CNI: keep cni config on shutdown; taint instead, queue deletions

[squeed]

This change is made up of several commits, which build on each other. It fixes a wart with how CNI, Containerd, and Dockershim interact, and prevents some possible outage scenarios.

Ultimately, I'd like to make much of this less necessary with an improved CNI STATUS verb, but that will take some time to roll out across the ecosystem.

Asynchronous CNI delete

The CNI plugin now queues DEL for later submission, rather than failing. It tries to connect to the agent socket, and if that fails, it will write a file in /run/cilium with the pod's details. When the agent starts up, it will read that queue and process all pending deletes.

This fixes #22067, where an end-user found themselves with an unrecoverable cluster. Cilium got descheduled but their node was at its pod limit. They couldn't start any pods, and they couldn't delete any pods without Cilium running. Not good.

Taint the node when Cilium is shut down

On nodes where Cilium is scheduled, if it is not running, taint the node with NoSchedule. This will prevent new pods from being scheduled there. This has two goals:

1. Minimize ignorable errors from pods failing to start because Cilium can't handle a CNI ADD
2. Minimize pods being started with a non-Cilium network provider

Preserve CNI configuration

Lastly, we no longer delete the CNI configuration file when stopping the agent. This has several important effects:

• the node no longer goes NotReady, so it won't be removed from cloud LB backends just because cilium is being upgraded. This prevents unneeded churn.
• CNI DEL will still succeed, so pods can always be cleaned up
• No chance of pods being started with a different CNI provider

The Cilium operator now taints nodes where Cilium is scheduled to run but is not running. 
This prevents pods from being scheduled on nodes without Cilium.
The CNI configuration file is no longer removed on agent shutdown. 
This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade.
This should help prevent nodes accidentally entering an unmanageable state.
It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades.

Fixes: #22067.

[squeed]

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Click to show.

Test Name

K8sDatapathConfig MonitorAggregation Checks that monitor aggregation restricts notifications

Failure Output

FAIL: Found 1 k8s-app=cilium logs matching list of errors that must be investigated:

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

[squeed]

Test failures are either known flakes, or unlikely to be caused by this:

• l4lb XDP doesn't use CNI at all
• TestGetIdentity/Duplicated_identity is a known flake
• MonitorAggregation didn't get all ICMP events. Again, not something this could do.

So, rebasing and retrying to see if that helps.

[christarazi]

Looks mostly good to me, a few minor comments to address.

If I may share an opinion: I appreciate the PR description because it made reviewing the code much easier, however I'd hate to lose all that context because it isn't somewhere in the commit msg. What do you think of putting it somewhere in the commit(s)? The reason is because when bisecting, it's much easier to read all the context related to a change from the commit msg, rather than think "hmm, I wonder if there's more to this" and have to locate the PR behind it.

What I've seen people do (and what I try to do as well) is paste the "important" commit msgs in the PR description as well, so people sort of have a cover letter to read before diving in, as you did in your PR, while also preserving the history in the commit(s) themselves.

On another note, for the release note: I'd suggest stripping the extra newlines as it's not going to format quite as nicely in the end. Something like this would be easier to read:

This is sentence 1 of the release note.
This is sentence 2 of the same release note.
And so on...

[sayboras]

This PR is not only interesting but alsoo fun to read, love the comment in code 👍.

LGTM ✔️

[squeed]

/test

[christarazi]

Apologies for extending this PR, but upon a second read, I noticed that the error logs are quite terse. I think we'd benefit from providing more context when there are warnings / errors, because we don't want the user to then think, "OK well I've got this error, but what should I do / what is Cilium going to do about it?".

Minor comments below.

[squeed]

@christarazi updated the logging based on your suggestions, thanks for the review.

[christarazi]

/test

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Expected

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

[squeed]

jenkins job failure is because of a missed tail call!? This PR has nothing to do with BPF...

time="2023-03-21T21:17:36Z" level=debug msg="running local command: kubectl exec -n kube-system cilium-dj8v9 -- cilium metrics list -o json | jq '.[] | select( .name == \"cilium_drop_count_total\" and .labels.reason == \"Missed tail call\" ).value'"
cmd: "kubectl exec -n kube-system cilium-dj8v9 -- cilium metrics list -o json | jq '.[] | select( .name == \"cilium_drop_count_total\" and .labels.reason == \"Missed tail call\" ).value'" exitCode: 0 duration: 168.910676ms stdout:
1

[squeed]

/mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next

👍 created #24514

[squeed]

/test-1.26-net-next

[aojea]

it is sad we don't have a better defined processs for the Pod lifecycle in k8s so we don't have to implement these things :(