Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

operator: Add cilium node garbage collector #19576

Merged
merged 4 commits into from
May 6, 2022
Merged

operator: Add cilium node garbage collector #19576

merged 4 commits into from
May 6, 2022

Conversation

sayboras
Copy link
Member

@sayboras sayboras commented Apr 26, 2022
edited

Description

In the normal scenario, CiliumNode is created by agent with owner
references attached all time time in below PR[0]. However, there could
be the case that CiliumNode is created by IPAM module[1], which
didn't have any ownerReferences at all. For this case, if the
corresponding node got terminated and never came back with same
name, the CiliumNode resource is still dangling, and needs to be
garbage collected.

This commit is to add garbage collector for CiliumNode, with below
logic:

  • Gargage collector will run every predefined interval (e.g. specify
    by flag --nodes-gc-interval)
  • Each run will check if CiliumNode is having a counterpart k8s node
    resource. Also, remove this node from GC candidate if required.
  • If yes, CiliumNode is considered as valid, happy day.
  • If no, check if ownerReferences are set.
    • If yes, let k8s perform garbage collection.
    • If no, mark the node as GC candidate. If in the next run, this
      node is still in GC candidate, remove it.

Testing

Testing was done locally with kind cluster

Create one dummy ciliumnode and check gc 
$ ksyslo deployment/cilium-operator --timestamps | grep kind-worker-dummy
2022-04-26T10:59:22.106774489Z level=debug msg="UpdatedStatus Node" error="<nil>" node-name=kind-worker-dummy subsys=pod-cidr
2022-04-26T10:59:23.087007602Z level=debug msg="UpdatedStatus Node" error="<nil>" node-name=kind-worker-dummy subsys=pod-cidr
2022-04-26T10:59:51.977272944Z level=info msg="Add CiliumNode to garbage collector candidates" nodeName=kind-worker-dummy subsys=watchers
2022-04-26T11:00:21.978387751Z level=info msg="Perform GC for invalid CiliumNode" nodeName=kind-worker-dummy subsys=watchers

$ kg ciliumnodes
NAME                 AGE
kind-control-plane   156m
kind-worker          156m

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 26, 2022
@sayboras sayboras added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Apr 26, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 26, 2022
@sayboras sayboras force-pushed the tam/cilium-nodes-gc branch 6 times, most recently from 76a8681 to 1cb3631 Compare April 26, 2022 14:05
@sayboras sayboras marked this pull request as ready for review April 26, 2022 14:05
@sayboras sayboras requested a review from a team as a code owner April 26, 2022 14:05
@sayboras sayboras requested a review from a team April 26, 2022 14:05
@sayboras sayboras requested review from a team as code owners April 26, 2022 14:05
@christarazi christarazi added sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. area/operator Impacts the cilium-operator component labels Apr 26, 2022
christarazi
christarazi requested changes Apr 26, 2022
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good, just a few minor comments

install/kubernetes/cilium/templates/cilium-operator/clusterrole.yaml Outdated Show resolved Hide resolved
Documentation/operations/upgrade.rst Outdated Show resolved Hide resolved
operator/flags.go Outdated Show resolved Hide resolved
operator/watchers/cilium_node_gc.go Outdated Show resolved Hide resolved
kaworu
kaworu requested changes Apr 27, 2022
View reviewed changes
Copy link
Member

@kaworu kaworu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seeing that we are selectively adding RBAC permissions and passing the nodes-gc-interval flag through the ConfigMap, I'm assuming there is a use-case for disabling this feature. In what context users would want to disable it?

Follow-up question: how are users expected to effectively disable this feature through Helm? I think the combination of the flag being a duration, the default value, and different ways of checking it (hasKey in the ConfigMap, "emptiness" in the ClusterRole) might not work as expected:

% helm template cilium ./install/kubernetes/cilium --namespace kube-system | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"
  nodes-gc-interval: "5m0s"
    # To perform CiliumNode garbage collector
% helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval=1s | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"
  nodes-gc-interval: "1s"
    # To perform CiliumNode garbage collector

Here the first grep expression is for the flag value, second expression for RBAC. Using the default and override will correctly set the flag and add the RBAC permission, happy day™.

% helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval=null | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"
% helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval= | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"
  nodes-gc-interval: ""
% helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval=0s | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"
  nodes-gc-interval: "0s"
    # To perform CiliumNode garbage collector

Settting to null shows nothing, meaning we don't pass the flag and we don't have the RBAC permission. The issue here is that we'll be using the non-zero CLI default (5m) and will fail because we don't have the permission.

