefect worker looks like this ## Common parameters # -- partially overrides common names name nameOverride # -- fully override common names fullname fullnameOverride prefect-worker # -- fully override common names namespace namespaceOverride # -- labels to add to all deployed objects commonLabels {} # -- annotations to add to all deployed objects commonAnnotations {} ## Deployment Configuration worker autoscaling # -- enable autoscaling for the worker enabled true # -- minimum number of replicas to scale down to minReplicas 1 # -- maximum number of replicas to scale up to maxReplicas 10 # -- target CPU utilization percentage for scaling the worker targetCPUUtilizationPercentage 80 # -- target memory utilization percentage for scaling the worker targetMemoryUtilizationPercentage 80 # -- unique cluster identifier if none is provided this value will be inferred at time of helm install clusterUid initContainer # -- the resource specifications for the sync-base-job-template initContainer # Defaults to the resources defined for the worker container resources {} # -- the requested resources for the sync-base-job-template initContainer # requests # memory 256Mi # cpu 100m # ephemeral-storage # -- the requested limits for the sync-base-job-template initContainer # limits # memory 1Gi # cpu 1000m # ephemeral-storage ## ref <https //kubernetes io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> # -- security context for the sync-base-job-template initContainer containerSecurityContext # -- set init containers' security context runAsUser runAsUser 1001 # -- set init containers' security context runAsNonRoot runAsNonRoot true # -- set init containers' security context readOnlyRootFilesystem readOnlyRootFilesystem true # -- set init containers' security context allowPrivilegeEscalation allowPrivilegeEscalation false # -- set init container's security context capabilities capabilities {} # -- additional sidecar containers extraContainers [] ## ref <https //kubernetes io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy> # -- optional dns policy for worker deployment dnsPolicy ## ref <https //kubernetes io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config> dnsConfig # -- optional list of IP addresses that will be used as dns servers for the Pod nameservers [] # -- optional list of dns search domains for hostname lookup in the Pod searches [] # -- optional list of dns options for the Pod options [] # - name ndots # value 2 image # -- worker image repository repository prefecthq/prefect ## prefect tag is pinned to the latest available image tag at packaging time Update the value here to ## override pinned tag # -- prefect image tag (immutable tags are recommended) prefectTag 3-python3 11-kubernetes # -- worker image pull policy pullPolicy IfNotPresent ## Optionally specify an array of imagePullSecrets ## Secrets must be manually created in the namespace ## ref <https //kubernetes io/docs/tasks/configure-pod-container/pull-image-private-registry/> ## e g ## pullSecrets ## - myRegistryKeySecretName # -- worker image pull secrets pullSecrets [] # -- enable worker image debug mode debug false ## general configuration of the worker config # -- the work pool that your started worker will poll workPool test-work-pool # -- one or more work queue names for the worker to pull from if not provided the worker will pull from all work queues in the work pool workQueues [] # -- how often the worker

Marvin

07/09/2025, 11:35 AM

✅ thought for 15.2 seconds

Marvin

07/09/2025, 11:35 AM

I notice your Helm chart configuration is cut off, but from what I can see, there's a crucial missing piece: you haven't specified the resource requests and limits for the worker pods themselves (only for the init container). In GKE Autopilot, this is particularly important. Let me help you with the correct configuration: 1. Add Resource Configuration: Add this section to your Helm values:

Copy code

yaml
worker:
  resources:
    requests:
      memory: "1Gi"    # Autopilot minimum is 0.5Gi
      cpu: "500m"      # Autopilot minimum is 250m
    limits:
      memory: "2Gi"    # Adjust based on your workload
      cpu: "1000m"     # Adjust based on your workload

2. Autoscaling Configuration: Your current autoscaling settings look good, but in Autopilot context:

Copy code

yaml
worker:
  autoscaling:
    enabled: true
    minReplicas: 1
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80

This is fine, but remember that Autopilot will also enforce its own scaling decisions based on pod resource usage. 3. Init Container Resources: Your current init container resources are too low for Autopilot:

Copy code

yaml
initContainer:
  resources:
    requests:
      memory: "512Mi"  # Increase from 256Mi to meet Autopilot minimum
      cpu: "250m"      # Increase from 100m to meet Autopilot minimum
    limits:
      memory: "1Gi"
      cpu: "1000m"

4. Add Recommended Autopilot Configurations:

Copy code

yaml
worker:
  # Add pod disruption budget for better availability
  podDisruptionBudget:
    enabled: true
    minAvailable: 1

  # Add topology spread constraints for better distribution
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: <http://topology.kubernetes.io/zone|topology.kubernetes.io/zone>
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchLabels:
          <http://app.kubernetes.io/name|app.kubernetes.io/name>: prefect-worker

5. Security Context: Your security context looks good, but make sure it's also applied to the main container:

Copy code

yaml
worker:
  containerSecurityContext:
    runAsUser: 1001
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false

To implement these changes: 1. Update your values file with these configurations 2. Upgrade your Helm release:

Copy code

bash
helm upgrade prefect-worker prefect/prefect-worker -f values.yaml -n your-namespace

3. Verify the changes:

Copy code

bash
# Check pod resources
kubectl describe pod -l <http://app.kubernetes.io/name=prefect-worker|app.kubernetes.io/name=prefect-worker> -n your-namespace

# Monitor pod status
kubectl get pods -l <http://app.kubernetes.io/name=prefect-worker|app.kubernetes.io/name=prefect-worker> -n your-namespace -w

Common issues to watch for in Autopilot: 1. Pods stuck in "Pending" due to insufficient quota 2. Pods being terminated due to resource pressure 3. Scheduling delays due to resource fragmentation Would you like me to: 1. Provide a complete values.yaml file with all these configurations? 2. Help you calculate the optimal resource values based on your specific workload? 3. Show you how to monitor resource usage in Autopilot to fine-tune these values?

Open in Slack

Previous Next