Suspecting wrong backend selection while calling k8s services #17859
One clarification: we switch …
Thanks for opening the issue. This needs more info:
Calls should land on …
It is really hard to answer this question because our pods come and go :/ Tell me if you want me to give you the IP based on the sysdump.

Accessed from inside. One additional piece of information: we don't have any network policies in place.

We ran into the same situation and took multiple sysdumps to give you additional info. The pod … We made one sysdump for the node hosting … Hope that will help.
Thanks for the sysdumps! Some investigation brain dump below.

In-cluster bpf_lxc per-packet LB

Client "doorman-7f5f67c946-j47nx" (100.97.222.42) connects to the "pastrami" service (100.66.190.186, revnat=57) but gets the wrong server "badoom3-598698858d-49zl6" (100.98.135.52, which belongs to svc=100.69.235.31, revnat=62). Session affinity is disabled. From the CT on the client node there are 4 entries of the wrong selection: …

Let's take port "100.97.222.42:33660"; there are the following entries in the CT table: …

From the above we can see that the client with the same sport connected first to … The revnat=57 entry has selected backend_id=328 (the RxBytes hack): …
This is the wrong backend, 100.98.135.52. How is it possible that it was selected? I expect that it entered this branch https://github.com/cilium/cilium/blob/v1.10.5/bpf/lib/lb.h#L1370, as the client->svc tuple should have been new (i.e., CT_NEW), and thus the correct backend should have been selected (a toy model of this select-vs-reuse logic is sketched at the end of this comment). @sterchelen, some questions: …
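For anyone following along, here is a toy model of that select-vs-reuse logic. This is NOT Cilium's actual datapath code: the array-backed "map", struct fields and helpers are simplified stand-ins for the BPF conntrack map and its helpers, and the "RxBytes hack" mentioned above refers to where the real code stashes the backend id (here it is just a named field).

```c
/* lb_sketch.c — toy model of per-packet service LB, loosely after
 * v1.10's bpf/lib/lb.h. Simplified stand-in, not the real code.
 * Build: cc -o lb_sketch lb_sketch.c && ./lb_sketch */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ct_key {                 /* flow tuple: client <-> service VIP */
	uint32_t saddr, daddr;
	uint16_t sport, dport;
};

struct ct_entry {
	struct ct_key key;
	uint16_t rev_nat;       /* which service created the entry */
	uint32_t backend_id;    /* cached backend selection */
	int used;
};

#define CT_MAX 64
static struct ct_entry ct_map[CT_MAX];  /* stand-in for the BPF CT map */

static struct ct_entry *ct_lookup(const struct ct_key *k)
{
	for (int i = 0; i < CT_MAX; i++)
		if (ct_map[i].used && memcmp(&ct_map[i].key, k, sizeof(*k)) == 0)
			return &ct_map[i];
	return NULL;            /* no entry -> CT_NEW */
}

static struct ct_entry *ct_create(const struct ct_key *k, uint16_t rev_nat,
                                  uint32_t backend_id)
{
	for (int i = 0; i < CT_MAX; i++)
		if (!ct_map[i].used) {
			ct_map[i] = (struct ct_entry){
				.key = *k, .rev_nat = rev_nat,
				.backend_id = backend_id, .used = 1,
			};
			return &ct_map[i];
		}
	return NULL;
}

static uint32_t lb_get_backend(const struct ct_key *k, uint16_t svc_rev_nat,
                               uint32_t n_backends)
{
	struct ct_entry *e = ct_lookup(k);

	if (!e) /* CT_NEW: pick a fresh backend and cache it in the entry */
		e = ct_create(k, svc_rev_nat, (uint32_t)(rand() % n_backends));
	/* Otherwise: reuse the cached backend_id. If a stale or mismatched
	 * entry survives for this tuple, every packet of the flow keeps
	 * landing on the same wrong backend until the entry goes away. */
	return e ? e->backend_id : 0;
}

int main(void)
{
	/* same client ip:port -> same service VIP: pinned by the CT entry */
	struct ct_key k = { .saddr = 1, .daddr = 2, .sport = 33660, .dport = 80 };

	for (int i = 0; i < 3; i++)
		printf("backend_id=%u\n", lb_get_backend(&k, 57, 50));
	return 0;
}
```

The suspicious part is the reuse branch: in this simplified model nothing re-validates that the cached backend_id still belongs to the service identified by rev_nat, which seems consistent with the doorman/badoom3 symptom above (a cached entry outliving the correct mapping), though the real code has more states and checks.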
Hello,
It is possible, but we don't have logs of the IP assignments to pods. We have a pool of, let's say: …

If we take the pod name you found: we estimate (we did some kubectl exec curl loops, spying in hubble-ui on the real backend accessed on another occurrence) that around … Each (detected) wrong routing went to … As soon as we detect a faulty pair, like here a doorman pod calling a badoom pod through the pastrami svc, it stays until either end is deleted, even if the HPA+RS for doorman, pastrami or badoom added/removed pods (as long as that didn't kill either end of the faulty pair). Some additional notes: …
Yes, sure, but we have yet to find a reliable way to reproduce the issue on demand.
Are you saying that once the request is routed to the wrong backend, each subsequent request is routed to the same wrong backend from the same client pod?
Could you ping me in the Cilium Slack on Monday? (I'm …)
No, only a small proportion, roughly 1 out of the approximate size of the backend pool (with ~50 backends that would be about 2% of requests from that client). And as soon as we detect it, this small error rate stays visible until either pod is killed.
Will do 👍
Could you try using …?
Closing, as it should be fixed by #18113. Please reopen if the issue persists.
Bug report
General Information
- Cilium version: v1.10.5, installed via kops addon
- Kernel version: 5.8.0-1042-aws
- Kubernetes version: v1.21.2, via kops
- IPSec enabled
- node-local-dns installed via kops addon
- Partial kube-proxy replacement in place
- portmap enabled
Summary
Periodically, a source pod receives a 404 error when calling a Kubernetes service. Our tracing system shows that a pod from deployment B is called instead of a pod from deployment A, which results in a 404 error returned by the wrong pod because it can't handle the request.
How to reproduce?
It is very hard to reproduce the issue and takes a lot of luck, because the occurrences are very rare and transient. We managed to find a pod exhibiting the issue. By connecting to it and executing a curl loop to simulate HTTP calls to the same k8s service, we were able to reproduce the 404 issue (an illustrative stand-in for that loop is sketched just below). At the time, 50 pods were attached to the Kubernetes service.
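For completeness, here is an illustrative C stand-in for that loop. The real test was a plain shell curl loop run via kubectl exec inside the affected pod; the hostname, port and path below are placeholders, not our real service.

```c
/* curl_loop_sketch.c — illustrative stand-in for the curl loop run
 * inside the affected pod. Host/port/path are placeholders. The status
 * check (single recv, substring match) is deliberately naive.
 * Build: cc -o curl_loop_sketch curl_loop_sketch.c */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define HOST "my-service.my-namespace.svc.cluster.local" /* placeholder */
#define PORT "80"
#define REQ  "GET /healthz HTTP/1.1\r\nHost: " HOST \
             "\r\nConnection: close\r\n\r\n"

int main(void)
{
	struct addrinfo hints = { .ai_family = AF_INET,
	                          .ai_socktype = SOCK_STREAM };
	struct addrinfo *res;
	char buf[256];

	for (int i = 0; i < 1000; i++) {
		if (getaddrinfo(HOST, PORT, &hints, &res) != 0)
			continue;
		int fd = socket(res->ai_family, res->ai_socktype,
		                res->ai_protocol);
		if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) == 0) {
			send(fd, REQ, strlen(REQ), 0);
			ssize_t n = recv(fd, buf, sizeof(buf) - 1, 0);
			if (n > 0) {
				buf[n] = '\0';
				/* a 404 means the request landed on a pod
				 * that doesn't serve this path, i.e. the
				 * wrong backend */
				if (strstr(buf, " 404 ") != NULL)
					printf("request %d: got 404\n", i);
			}
		}
		if (fd >= 0)
			close(fd);
		freeaddrinfo(res);
		usleep(100 * 1000); /* 100 ms between requests */
	}
	return 0;
}
```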
Findings
- With the `io.cilium.proxy-visibility` annotation, no error was seen from the point of view of `hubble monitor`.
- With `cilium monitor`, we were able to see that all the requests were sent to the right service IP, but without knowing the destination pod IP.

See in attachment a sysdump for a node that had the issue.
And here is the Cilium config: …
Thank you 🙇🏼
ping @gmiam @grams @alex-raoul @valouille @IxDay @choutone