operator: remove pod list of an entire cluster #11376

aanm · 2020-05-06T20:55:06Z

Doing a pod list every 30 minutes can be brutal for kube-apiserver, specially if it is not running with a limit of the number of pods that should be returned. Having a watcher that receives notifications for the pods running as well as the CEPs, is enough to provide a GC for Cilium Identities and CEPs.

Since we have a k8s watcher and the CEPs have an owner set to themselves the CEP GC interval was decreased to 5 minutes.

Also, given that we don't depend on the CEP GC to perform Cilium IdentityGC we can set the identity heartbeat timeout to 2* the KVStore Lease TTL.

Signed-off-by: André Martins andre@cilium.io

Fixes #11472

maintainer-s-little-helper · 2020-05-06T20:55:08Z

Please set the appropriate release note label.

aanm · 2020-05-07T20:15:44Z

test-me-please

coveralls · 2020-05-07T21:40:30Z

Coverage decreased (-0.07%) to 37.791% when pulling 29f49b0 on pr/avoid-pod-list into f8972f8 on master.

aanm · 2020-05-11T09:27:29Z

test-me-please

errordeveloper · 2020-05-11T10:27:07Z

operator/k8s_cep_gc.go

-						// there is more data, continue
-						continue perCEPFetch
+					if !exists {
+						// FIXME: this is fragile has we might have received the


there are a few typos in this comment...

operator/watchers/cilium_endpoint.go

aanm · 2020-05-11T12:43:54Z

test-me-please

operator/k8s_cep_gc.go

aanm · 2020-05-11T20:16:52Z

test-me-please

aanm · 2020-05-12T07:47:35Z

retest-net-next

aanm · 2020-05-12T09:10:38Z

test-me-please

operator/k8s_identity.go

tgraf · 2020-05-13T08:48:33Z

operator/identity/heartbeat.go

@@ -57,6 +58,11 @@ func (i *IdentityHeartbeatStore) IsAlive(identity string) bool {
 	i.mutex.RLock()
 	defer i.mutex.RUnlock()

+	// The identity is definitely alive if there's a CE using it.
+	if watchers.HasCEWithIdentity(identity) {


This looked very expensive at first but the index makes it bearable it seems.

aanm · 2020-05-13T09:16:09Z

test-me-please

aanm · 2020-05-13T10:39:19Z

test-me-please

Doing a pod list every 30 minutes can be brutal for kube-apiserver, specially if it is not running with a limit of the number of pods that should be returned. Having a watcher that receives notifications for the pods running as well as the CEPs, is enough to provide a GC for Cilium Identities and CEPs. Since we have a k8s watcher and the CEPs have an owner set to themselves the CEP GC interval was decreased to 5 minutes. Also, given that we don't depend on the CEP GC to perform Cilium Identity GC we can set the identity heartbeat timeout to 2* the KVStore Lease TTL. Signed-off-by: André Martins <andre@cilium.io>

aanm · 2020-05-13T11:20:43Z

test-me-please

aanm · 2020-05-13T13:59:04Z

hit #11512

maintainer-s-little-helper bot added the dont-merge/needs-release-note label May 6, 2020

maintainer-s-little-helper bot added this to In progress in 1.8.0 May 6, 2020

aanm added the release-note/bug This PR fixes an issue in a previous release of Cilium. label May 6, 2020

maintainer-s-little-helper bot removed the dont-merge/needs-release-note label May 6, 2020

aanm force-pushed the pr/avoid-pod-list branch 2 times, most recently from 1eee453 to 3371814 Compare May 7, 2020 20:15

aanm changed the base branch from pr/use-slimmer-protobuf-definitions-others to master May 7, 2020 20:15

aanm added area/operator Impacts the cilium-operator component release-note/misc This PR makes changes that have no direct user impact. and removed release-note/bug This PR fixes an issue in a previous release of Cilium. labels May 7, 2020

aanm marked this pull request as ready for review May 7, 2020 20:15

aanm requested a review from a team May 7, 2020 20:20

aanm force-pushed the pr/avoid-pod-list branch from 3371814 to 8712c63 Compare May 8, 2020 09:13

nebril approved these changes May 8, 2020

View reviewed changes

aanm requested a review from tgraf May 8, 2020 15:00