pkg/k8s: fallback on retrieving CiliumNode from kube-apiserver #22298

aanm · 2022-11-21T20:25:34Z

pkg/k8s: fallback on retrieving CiliumNode from kube-apiserver

Retrieving objects from caches can be useful to prevent doing useless
requests to kube-apiserver. In the unlikely event that the object
doesn't exist in the local cache Cilium can try to retrieve it from
kube-apiserver directly. For this particular case, with CiliumNode, it
is causing Cilium to fatal as it is unable to retrieve CiliumNode from
the cache, due subsystem initialization issues, thus we will fallback on
retrieving the object directly from kube-apiserver.

In this case, the subsystem initialization issue happened due to the
fact that CiliumNode watcher is blocked on its event handler by the
egressGatewayManager [1] which is blocked by the initialization of the
identity allocator [2]. Unfortunately, the identity allocator is only
initialized at a later stage causing the CiliumNode cache from being
populated with all of its nodes.

[1]

cilium/pkg/k8s/watchers/cilium_node.go

Line 56 in 933bdcb

k.egressGatewayManager.OnUpdateNode(n)

[2]

cilium/pkg/egressgateway/manager.go

Line 83 in 933bdcb

    
           if err := manager.identityAllocator.WaitForInitialGlobalIdentities(identityCtx); err != nil {

Fixes: 69e4c69 ("k8s: optimize API calls made to kube-apiserver")

Fix Cilium fatal "Could not create or update CiliumNode resource, despite retries" on environments with `enable-ipv4-egress-gateway`

Retrieving objects from caches can be useful to prevent doing useless requests to kube-apiserver. In the unlikely event that the object doesn't exist in the local cache Cilium can try to retrieve it from kube-apiserver directly. For this particular case, with CiliumNode, it is causing Cilium to fatal as it is unable to retrieve CiliumNode from the cache, due subsystem initialization issues, thus we will fallback on retrieving the object directly from kube-apiserver. In this case, the subsystem initialization issue happened due to the fact that CiliumNode watcher is blocked on its event handler by the egressGatewayManager [1] which is blocked by the initialization of the identity allocator [2]. Unfortunately, the identity allocator is only initialized at a later stage causing the CiliumNode cache from being populated with all of its nodes. [1] https://github.com/cilium/cilium/blob/933bdcbec9319b0148b12688f720fbaaf55e0dba/pkg/k8s/watchers/cilium_node.go#L56 [2] https://github.com/cilium/cilium/blob/933bdcbec9319b0148b12688f720fbaaf55e0dba/pkg/egressgateway/manager.go#L83 Fixes: 69e4c69 ("k8s: optimize API calls made to kube-apiserver") Signed-off-by: André Martins <andre@cilium.io>

aanm · 2022-11-21T23:45:13Z

/test

michi-covalent

a magical one-line fix

aanm · 2022-11-22T12:03:42Z

Travis hit #21730

aanm added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. needs-backport/1.12 labels Nov 21, 2022

aanm requested a review from a team as a code owner November 21, 2022 20:25

aanm requested a review from nathanjsweet November 21, 2022 20:25

maintainer-s-little-helper bot added this to Needs backport from master in 1.12.5 Nov 21, 2022

tommyp1ckles approved these changes Nov 21, 2022

View reviewed changes

christarazi added the sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. label Nov 21, 2022

christarazi approved these changes Nov 21, 2022

View reviewed changes

aanm force-pushed the pr/fix-cn-cache-retrieval branch from d611c8a to 9d0415f Compare November 21, 2022 23:45

aanm added the feature/egress-gateway Impacts the egress IP gateway feature. label Nov 21, 2022

michi-covalent approved these changes Nov 21, 2022

View reviewed changes

nathanjsweet approved these changes Nov 22, 2022

View reviewed changes

aanm merged commit 3a5e985 into cilium:master Nov 22, 2022

tklauser mentioned this pull request Nov 22, 2022

v1.12 backports 2022-11-22 #22308

Merged

tklauser added backport-pending/1.12 and removed needs-backport/1.12 labels Nov 22, 2022

maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.12 in 1.12.5 Nov 22, 2022

jrajahalme added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Nov 24, 2022

maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.5 Nov 24, 2022

aanm deleted the pr/fix-cn-cache-retrieval branch November 24, 2022 19:46

joestringer mentioned this pull request Dec 16, 2022

Prepare for release v1.12.5 #22767

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pkg/k8s: fallback on retrieving CiliumNode from kube-apiserver #22298

pkg/k8s: fallback on retrieving CiliumNode from kube-apiserver #22298

aanm commented Nov 21, 2022 •

edited

aanm commented Nov 21, 2022

michi-covalent left a comment

aanm commented Nov 22, 2022

pkg/k8s: fallback on retrieving CiliumNode from kube-apiserver #22298

pkg/k8s: fallback on retrieving CiliumNode from kube-apiserver #22298

Conversation

aanm commented Nov 21, 2022 • edited

aanm commented Nov 21, 2022

michi-covalent left a comment

Choose a reason for hiding this comment

aanm commented Nov 22, 2022

aanm commented Nov 21, 2022 •

edited