GCE: Delete cluster will also delete the DNS entries created by kubernetes #8250
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @mccare. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/assign @geojaz |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
|
||
| zoneResponse, err := d.gceCloud.NameService().ManagedZones.List(d.gceCloud.Project()).Do() | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error getting GCE DNS zones %v", err) |
There was a problem hiding this comment.
This feels copypasta'd from AWS. I would prefer to s/getting GCE DNS zones/listing Cloud DNS zones (GCP Cloud DNS zones?) or similar.
There was a problem hiding this comment.
I checked the aws implementation, and I was wrong about copypasta, but my comment stands :)
There was a problem hiding this comment.
Not quite sure what you mean, the naming of NameService() to CloudDNS()?
There was a problem hiding this comment.
Sorry, this was a nit. I would update the Error to error listing Cloud DNS zones.
pkg/resources/gce/gce.go
Outdated
| continue | ||
| } | ||
|
|
||
| if !strings.HasSuffix(record.Name, "."+d.clusterName+".") { |
There was a problem hiding this comment.
I think you're missing some interpolation here?
There was a problem hiding this comment.
Regardless, the logic feels a bit arbitrary to me. If I'm reading this correctly, you're basically trying to figure out if Cloud DNS records are records that we care about (and thus would need to delete). Would it be useful to pull out the logic to figure out if a given record is one that we should be cleaning up after into a helper?
One major thing that I think we're not yet considering, but was eluded to in the comments of the faux-original implementation (commented out) is the concept of "shared" ownership; ie: assuming there is a record in cloud dns that we think we/kops should own, do we really own it? In this case, i'm not trying to poke holes in your implementation, i'm trying to figure out how to clean up after ourselves... I don't have an answer or suggestion right now.
There was a problem hiding this comment.
Basically the implementation was taken from the AWS implementation.
I've refactored some:
- pulled out the method if a DNS name is kops managed into the clusterDiscoveryGCE (Best would be if this would be a general method for all providers )
- Only api, api.internal and bastion. will be deleted.
- Master-public-name which can be set at the command line will not be deleted. I would need access to the Cloudspec which is not accessible from here
- etcd seems obsolete since the implementation of etcd-manager (see buildPrecreateDNSHostnames in dns.go)
I've readded the check for gossip host name, that was in the previous comments. As far as I understood the previous comments, they were mentioning shared zones. The records we delete are created by kubernetes. So IMHO they can't be really shared (only one A record per name allowed) and can be deleted.
This is not to say that the code may not delete a record e.g. in a private only zone with the same DNS name as the public zone. But from my tests I cannot create a cluster where there is a private a public zone with the same DNS name.
There was a problem hiding this comment.
This is not to say that the code may not delete a record e.g. in a private only zone with the same DNS name as the public zone. But from my tests I cannot create a cluster where there is a private a public zone with the same DNS name.
I think we can probably not worry about shared ownership of Cloud DNS records, but I think it's possible to end up in a place where you have a shared Zone. Whether or not kops supports that right now for gce is an open question.
For zones, would it be possible to add a label like we have in many AWS resources? I was thinking that if a zone was specified that already existed, we could add label: "kubernetes.io/cluster/" + clusterName = "shared". Then we could skip deletion of that zone.
This seems like a great place for some tests to make sure that we're cleaning up when we need to and not deleting shared resources, but I'm not sure which route to follow without doing some more thinking. @rifelpet Do you have any suggestions?
There was a problem hiding this comment.
Using labels sounds optimal. Indeed for AWS resources we dont want kops to manage, kops supports detecting a shared label/tag and if it is present, it wont delete the resource. In AWS it is mostly around networking (VPC, subnets, etc) but I think it makes sense to use it for DNS zones as well.
mccare
force-pushed
the
gce-delete-dns-entries-for-cluster-delete
branch
5 times, most recently
from
2f9a26b
to
932be2b
Compare
mccare
force-pushed
the
gce-delete-dns-entries-for-cluster-delete
branch
from
932be2b
to
8f9e455
Compare
mccare
force-pushed
the
gce-delete-dns-entries-for-cluster-delete
branch
from
8f9e455
to
956d4b5
Compare
|
|
||
| for _, record := range r { | ||
| r := record.Obj.(*clouddns.ResourceRecordSet) | ||
| zoneName = record.Name |
There was a problem hiding this comment.
Using the groupKey would be great here
|
|
||
| if d.isKopsManagedDNSName(record.Name) { | ||
| resource := resources.Resource{ | ||
| Name: zone.Name, |
There was a problem hiding this comment.
I think this is shown to the user, so it might be nice to keep this as record.Name
|
Thanks @mccare this looks great. I had one idea about using the group key for the zone name, but I'm going to experiment in a follow-on PR (and will cc you if it works!). /approve |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb, mccare The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Fixes build problems caused by concurrent changes
justinsb
force-pushed
the
gce-delete-dns-entries-for-cluster-delete
branch
from
956d4b5
to
765fa36
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
Use the GroupKey to pass the zone name, meaning the name can be the user-facing value. Follow-on to kubernetes#8250
Kops delete clusterwill now also delete the GCE DNS entries.GCE DNS deletion is done by creating a Change object with resource record deletions/additions for one zone. So the implementation is using the GroupDeleter and the GroupKey.
For deletion the zone.name was needed and was not present in the dns.ResourceRecordSet. So I passed it along as the name of the ResourceRecord to be deleted.
Any hints or pointers on how to write tests for this change very much appreciated. Works in my use case (example cluster on GCE).