Exercise etcd connectivity in the /healthz/ping endpoint #48215
Comments
k8s-ci-robot
added
the
kind/feature
|
@bjhaid There are no sig labels on this issue. Please add a sig label by: |
k8s-github-robot
added
the
needs-sig
|
/sig api-machinery |
k8s-ci-robot
added
the
sig/api-machinery
k8s-github-robot
removed
the
needs-sig
|
thanks @xiangpengzhao |
|
Checking to see if you can reach etcd makes sense. I don't think it should be part of ping though. How about a separate health check which is conditional on having a storage a config which speaks to etcd? |
It would be better to have an health check that exercises whatever storage backend is in use, however if that's too complex maybe having something etcd specific would be okay. |
I think those would be different health checks. It is possible to have multiple backends for a single server. Consider the arguments around events we're having now. |
|
@deads2k how about aggregating health checks for multiple backends into a single endpoint? |
|
|
if any constituent health check (see |
|
ah makes perfect sense, so how will this be turned into a work stream? ;) I also don't mind taking a stab at implementing it with some guidance |
|
@deads2k I got something working here: It's doesn't have tests, but I have tested it from the command line and it works as expected, I can maybe add tests and move the logic to a separate function if you think this makes sense |
Yeah, it looks close enough to be worth a pull and some tests |
|
Thanks ❤️ I'll clean it up and send in a PR |
|
/assign @jpbetz |
|
@lavalamp: GitHub didn't allow me to assign the following users: jpbetz. Note that only kubernetes members can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@lavalamp I actually have a WIP for this and was going to PR this tomorrow |
|
Loosely related to this- Etcd's own /health endpoint will start correctly reporting as unhealthy when any alarms are triggered: etcd-io/etcd#8272. This won't be available till etcd 3.3.0 |
|
@jpbetz that will not solve the motivation for this issue, the apiserver was fenced off from having a network communication with etcd and the healthz endpoints still reported healthy, even though all critical api requests were failing |
Automatic merge from submit-queue (batch tested with PRs 49989, 49806, 49649, 49412, 49512) This adds an etcd health check endpoint to kube-apiserver addressing #48215. **What this PR does / why we need it**: This ensures kube-apiserver `/healthz` endpoint fails whenever connectivity cannot be established to etcd, also ensures the etcd preflight checks works with unix sockets **Which issue this PR fixes**: fixes #48215 **Special notes for your reviewer**: This PR does not use the etcd client directly as the client object is wrapped behind the storage interface and not exposed directly for use, so I decided to reuse what's being done in the preflight. So this will only check fail for connectivity and not etcd auth related problems. I did not write tests for the endpoint because I couldn't find examples that I could follow for writing tests for healthz related endpoints, I'll be willing to write those tests if someone can point me at a relevant one. **Release note**: ```release-note Add etcd connectivity endpoint to healthz ``` @deads2k please help review, thanks!
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
What happened:
We fenced off an api-server from connecting to etcd, however the
/healthz/pingendpoint was returning 200What you expected to happen:
The
/healthz/pingendpoint to exercise connectivity to etcd and return a 500 type response code if it can't connect to etcd since the apiserver is useless without etcdThe text was updated successfully, but these errors were encountered: