kubelet: respect exec probe timeouts

[andrewsykim]

Signed-off-by: Andrew Sy Kim kim.andrewsy@gmail.com

What type of PR is this?

/kind bug

What this PR does / why we need it:
This PR fixes exec timeout issues for both dockershim and containerd.

When using kubelet dockershim, the exec timeout is not respected which results in timeouts for exec readiness/liveness probes to not be respected as well. This PR ensures the timeout passed into RunInContainer for dockershim is respected. The timeout value passed into RunInContainer is derived from the probe timeout in the case of readiness/liveness probes.

For containerd, the prober ignores timeout errors from remote runtime's ExecSync since it expects utilexec.ExitCodeError for any failed probes. Any other error ends up being ignored by the prober. This PR updates ExecSync to return utilexec.ExitCodeError when the grpc error from CRI is DeadlineContextExceeded.

Which issue(s) this PR fixes:

Fixes #94080

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

ACTION REQUIRED: a bug was fixed in kubelet where exec probe timeouts were not respected. Ensure that pods relying on this behavior are updated to correctly handle probe timeouts.

This change in behavior may be unexpected for some clusters and can be disabled by turning off the ExecProbeTimeout feature gate. This gate will be locked and removed in future releases so that exec probe timeouts are always respected.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[andrewsykim]

I was able to reproduce this on a GKE cluster.

Deployed a pod where the exec probe takes 10s to pass and the timeout is set to 1. On nodes with existing kubelet, the probe passes since the timeout is not respected.

I manually updated one of the kubelets with this change and now the timeout is respected and the readiness probe fails.

$ kubectl get po -o wide
NAME                               READY   STATUS    RESTARTS   AGE     IP         NODE                                       NOMINATED NODE   READINESS GATES
slow-deployment-6989cc5777-bc92t   1/1     Running   0          4h26m   10.4.2.5   gke-cluster-1-default-pool-9c83cf52-q55l   <none>           <none>
slow-deployment-6989cc5777-cvhhz   1/1     Running   0          4h26m   10.4.0.7   gke-cluster-1-default-pool-9c83cf52-nchv   <none>           <none>
slow-deployment-6989cc5777-f4vhj   0/1     Running   0          4h26m   10.4.1.6   gke-cluster-1-default-pool-9c83cf52-n6x4   <none>           <none>

Deployment:

$ cat slow.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: slow-deployment
  labels:
    app: slow
spec:
  replicas: 3
  selector:
    matchLabels:
      app: slow
  template:
    metadata:
      labels:
        app: slow
    spec:
      containers:
      - name: slow
        image: jugosag/slow:1.0.0
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        env:
        - name: healthCheckSlowness
          value: "10"
        readinessProbe:
          exec:
            command:
            - curl
            - -f
            - localhost:8080/slow?timeInSecs=10
          initialDelaySeconds: 2
          periodSeconds: 1
          timeoutSeconds: 1

Thanks @jgoeres for the test deployment.

[andrewsykim]

I think this count check should be removed now since we're checking the timeout now, but I'll defer to kubelet maintainers since I don't have context on why this is here originally.

[dims]

looks like earlier we just had an infinite loop until InspectExec can tell us that the process we started exited... the count was added to break out of it in 7748a02

[andrewsykim]

Nvm, I think we need to keep this since it's expected behavior for kubelet to exit at some point with a nil error and allow the exec'd command to continue running.

[andrewsykim]

That or there should be some default timeout here, but don't want to introduce new changes here.

[dims]

/assign @dashpole @sjenning

[dims]

@andrewsykim also additional context, see #50176

[SergeyKanzhelev]

is it an alternative to this PR: #58925?

[andrewsykim]

/retest

[andrewsykim]

e2e failures look legit, will dig into it

/hold

[andrewsykim]

need to check for 0 timeout, since exec outside of probes will have 0 timeout

[dionysius]

Doesn't this mean that any probe, without timeout, taking longer than 10 seconds will automatically be no error, independent of what the actual exit of the command is?

[ehashman]

There have been a number of follow-ups to this PR since it landed so I suggest you take a look at what's committed on the master branch.

[dionysius]

Ignore my question - interpretation error from my side, on master (and probably on this commit as well) client.StartExec() is blocking and thus this code block happens after the command has finished in some form. It is 10 seconds maximum for gathering the exit info, although the code on master is slightly different with the same effect.

[PrabhuMathi]

Facing same issue in 1.19.7 (AKS) with containerd(1.5.0-beta) as cri. Could you please advise in which version of containerd or kubernetes patch this was fixed?

Pod stuck in running 0/1 status

readinessProbe: exec: command: - sleep - "15" failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 2

Readiness probe errored: rpc error: code = DeadlineExceeded desc = failed to exec in container: timeout 2s exceeded: context deadline exceeded

[matthyx]

@PrabhuMathi I don't think this commit has been cherry-picked in 1.19 - you'll have to use 1.20 or above

[PrabhuMathi]

@PrabhuMathi I don't think this commit has been cherry-picked in 1.19 - you'll have to use 1.20 or above

@matthyx thanks for the update, Let me give timeout in the command itself as mentioned and proceed. Also started facing readiness probe failure after migrating to Containerd any ref on this please?

[SergeyKanzhelev]

@PrabhuMathi I don't think this commit has been cherry-picked in 1.19 - you'll have to use 1.20 or above

@matthyx thanks for the update, Let me give timeout in the command itself as mentioned and proceed. Also started facing readiness probe failure after migrating to Containerd any ref on this please?

As far as I remember, with Containerd before 1.19, probe will timeout, but it will not be treated as an error. With Docker there will be no timeout. Is it what you experience?

[PrabhuMathi]

@PrabhuMathi I don't think this commit has been cherry-picked in 1.19 - you'll have to use 1.20 or above

@matthyx thanks for the update, Let me give timeout in the command itself as mentioned and proceed. Also started facing readiness probe failure after migrating to Containerd any ref on this please?

As far as I remember, with Containerd before 1.19, probe will timeout, but it will not be treated as an error. With Docker there will be no timeout. Is it what you experience?

Yes true in docker same pod runs fine, but when i move it to contained node facing this issue, but actual problem i'm facing is not about timeout but readiness probe is failing with command (sleep 15)

[matthyx]

@PrabhuMathi can you share your podspec?