Settting to empty will actually pass it as-is to the flag, which will fail duration parsing.

Settting to 0s will correctly disable the feature in the ConfigMap, but won't add the RBAC permission.

operator/watchers/cilium_node_gc.go Outdated Show resolved Hide resolved
@sayboras
Copy link
Member Author

Thanks for your input, indeed there are a few cases I didn't consider.

Seeing that we are selectively adding RBAC permissions and passing the nodes-gc-interval flag through the ConfigMap, I'm assuming there is a use-case for disabling this feature. In what context users would want to disable it?

Normally, we don't want to disable this GC, it's just an option for users in case of any issue later on.

Settting to null shows nothing, meaning we don't pass the flag and we don't have the RBAC permission. The issue here is that we'll be using the non-zero CLI default (5m) and will fail because we don't have the permission.
Settting to empty will actually pass it as-is to the flag, which will fail duration parsing.
Settting to 0s will correctly disable the feature in the ConfigMap, but won't add the RBAC permission.

Agreed on the above points, I have made below changes to rectify

  • update default value in CLI to 0s i.e disabled by default, so that we don't couple with RBAC permission
  • add default value in config map
  • add check in RBAC to make sure that we only add permission if .Values.operator.nodeGCInterval is having some value, and it's not 0s. I don't think we need to check for correct data type (e.g. duration) in helm.
$ helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval=null | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"

$ helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval= | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector" 
  nodes-gc-interval: "0s"
 
$ helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval=0s | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"
  nodes-gc-interval: "0s"
  
$ helm template cilium ./install/kubernetes/cilium --namespace kube-system --set operator.nodeGCInterval=1s | grep -E "nodes-gc-interval|# To perform CiliumNode garbage collector"
  nodes-gc-interval: "1s"
    # To perform CiliumNode garbage collector

@sayboras sayboras requested a review from kaworu April 28, 2022 09:45
@sayboras sayboras force-pushed the tam/cilium-nodes-gc branch 2 times, most recently from 39bf622 to 71d0e3e Compare April 28, 2022 10:33
@sayboras
Copy link
Member Author

sayboras commented May 6, 2022

/test-1.16-4.9

@sayboras
Copy link
Member Author

sayboras commented May 6, 2022

/test-1.22-4.19

@sayboras
Copy link
Member Author

sayboras commented May 6, 2022

/test-1.23-net-next

@sayboras
Copy link
Member Author

sayboras commented May 6, 2022

/test-1.21-5.4

@sayboras
Copy link
Member Author

sayboras commented May 6, 2022

All the tests passed now, marking this ready for merge.

@sayboras sayboras added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 6, 2022
@kaworu kaworu merged commit 167fa2b into cilium:master May 6, 2022
@kaworu kaworu mentioned this pull request May 6, 2022
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.10.11 May 6, 2022
@kaworu kaworu mentioned this pull request May 9, 2022
Merged
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.10 in 1.11.5 May 9, 2022
@aanm aanm added this to Backport pending to v1.10 in 1.10.12 May 9, 2022
@aanm aanm removed this from Backport pending to v1.10 in 1.10.11 May 9, 2022
@aanm aanm mentioned this pull request May 10, 2022
Merged
@aanm aanm added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.10 and removed backport-pending/1.11 labels May 10, 2022
@aanm aanm mentioned this pull request May 10, 2022
Merged
@sayboras sayboras mentioned this pull request May 21, 2022
Closed
2 tasks
@aanm aanm mentioned this pull request May 23, 2022
Merged
1 task
@joestringer joestringer moved this from Backport pending to v1.10 to Backport done to v1.10 in 1.10.12 Jun 10, 2022
@aanm aanm mentioned this pull request Jun 22, 2022
Merged
@hemslo hemslo mentioned this pull request Aug 1, 2022
Merged
@sayboras sayboras mentioned this pull request Aug 15, 2022
Closed
2 tasks
@sayboras sayboras deleted the tam/cilium-nodes-gc branch August 15, 2022 13:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaworu kaworu kaworu approved these changes

@christarazi christarazi christarazi approved these changes

@qmonnet qmonnet qmonnet approved these changes

Assignees
No one assigned
Labels
area/operator Impacts the cilium-operator component backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers.
Projects
No open projects
1.10.12
Backport done to v1.10
1.11.5
Backport pending to v1.10
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@sayboras @aanm @kaworu @christarazi @qmonnet