Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GC might delete objects during kube-apiserver startup #104342

Closed
tkashem opened this issue Aug 12, 2021 · 7 comments · Fixed by #104281, openshift/kubernetes#889 or #104748
Closed

GC might delete objects during kube-apiserver startup #104342

tkashem opened this issue Aug 12, 2021 · 7 comments · Fixed by #104281, openshift/kubernetes#889 or #104748
Assignees
@tkashem
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@tkashem
Copy link
Contributor

tkashem commented Aug 12, 2021

What happened:

GC may delete objects during startup while the apiserver has not fully initialized yet.

One potential case where it can happen: CRDs are available through informers

  • kube-apiserver is starting, its informers have not synced yet
  • GC sends a query (GET a CR)
  • since the informers have not synced yet, GC may get a 404
  • This may potentially lead GC to delete objects

What you expected to happen:

kube-apiserver should respond with a Retry-After until it has fully initialized. GC will get a 429 with a Retry-After response header in this case.

How to reproduce it (as minimally and precisely as possible):

With an HA cluster it's hard to reproduce.

Anything else we need to know?:

Environment:
@tkashem tkashem added the kind/bug Categorizes issue or PR as related to a bug. label Aug 12, 2021
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 12, 2021
@tkashem
Copy link
Contributor Author

tkashem commented Aug 12, 2021

/assign @tkashem

cc @sttts

@tkashem
Copy link
Contributor Author

tkashem commented Aug 12, 2021

/sig api-machinery

@tkashem tkashem mentioned this issue Aug 12, 2021
Merged
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 12, 2021
@tkashem tkashem changed the title GC might delete objects during startup GC might delete objects during kube-apiserver startup Aug 12, 2021
@caesarxuchao
Copy link
Member

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 12, 2021
@tkashem tkashem mentioned this issue Aug 17, 2021
Merged
@caesarxuchao
Copy link
Member

Hi @tkashem, I'm curious on the details of this bug.

GC ignores the CR if the CRD is not listed in the apiserver's API discovery doc (see this comment).
So is this bug happening because the CRD is listed in the API discovery doc, but the apiserver isn't ready to actually serve the CR? If that's the case, can we fix it in the apiserver by avoiding listing the CRD in the discovery doc until the server is ready to serve it?

@tkashem tkashem mentioned this issue Aug 27, 2021
Merged
@p0lyn0mial p0lyn0mial mentioned this issue Sep 3, 2021
Merged
@MikeSpreitzer
Copy link
Member

MikeSpreitzer commented Sep 8, 2021
edited

@caesarxuchao : remember there are multiple processes that can restart here. I have not studied the GC code myself, but colleagues reported to me that they had done root cause analysis on some incorrect deletions of child objects. If I understood and recall correctly, they said to me that the failure scenario is a restart of a kube-apiserver --- long after the controller manager had started up GC --- and the parent object (as well as the falsely orphaned child) being served from an aggregated custom apiserver, and the garbage collector specifically querying for the parent in the startup time when the corresponding APIService had not yet been fully processed. This would be release 1.18 at the latest, possibly 1.16 or 1.17.

@tkashem
Copy link
Contributor Author

tkashem commented Sep 8, 2021

So is this bug happening because the CRD is listed in the API discovery doc, but the apiserver isn't ready to actually serve the CR? If that's the case, can we fix it in the apiserver by avoiding listing the CRD in the discovery doc until the server is ready to serve it?

@caesarxuchao yes, i guess there is an inherent race between the CRD being available in discovery and serving the CR. I am not very familiar with the CRD logic, @p0lyn0mial is working on a PR #104748 to fix this race.

@roycaihw roycaihw mentioned this issue Oct 15, 2021
Merged
@MikeSpreitzer
Copy link
Member

  1. There may be some confusion here around the term "CRD". The opening comment of this issue uses that term where I think "CR" is meant. In the case my colleagues found, the problem concerned a custom resource served from an aggregated custom apiserver NOT an object defined by a CRD.
  2. The scenario that troubled my colleagues involved a restart of a kube-apiserver between the time when the GC read discovery and when GC queried about a particular parent object.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tkashem tkashem

Labels
kind/bug Categorizes issue or PR as related to a bug. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
4 participants
@caesarxuchao @tkashem @MikeSpreitzer @k8s-ci-robot