Wait for APIServer 'ok' forever during CSINode initialization during Kubelet init

[jsafrane]

This is fixed version of #88000 when @davidz627 is out.

• fixed unit test speed
• added logs
• probe API server by getting a dummy CSINode object. Kubelet may have limited permission during TLS bootstrap and we need kubelet with real permission to publish CSINode.

I kept David's commit there, so he gets credit for the fix.

---

If APIServer takes a long time to initialize (faster than the timeout for CSI Node intialization) the Kubelet may kill itself before the APIServer has time to come up. This PR makes it so that the goroutine that initializes CSINode will poll and wait for APIServer initialization before starting the exponential backoff to create CSINode objects.

Fixes: #87964

/cc @misterikkit @msau42 @rphillips @marun @tedyu
/kind bug

CSINode initialization does not crash kubelet on startup when APIServer is not reachable or kubelet has not the right credentials yet.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/volume/csi/OWNERS [jsafrane]
• pkg/volume/testing/OWNERS [jsafrane]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jsafrane]

/priority important-soon

[jsafrane]

cc @liggitt to check CSINode probe. Is here a better way how to check TLS bootstrap is finished and kubelet is ready to start for real?

[tedyu]

Please modify this comment to be consistent with the node retrieval on line 934

[jsafrane]

fixed

[tedyu]

lastErr shouldn't be nil if the node is non-existent :-)

[jsafrane]

you never know :-)

[jsafrane]

One could crash break whole cluster by creating a node with nonExistingNodeName.

[tedyu]

Since the node may exist, we can give it name such as possiblyExistingNodeName

[jsafrane]

Trick with getting CSINode does not work:

Failed to contact API server when waiting for CSINode publishing: csinodes.storage.k8s.io "nonExistingNodeName" is forbidden: User "system:node:e2e-29112e7941-674b9-minion-group-1djj" cannot get resource "csinodes" in API group "storage.k8s.io" at the cluster scope: can only access CSINode with the same name as the requesting node

[tedyu]

With the following change to csi_plugin (nonExistingNodeName is no longer used), test suites pass:

		err := waitForAPIServerForever(kubeClient, host.GetHostName())
...
func waitForAPIServerForever(client clientset.Interface, host string) error {
...
		_, lastErr = client.StorageV1().CSINodes().Get(context.TODO(), host, meta.GetOptions{})

[jsafrane]

Updated to get CSINode of the current node.

[k8s-ci-robot]

@jsafrane: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-kubernetes-e2e-kind-ipv6	8bdbd4d	link	/test pull-kubernetes-e2e-kind-ipv6

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[tedyu]

/lgtm

[jsafrane]

Edited the release note a bit to emphasize kubelet panic.