Replicaset and Deployment are out-of-sync #117008
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the `triage/accepted` label and provide further guidance.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/sig apps
I work with @akunszt and we have continued trying to figure this issue out. We're still unsure what exactly is causing this behavior, but we have some new observations:
With more investigation we have learned that this behavior is specifically tied to watch requests. With a cluster in the degraded state, get requests for a test resource return up-to-date information, but watch requests for the same resource return stale data. I believe kube-apiserver somehow ended up in a state where it stopped updating its watch cache. We don't have any custom watch-cache configuration. I'm surprised that others are not running into this issue, so I suspect there must be something about our environment that is triggering some rare edge case.
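For anyone who wants to check a cluster for this: below is a minimal probe sketch using client-go. The ConfigMap name `probe`, the `default` namespace, and the kubeconfig location are placeholders. A get with `resourceVersion` unset is a quorum read served from etcd, while `resourceVersion: "0"` allows the apiserver to answer from its watch cache, so a cached resourceVersion that never catches up after an update points at a stuck watch cache.

```go
// Hedged sketch: probe for a stale watch cache by comparing a quorum read
// (resourceVersion unset, served from etcd) against a cache read
// (resourceVersion="0", may be served from the apiserver's watch cache).
// The ConfigMap "probe" in "default" and the kubeconfig path are placeholders.
package main

import (
	"context"
	"fmt"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	cfg, err := clientcmd.BuildConfigFromFlags("", clientcmd.RecommendedHomeFile)
	if err != nil {
		panic(err)
	}
	client := kubernetes.NewForConfigOrDie(cfg)
	ctx := context.Background()

	// Quorum read: goes through to etcd.
	fresh, err := client.CoreV1().ConfigMaps("default").Get(ctx, "probe", metav1.GetOptions{})
	if err != nil {
		panic(err)
	}
	// Cache read: the apiserver may answer from its watch cache.
	cached, err := client.CoreV1().ConfigMaps("default").Get(ctx, "probe", metav1.GetOptions{ResourceVersion: "0"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("etcd rv=%s, watch-cache rv=%s\n", fresh.ResourceVersion, cached.ResourceVersion)
}
```

Update the ConfigMap, run the probe again, and if the cached resourceVersion persistently lags the quorum one, the watch cache has stopped updating.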
We've now seen the behavior with Secrets as well. Further investigation points to the load balancer between kube-apiserver and etcd making a big difference. We use an AWS ALB between these components. This Stack Overflow thread has reports that ALBs don't forward HTTP/2 pings, and we suspect that those pings are the mechanism that keeps otherwise-idle etcd watches alive. When we run an etcd watch from our dev machines via a direct connection to an etcd instance, via an ALB, and via an NLB, only the ALB drops the connection, after 10 minutes or so. With the direct connection and with the NLB, the watch stays alive for hours despite there being no data to send through the connection.

Normally this doesn't seem to be a problem: when the connection closes, kube-apiserver recognizes this and recreates it. However, in some rare scenarios this doesn't happen. This could be a networking issue (the client doesn't see the connection being closed) or some kind of bug in kube-apiserver where it doesn't recreate the connection; I'm not sure which is the real scenario. I suspect a bug in kube-apiserver, because we started observing this behavior when we upgraded to Kubernetes v1.26, and we didn't upgrade etcd or change anything about the networking between kube-apiserver and etcd.
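For context, the keepalive in question is gRPC's keepalive ping (an HTTP/2 PING frame), configured on the etcd client at dial time; if a middlebox swallows those frames, an idle watch stream can die silently. A minimal sketch with etcd's Go client follows. The endpoint is a placeholder and the 30s/10s intervals are illustrative, not a claim about any particular kube-apiserver configuration.

```go
// Hedged sketch of client-side gRPC keepalive on an etcd v3 client.
package main

import (
	"time"

	clientv3 "go.etcd.io/etcd/client/v3"
)

func newEtcdClient() (*clientv3.Client, error) {
	return clientv3.New(clientv3.Config{
		Endpoints: []string{"https://etcd.example.internal:2379"}, // placeholder endpoint
		// Send an HTTP/2 keepalive ping after 30s of inactivity...
		DialKeepAliveTime: 30 * time.Second,
		// ...and treat the connection as dead if no ack arrives within 10s.
		DialKeepAliveTimeout: 10 * time.Second,
	})
}

func main() {
	cli, err := newEtcdClient()
	if err != nil {
		panic(err)
	}
	defer cli.Close()
}
```

If the load balancer drops the PING frames, the client-side timeout fires and the client reconnects; the failure mode described above would require that detection to somehow not happen.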
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:

- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:

- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:

- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:

- Mark this issue as fresh with `/remove-lifecycle rotten`
- Close this issue with `/close`
- Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:

- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:

- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@HirazawaUi: Reopened this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/sig api-machinery

/remove-lifecycle rotten

/remove-sig api-machinery
What happened?
This is a very elusive bug we started to see after we upgraded to 1.26. Everything works great, but after a few days the kube-controller-manager stops syncing/reconciling(?) the current replicas between the Deployment and the ReplicaSet. When this happens it affects all the Deployments in the cluster, and our only workaround is to kill the active kube-controller-manager process on the master node. The new active kube-controller-manager that takes over syncs the values and everything is fine, for a few days.
It affects all of our clusters running Kubernetes 1.26, but we don't know how to reproduce it or how long we need to wait for it to happen.
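To identify which instance is active before killing it, the kube-controller-manager leader-election Lease can be inspected. A minimal client-go sketch, assuming the default Lease name and namespace (the kubeconfig location is a placeholder):

```go
// Hedged sketch: read the leader-election Lease to find the active
// kube-controller-manager. Assumes the default Lease "kube-controller-manager"
// in the "kube-system" namespace.
package main

import (
	"context"
	"fmt"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	cfg, err := clientcmd.BuildConfigFromFlags("", clientcmd.RecommendedHomeFile)
	if err != nil {
		panic(err)
	}
	client := kubernetes.NewForConfigOrDie(cfg)

	// kube-controller-manager records its current leader in this Lease by default.
	lease, err := client.CoordinationV1().Leases("kube-system").Get(
		context.Background(), "kube-controller-manager", metav1.GetOptions{})
	if err != nil {
		panic(err)
	}
	if lease.Spec.HolderIdentity != nil {
		fmt.Println("active kube-controller-manager:", *lease.Spec.HolderIdentity)
	}
}
```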
What did you expect to happen?
The ReplicaSet and Deployment replica values stay in sync and we can scale our Deployments safely.
How can we reproduce it (as minimally and precisely as possible)?
It looks like a race condition, which we have not been able to reproduce.
Anything else we need to know?
We are using HPA with external metrics, though this might be totally unrelated.
The kube-controller-manager logs related to a Deployment that failed to scale.
As a test we deleted the HPA, but it didn't resolve the issue; we still had to terminate the kube-controller-manager process. Although this can be explained by the kube-controller-manager already being in a bad state at that point.
This is how the Deployment status looked:
While the ReplicaSets showed a different number of replicas.
And there were 3 running pods too.
As a test I scaled another Deployment in a different namespace, which also failed, and I didn't find any logs related to the scale operation I initiated in the kube-controller-manager logs, which is strange. A sketch of the comparison we do by hand is below.
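To make that comparison repeatable, something like the following client-go sketch dumps a Deployment's desired/observed replica counts next to those of the ReplicaSets it owns. The namespace `default` and Deployment name `my-app` are placeholders:

```go
// Hedged sketch: compare a Deployment's replica counts against its ReplicaSets.
package main

import (
	"context"
	"fmt"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	cfg, err := clientcmd.BuildConfigFromFlags("", clientcmd.RecommendedHomeFile)
	if err != nil {
		panic(err)
	}
	client := kubernetes.NewForConfigOrDie(cfg)
	ctx := context.Background()

	deploy, err := client.AppsV1().Deployments("default").Get(ctx, "my-app", metav1.GetOptions{})
	if err != nil {
		panic(err)
	}
	fmt.Printf("deployment: spec.replicas=%d status.replicas=%d\n",
		*deploy.Spec.Replicas, deploy.Status.Replicas)

	// List all ReplicaSets in the namespace and keep those owned by the Deployment.
	rss, err := client.AppsV1().ReplicaSets("default").List(ctx, metav1.ListOptions{})
	if err != nil {
		panic(err)
	}
	for _, rs := range rss.Items {
		for _, ref := range rs.OwnerReferences {
			if ref.Kind == "Deployment" && ref.Name == deploy.Name {
				fmt.Printf("replicaset %s: spec.replicas=%d status.replicas=%d\n",
					rs.Name, *rs.Spec.Replicas, rs.Status.Replicas)
			}
		}
	}
}
```

In the degraded state described above, the Deployment's counts and the owned ReplicaSets' counts would disagree and stay that way until the active kube-controller-manager is restarted.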
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
I don't think these are relevant: