federation: Support cascading deletion

[nikhiljindal]

Problem: There are 2 related problems:

• When user deletes a federated object, corresponding objects created in underlying objects are not deleted. For ex: if user creates a federated service, we create a corresponding service in each cluster. When the federated service is deleted, these services in underlying clusters does not get deleted automatically.
• When a cluster is removed from federation, objects that the federation control plane created in that cluster are not deleted. For ex: if user creates a federated service, we create a corresponding service in each cluster. When a cluster is removed from federation, the service corresponding to the federated service in that cluster does not get deleted automatically.

Now that we have cascading deletion in kubernetes, we should support cascading deletion in federation as well. As in kubernetes, we will give users the option to disable it.

cc @kubernetes/sig-cluster-federation

[nikhiljindal]

We have 2 options:

• Use kubernetes Garbage Collector model; Or
• Let each controller delete the corresponding dependent objects

Garbage collector model

How it works in kubernetes

There is a separate Garbage Collector controller whose job is to ensure that all dependent objects are deleted when the "owner" object is deleted.
It watches for all resources and if it finds an object for which all objects referred by its ObjectMeta.OwnerReference do not exist, then it deletes that object.

Work required to extend it for federation:

• Garbage collector today assumes that a single apiserver knows about all resources. We will need to make it aware of cross cluster dependencies and how to fetch resources from multiple clusters.
• Will need to extend OwnerReference to represent cross cluster references.
• To prevent conflict with the kubernetes garbage collector, will need to limit the k8s garbage collector to objects with OwnerReferences in the same cluster, and limit federation garbage collector to objects with OwnerReferences in federation control plane.

Pros:

• Centralized cascading deletion logic, rather than spread across controllers.

Cons

• Requires an update to k8s garbage collector. federation garbage collector will conflict with cluster gc, if its not the latest.

Let each controller delete the corresponding dependent objects

How will this work

When a controller (for ex: the federation replica set controller) observes a new federated object (federated replicaset), it first adds a finalizer to it before creating any dependent objects (replicasets in underlying clusters).
When a federated object is deleted, federation-apiserver will just set the deletion timestamp instead of deleting it if the object has a finalizer.
When the controller sees an object with deletion timestamp set, it will delete all dependent objects it had created for that federated object and then delete the federated object after removing the finalizer.

Pros:

• The controller that is creating the dependent objects is responsible for deleting the same objects.
• These federation controllers are already cross-cluster resources aware.
• No conflict with k8s garbage collector.

Cons:

• Deletion logic is spread across controllers.

[nikhiljindal]

Based on discussion with @caesarxuchao and @lavalamp, the second model seems better.

The second model is similar to how namespace deletion works in kubernetes.

[lavalamp]

I think the second model is workable.

The first model seems to have dependencies going the wrong way at first
glance.

On Tue, Sep 27, 2016 at 5:12 PM, Nikhil Jindal notifications@github.com
wrote:

Based on discussion with @caesarxuchao https://github.com/caesarxuchao
and @lavalamp https://github.com/lavalamp, the second model seems
better.

The second model is similar to how namespace deletion works in kubernetes.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#33612 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAngliHHOTFDBX0pZ16k_lpB-8NmFUwmks5qubDkgaJpZM4KIOjF
.

[ghost]

Yes, agree. The second model seems much better/simpler/more reliable/less
prone to terrible failures.

On Tue, Sep 27, 2016 at 5:34 PM, Daniel Smith notifications@github.com
wrote:

I think the second model is workable.

The first model seems to have dependencies going the wrong way at first
glance.

On Tue, Sep 27, 2016 at 5:12 PM, Nikhil Jindal notifications@github.com
wrote:

Based on discussion with @caesarxuchao https://github.com/caesarxuchao
and @lavalamp https://github.com/lavalamp, the second model seems
better.

The second model is similar to how namespace deletion works in
kubernetes.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://github.com/kubernetes/kubernetes/issues/
33612#issuecomment-250035528>,
or mute the thread
<https://github.com/notifications/unsubscribe-
auth/AAngliHHOTFDBX0pZ16k_lpB-8NmFUwmks5qubDkgaJpZM4KIOjF>
.

—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub
#33612 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AJ6NASmz24nm1v3_lxVBaLslz0Mfbvlxks5qubYigaJpZM4KIOjF
.

[caesarxuchao]

Some notes from our offline discussion: the k8s garbage collector is designed to handle dependencies among arbitrary resources. In the current federation use cases, the dependency is between an federation object and its k8s counterpart, so a generic garbage collector is an overkill. The second model is much easier, and the deletion logic spread in each controller is manageable.

[nikhiljindal]

Code for cascading deletion is now merged for namespaces. And now that we have the generic DeletionHelper class it should be relatively easy to extend it for all other federation resources which is what I am going to do next.
I am also refactoring namespaced resources deletion code to share the same common code in federation and kube namespace controllers: #35950
That fixes the first problem.

Cascading deletion for clusters (second problem in the original description of this issue) is a bit different. This involves deleting all resources from a kube cluster that were created by federation controllers when the cluster is removed from federation. Its different because now we are deleting different kind of resources than the one that was deleted by the user. The way I am planning to implement this is by cluster controller adding a finalizer to the cluster whenever it sees a new cluster. When user deletes a cluster, apiserver sets the deletion timestamp and adds the OrphanFinalizer depending on DeleteOptions. Cluster controller can then do the following for all clusters that have deletion timespace set:

• It checks if it has Orphan finalizer. If yes then it removes both the finalizers and deletes the cluster. Job done.
• If not, then cluster controller needs to ensure that all resources created by federation controllers are deleted from that cluster before removing its finalizer and deleting the cluster.

To track all resources created by federation controllers, I will update federation controllers to add a specific annotation when they create resources in underlying clusters. Cluster controller can use this annotation to list and delete these resources.
Will also update GetReadyClusters() to not return a cluster if it has deletion timestamp set, so that controllers dont create new resources in a cluster while it is being deleted.

[nikhiljindal]

Documenting discussion with @quinton-hoole

• There should be a clear way for users to find out what all will be deleted if they set orphanDependents = false.

The API documentation for that field is "Should the dependent objects be orphaned" without defining "dependents". For kubernetes its all resources with OwnerReferece pointing to this resource and for federation it is all resources of the same type and name in underlying clusters. This can clearly cause user confusion.

• In future, we might want another option that enables deleting dependents in federation control plane, but not in underlying clusters.

None of our resources have a dependent in federation control plane today. But good to keep in mind for future.

[nikhiljindal]

Status update for 1.5:
We support cascading deletion in Ingresses, Namespaces, Replica Sets, Secrets, Deployments and Daemon Sets. Config maps and services do not support this.
For services we were deleting all underlying resources by default, which was a bug. Fixing it in 1.5: #36799.

Next step is to support it in these 2 resources as well.

[nikhiljindal]

We also need to ensure that cascading deletion for federation resources works consistently with kubectl. Filed #38897 for that

[marun]

@nikhiljindal I see that cascade deletion was implemented for services.

I'm working on #40989, and as part of that work can enable cascade deletion for config maps.

[nikhiljindal]

@csbell has #40464 for adding cascading deletion support to configmaps.

[marun]

Ok, I won't work on refactoring the configmap controller until that merges.

[ghost]

@nikhiljindal it doesn't look like we've addressed the second part of this issue, namely what happens when clusters are removed from the federation. Can you confirm? Are you still working on this? If not, could you provide current status, and unassign yourself, so that we can find someone else to finish the required work please. Thanks.

[ghost]

Required for GA of federation.

[irfanurrehman]

This issue was labelled only for sig/multicluster and is thus moved over to kubernetes-retired/federation#75.
If this does not seem to be right, please reopen this and notify us @kubernetes/sig-multicluster-misc.
/close