kubelet is not able to delete pod with mounted secret/configmap after restart #96635
Comments
k8s-ci-robot
added
sig/node
|
It looks like kubelet is continuously trying to mount secret that has been deleted in the meantime: Is it possible to delete configmap or secret that is still mounted somewhere? |
|
mark |
|
The secret and configmap have been deleted at 08:13:17.372114 and 08:13:17.407192: The pod has been deleted at 08:13:17.496033: So the secret and configmap have been deleted before pod. This seems to be incorrect. So most likely the question is: Should we support pod deletion after mounted secret/configmap has been deleted? I don't have that much kubelet context, but I think we should (e.g. if some user accidentally removes configmap before pod, then the user should have a way to delete pod without recreating configmap) and this is the bug that it's not always the case. |
mborsz
changed the title
Yes, the kubelet should not block cleanup of the pod on unavailability of secret/configmap resources /sig storage |
k8s-ci-robot
added
the
sig/storage
|
/assign I have found the reason, i will fix it. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten This time pod "test-vil5th-43/small-deployment-227-5cd8b577c9-mfhx5" was not deleted. Example kubelet errors while trying to read deleted configmap/secret for this pod: |
k8s-ci-robot
removed
the
lifecycle/rotten
|
Ping, any updates? |
|
Friendly ping for the update. We came across this issue one again in a recent scale test job run: https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-scale-performance/1390713430448541696. |
Mitigate kubernetes/kubernetes#96635 in load test
|
/triage accepted I think this bug was known (we've been tracking similar issues in OpenShift) but no one had seen this issue. Let's get it on our CI board. |
k8s-ci-robot
added
triage/accepted
|
This looks like a "duplicate" of the issue here: #70044 |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten A similar failure scenario exists for CSI volumes. |
k8s-ci-robot
removed
the
lifecycle/rotten
|
FTR - it seems that #96790 is dead, so it's still an issue. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
Is this still an issue?(see below - yes it is still reproducible) I wonder if fixes @liggitt made in #105204 helped solve the issue. I wrote following script to try and reproduce it and I let it run for 3-4 hours and I could not see an single instance of pod stuck in terminating state: #!/bin/bash
/home/hekumar/redhat/kubernetes/_output/local/bin/linux/amd64/kubelet --v=3 --vmodule= --container-runtime=remote --hostname-override=127.0.0.1 --cloud-provider= --cloud-config= --bootstrap-kubeconfig=/var/run/kubernetes/kubelet.kubeconfig --kubeconfig=/var/run/kubernetes/kubelet-rotated.kubeconfig --container-runtime-endpoint=unix:///var/run/crio/crio.sock --config=/tmp/kubelet.yaml > /tmp/kubelet.log 2>&1 &
kubelet_pid=$!
sleep 20
echo "Kubelet is running with pid ${kubelet_pid}"
while true
do
echo "creating pods"
kubectl create -f config_map_path_pod.yaml
kubectl wait --for=condition=ready pod -l app=test
# wait for 10s
sleep 10
# stop kubelet
echo "Killing kubelet with pid ${kubelet_pid}"
kill -9 "${kubelet_pid}"
kubectl delete -f config_map_path_pod.yaml --wait=true --timeout=2s
echo "Starting Kubelet backup"
/home/hekumar/redhat/kubernetes/_output/local/bin/linux/amd64/kubelet --v=3 --vmodule= --container-runtime=remote --hostname-override=127.0.0.1 --cloud-provider= --cloud-config= --bootstrap-kubeconfig=/var/run/kubernetes/kubelet.kubeconfig --kubeconfig=/var/run/kubernetes/kubelet-rotated.kubeconfig --container-runtime-endpoint=unix:///var/run/crio/crio.sock --config=/tmp/kubelet.yaml > /tmp/kubelet.log 2>&1 &
kubelet_pid=$!
echo "Kubelet is running with pid ${kubelet_pid}"
kubectl delete pod dapi-test-pod --wait=true --timeout=40s
if [ $? -eq 0 ]
then
echo "Pod deleted successfully"
else
echo "Failed to delete pod"
exit -1
fi
doneThe job history looks clean too - https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-scale-performance |
|
Hmm, I take my previous comment back. It appears that the error condition is still a valid bug and reproducible. |
|
I was taking a look at reproducing and fixing this issue and wanted to post my findings. Basically what is happening is:
The problem is - we simply can't choose to skip adding volumes to DSOW if pod has deletionTimestamp, because that will result in volume never getting cleaned up. So fix proposed #96790 is not full proof. A real solution IMO is to add all pods+volumes in uncertain state during reconstruction, so as volumes can be removed from DSOW and volumes are still required to be cleaned up before pod can be terminated. @jsafrane has a PR that implements part of this solution - #108180 . I am looking in using it to fix this bug. |
|
/assign |
From #96038 (comment)
What happened:
In https://prow.k8s.io/view/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-scale-performance/1328563866136743936 one of the nodes (gce-scale-cluster-minion-group-bddx) restarted for some reason (some kernel panic).
The last kubelet log entry is at 08:13:05.362859 and the first one after restart is 08:15:40.361826.
In the meantime (at 08:13:17.496033), one of the pods (small-deployment-167-56c965c4cf-9pw8k) running on that kubelet has been deleted by generic-garbage-collector (i.e. deletionTimestamp has been set).
Kubelet after restart was never able to mark this pod as deleted (i.e. object has been never actually deleted).
What you expected to happen:
After kubelet's restart, the pod object will be deleted from etcd.
How to reproduce it (as minimally and precisely as possible):
Based on our logs, stopping kubelet for a while, deleting pod running on it and restarting kubelet should trigger this issue.
Potentially, it may be important that the pod was using configmap (that has been already deleted).
Anything else we need to know?:
Link to the test run: https://prow.k8s.io/view/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-scale-performance/1328563866136743936
Kubelet's logs: http://storage.googleapis.com/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-scale-performance/1328563866136743936/artifacts/gce-scale-cluster-minion-group-bddx/kubelet.log
Pod name: test-sk0eco-5/small-deployment-167-56c965c4cf-9pw8k
More logs (like all kube-apiserver's logs for that pod can be found here): #96038 (comment)
Environment:
kubectl version): v1.20.0-beta.1.663+147a120948482ecat /etc/os-release):uname -a):/cc @kubernetes/sig-node-bugs
The text was updated successfully, but these errors were encountered: