k8s: Fix data race between ServiceCache and K8sWatcher

[joamaki]

correlateEndpoints was modifying a Backend object that was read by
K8sWatcher:

WARNING: DATA RACE
Read at 0x00c000942278 by goroutine 71:
github.com/cilium/cilium/pkg/k8s/watchers.genCartesianProduct()
    /home/chris/code/cilium/cilium/pkg/k8s/watchers/watcher.go:787 +0xb56
github.com/cilium/cilium/pkg/k8s/watchers.datapathSVCs()
    /home/chris/code/cilium/cilium/pkg/k8s/watchers/watcher.go:852 +0x77e
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcher).addK8sSVCs()
...
Previous write at 0x00c000942278 by goroutine 70:
github.com/cilium/cilium/pkg/k8s.(*ServiceCache).correlateEndpoints()
    /home/chris/code/cilium/cilium/pkg/k8s/service_cache.go:501 +0x409
github.com/cilium/cilium/pkg/k8s.(*ServiceCache).UpdateService()
    /home/chris/code/cilium/cilium/pkg/k8s/service_cache.go:214 +0x3e4
github.com/cilium/cilium/pkg/k8s/watchers.(*K8sWatcherSuite).TestChangeSVCPort()
    /home/chris/code/cilium/cilium/pkg/k8s/watchers/watcher_test.go:685 +0x1d09
...

Since the backends are owned by the ServiceCache and allowing to mutate them when holding a lock is something one might expect, fix the issues by making all public ServiceCache methods return a DeepCopy'd *Endpoint and *Backends.

Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected.

[squeed]

wait, are these objects from the informer cache? what is writing to them?

[christarazi]

While the release note is correct in describing the impact of the change, it doesn't describe what behavior / impact it is improving for users. As of now, this release note sounds quite scary for any user, so either we identify what specific symptoms this bug introduces (if we know), or we downgrade the release note to misc.

[christarazi]

Why not just remove the code?

[joamaki]

These 3 lines are in many many places. @jrajahalme Can we clean these up?

[christarazi]

I'd guess these are meant for debugging, so let's just remove them and file an issue to clean up the rest as a followup.

[joamaki]

Ended up just removing them from everywhere.

[christarazi]

Given that #19521 introduced this bug, we'll need to backport to v1.12 and v1.13.

[joamaki]

wait, are these objects from the informer cache? what is writing to them?

They're derived from them, but the cache objects are not mutated. What is mutating is the *k8s.Endpoints, or more specifically *loadbalancer.Backend inside *k8s.Endpoints. This is created and owned by ServiceCache which hands it over to K8sWatcher over the events channel. Bug is that the same*Backend is mutated that is handed over to K8sWatcher.

[joamaki]

While the release note is correct in describing the impact of the change, it doesn't describe what behavior / impact it is improving for users. As of now, this release note sounds quite scary for any user, so either we identify what specific symptoms this bug introduces (if we know), or we downgrade the release note to misc.

Expanded the comment to mention the impact. Are we ok with this? Could also consider downgrading as the impact is minor.

[christarazi]

The release note sounds better now. I don't think we've had any bug reports about backend preferred selection, but then again it's probably hard to pinpoint from a user's perspective that something went wrong there. I think we ship it given we've done our due diligence for as far as we know.

[christarazi]

Rebasing to run CI

[christarazi]

/test

[joamaki]

Discussed with @squeed that it'd be cleaner to DeepCopy the backend that's mutated rather than the whole thing here.

[joamaki]

Ended up flipping this. Now the backends are mutated in-place (with lock held), but all public methods in ServiceCache will always return a copy of the Backends.

[joamaki]

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Click to show.

Test Name

K8sDatapathConfig Host firewall With native routing and endpoint routes

Failure Output

FAIL: Error deleting resource /home/jenkins/workspace/Cilium-PR-K8s-1.24-kernel-5.4/src/github.com/cilium/cilium/test/k8s/manifests/host-policies.yaml: Cannot retrieve "cilium-jh7j5"'s policy revision: cannot get policy revision: ""

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1934/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

Then please upload the Jenkins artifacts to that issue.

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sDatapathCustomCalls Basic test with byte-counter Loads byte-counter and gets consistent values

Failure Output

FAIL: failed to ensure the namespace kube-system exists: signal: killed

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2028/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

Then please upload the Jenkins artifacts to that issue.

[christarazi]

I'd guess these are meant for debugging, so let's just remove them and file an issue to clean up the rest as a followup.

[joamaki]

/test

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sDatapathServicesTest Checks N/S loadbalancing With host policy Tests NodePort

Failure Output

FAIL: Can not connect to service "tftp://[fd04::12]:31608/hello" from outside cluster (1/10)

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.26-kernel-net-next/2090/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

Then please upload the Jenkins artifacts to that issue.

[joamaki]

/test-1.26-net-next

[nathanjsweet]

I am worried about memory usage, but this all looks good.

[youngnick]

Looks like Chart CI Push hit #25274, merging.