Explicitly destroy kube-apiserver-sni resources before the kube-apiserver-service is destroyed. #4068
Conversation
|
@ScheererJ Thank you for your contribution. |
gardener-robot
added
needs/review
size/XS
|
@ScheererJ , can you give more details about the issue and how to reproduce it? /assign @mvladev |
I think the problem is that the This causes problems for Istio / Envoy. |
@ialidzhikov we had a cluster two weeks ago were deletion was stuck. The remaining envoy filter caused others cluster's envoy configurations to not be applied anymore as the envoy configuration was inconsistent. We did not try to reproduce it, though. |
ScheererJ
force-pushed
the
bugfix/explicitly-destroy-kube-apiserver-sni-on-shoot-deletion
branch
from
b6e43ca
to
f4e56f2
Compare
Could you please add appropriate release note of type |
@ialidzhikov I added a release note. Any feedback? |
|
@ScheererJ Still, why is the destruction task of the |
@rfranzke In discussion with @mvladev, he suggested that kube-apiserver-sni should be deleted before kube-apiserver-service to reverse the creation order. From his perspective, kube-apiserver-service should be deleted as part of the controlplane deletion. This is why I added the dependency. @ialidzhikov I am still trying to figure out where kube-apiserver-service is actually being deleted. It does not seem completely obvious. |
|
I don't think we explicitly delete the |
@mvladev How should we proceed then? Should I also introduce the explicit destruction of the |
|
I don't know if deletion of the |
|
Ok, but so that we are on the same page: The task for the |
|
OK, sure :) I guess @ialidzhikov were just confused how the other task (deletion of |
This sounds good to me. Going one step back, as we now know that the kube-apiserver Service is not deleted explicitly, the following statement from the release note does not sound good:
We know that both envoy filter and kube-apiserver are deleted as part of the Namespace deletion at the end of the Shoot deletion flow. So what is the real issue? Envoy filter is not deleted when the apiserver Deployment is deleted and this is causing issues? So we now need to delete envoy filter when we delete the apiserver Deployment? |
…rver-service is destroyed.
|
The envoy filter is not located in the shoot namespace on the seed, but in the istio-ingress namespace. Therefore, there is a race. |
ScheererJ
force-pushed
the
bugfix/explicitly-destroy-kube-apiserver-sni-on-shoot-deletion
branch
from
f4e56f2
to
910c8a8
Compare
You are right, I missed that the envoyfilter is in the istio-ingress ns. I see that the envoyfilter has ownerReference to the Shoot namespace in the Seed and that's how it is deleted. |
…rver-service is destroyed. (gardener#4068)
…rver-service is destroyed. (gardener#4068)
In case the envoy filter, which is part of kube-apiserver-sni, is not destroyed before the kube-apiserver-service the envoy configuration might become inconsistent. An inconsistent envoy configuration might affect other clusters as no new configuration changes can be applied. The resolution is to destroy the sni resources earlier.
How to categorize this PR?
/area networking
/kind bug
What this PR does / why we need it:
Explicitly destroys the kube-apiserver-sni resources during the shoot cluster deletion to prevent other cluster configuration changes to be affected by a race during the deletion.
Which issue(s) this PR fixes:
None.
Special notes for your reviewer:
Release note: