Do not fail eagerly on ImagePullBackoff

[KnVerey]

What are you trying to accomplish with this PR?

At Shopify, our largest apps are seeing many deploys failing because of transient registry errors. Kubernetes (well, the container runtime) is doing the right thing and retrying until the image is successfully pulled, usually within a couple minutes, but because kubernetes-deploy declares a resource failed as soon as it observes ImagePullBackoff, our developers are being overexposed to these transient errors.

ErrImagePull's messages give us enough information to determine whether the image actually isn't in the registry, which is the case we were trying to catch. ImagePullBackoff does not. Given how quickly the former turns into the latter regardless of the underlying error reason, our assumption that we can use ImagePullBackoff to fail the deploy is breaking down at scale.

How is this accomplished?

Always requiring "not found" to be part of the error message, which in reality I believe is only the case for initial ErrImagePull messages at this time.

What could go wrong?

• We will catch cases where developers actually did not push their image before deploying (or did not wait for automation to do so) much less often. Basically we have to get really lucky and observe the pod between the first and second errors being thrown k8s-side.
• The experience of accidentally deploying a missing image will be inconsistent as a result of the above--sometimes it'll fail fast, and sometimes it'll hang until a timeout.
• This helps administrators paper over registry problems.

@Shopify/cloudx

[KnVerey]

Alternatively, we could remove this entirely. In practice I don't think ImagePullBackoff ever includes "not found" in existing k8s versions, so this detection is extremely racy. I can see the argument that a consistent timeout would be better for UX.

[dturn]

I think we should try and be helpful where we can.

[stefanmb]

In practice I don't think ImagePullBackoff ever includes "not found" in existing k8s versions

This comes from here I think: https://github.com/kubernetes/kubernetes/blob/d24fe8a801748953a5c34fd34faa8005c6ad1770/pkg/kubelet/images/image_manager.go#L126

fmt.Sprintf("Back-off pulling image %q", container.Image)

Shouldn't we then remove ImagePullBackOff because it would always fail the not found string match?

[KnVerey]

Yes, it was lazy of me not to look up the source. Thanks for finding it! Since it is confirmed to not be possible for the error to match, I agree that keeping ImagePullBackoff here is just misleading.

[KnVerey]

This cannot be integration tested anymore because it is super racy.

[KnVerey]

Modified this test to also cover the basic fact that it halts the deploy, which was previously covered by test_bad_container_image_on_unmanaged_pod_halts_and_fails_deploy.

[KnVerey]

AFAIK this doesn't actually happen though.

[dturn]

Code lgtm. That being said, we're making our code less helpful to handle a docker/gcr issue. Could we run core on this branch for a bit before merging in hopes that this gets resolved quickly?

[dturn]

I think we should try and be helpful where we can.

[KnVerey]

Could we run core on this branch for a bit before merging in hopes that this gets resolved quickly?

We could, but my feeling is that core uncovered that the code we're removing here is undermining a fundamental resiliency win Kubernetes provides by making judgements based on inadequate information.

[DazWorrall]

Code LGTM, and I agree that this seems not to have scaled well so it's ok to drop this optimisation.

These failures have become so common in the last week that it would be great to get this into production ASAP. It's possible that we'll find some direct cause of the uptick in failures that we can fix, in which case we can revisit this decision, but so far neither us nor Google have found anything so I lean towards acting now.