apiserver: terminate watch with rate limiting during shutdown

[tkashem]

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #111886 (it addresses termination of active watches during shutdown)

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[tkashem]

/ok-to-test

[tkashem]

/cc @wojtek-t @marseel

[wojtek-t]

@tkashem - I think this is achieving roughly the same thing as: #113546

If so - I think I would prefer Marcel`s one as this is more consistent with our existing shutdown sequence, no?

[wojtek-t]

/hold

[wojtek-t]

Or actually wait - you're not storing additional info here, so that is more efficient in terms of memory. Let me take a deeper look.

[wojtek-t]

@tkashem I have a feeling that it should be possible to do that more consistently with the current support for short-running requests.

Currently we have WithWaitGroup that is waiting for short-running requests. And only that is a signal for further steps of graceful shutdown. I think that we should be consistent with that for long-running.

So what I would try is to:

• plumb to exact same place (just introduce a second SafeWaitGroup for long-running requests
• expose a channel of IsShuttingDown() from the SafeWaitGroup that will trigger exactly this code path
• introduce the late-limiter into this SafeWaitGroup and change here to sth like:

  s.AcquireToken()`
  return

[The above suggests that it shouldn't be SafeWaitGroup but a new type being a wrapper around it.]

Now - you additionally don't need to pass the ServerTerminationWindow across the codebase - all you need is to add that to the context in the WithWaitGroup filter.

So finally, this probably no longer belongs to WithWaitGroup, it should be a separate filter doing that.

I think that would be cleaner both than this PR and than @marseel PR...

@tkashem @marseel
thoughts?

[wojtek-t]

I think it would make sense to POC that anyway - I would love to try it, though I probably won't get to it for at least next two weeks...

[tkashem]

all you need is to add that to the context in the WithWaitGroup filter.

This sounds good to me, i wired the context

plumb to exact same place (just introduce a second SafeWaitGroup for long-running requests

do we need to keep track of the active watches? currently all active watches return at the same moment when net/http server closes, I thought the goal was to make sure these active watches return with a rate limiter or random sleep.

I think it would make sense to POC that anyway - I would love to try it, though I probably won't get to it for at least next two weeks...

I am happy to tackle it, if you and @marseel think this approach is in the right direction

[wojtek-t]

do we need to keep track of the active watches? currently all active watches return at the same moment when net/http server closes, I thought the goal was to make sure these active watches return with a rate limiter or random sleep.

Yes - the goal is to rate-limit them.
But if there are very few watches and I'm setting a window of say 1m (I expect setting around this number to be most common), I don't want to wait 1m, but rather shut them down quicker, because that would be safe.

So while i don't need to know the exact watches, I need to know their number to know when they are done.

I am happy to tackle it, if you and @marseel think this approach is in the right direction

I'm not 100% convinced because I'm not sure if we won't find something unexpected in the code that would make this harder. But we also won't know until we POC it.

[marseel]

But if there are very few watches and I'm setting a window of say 1m (I expect setting around this number to be most common), I don't want to wait 1m, but rather shut them down quicker, because that would be safe.

Yea, I think it makes sense. We could just rate limit to max(some constant like 100, #watches/timeout) QPS.

I am happy to tackle it, if you and Marcel Zięba think this approach is in the right direction

I personally like your approach more than mine :). Once we have working POC I can run some scale tests to see if everything works as expected on large scale.

[wojtek-t]

I personally like your approach more than mine :). Once we have working POC I can run some scale tests to see if everything works as expected on large scale.

I think due to the fact of not maintaining a single cache of all connections I like it more too. And by addressing my comments, I think we can make it even cleaner, I hope.

So yes - if you have some time Abu, if you could POC it, it would be great !

[tkashem]

Thanks @wojtek-t @marseel

Yes, I am going to work on it, I am also going to add active watch requests to the graceful termination unit tests we have and and make sure it works as expected. Once the new unit tests pass you can test it at scale.

[sttts]

out of curiosity, why is this global?

[sttts]

Or even just set nil as the shutdown channel. Nil blocks on select.

[tkashem]

yeah, i don't thin we need it, i removed it, thanks

[sttts]

nit: ServerShuttingDownCh

[tkashem]

fixed

[sttts]

what does "maximum" mean here? Is there another grace period that might overrule this?

[tkashem]

i updated the comments, let me know if it's more clear now

[sttts]

what's written on the envelop? What's the oneliner of intuition here?

[tkashem]

comment fixed

[sttts]

nit: // much smaller than normal 30s grace period for other non-long running requests

[tkashem]

we just need to enable watch draining here, so any positive value is fine here, added a comment

[sttts]

few nits. Sgtm overall.

[tkashem]

@sttts I addressed the feedback, please take a look when you have a moment

[wojtek-t]

This looks great.
I was chatting with Stefan in the morning and he confirmed that all of his comments where nits.

So I'm going ahead and tagging it so merge it as soon as possible to get some reasonable soak time.
If needed, we can always adjust things in a follow up if he will consider that the comment updates (which is the only potentially unresolved thing) requires further tweaking.

/lgtm
/approve

/hold cancel

/priority important-soon

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 380cd25e56fe248241b3bbb2d9b8e67f732d3f68

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tkashem, wojtek-t

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiserver/OWNERS [wojtek-t]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tkashem]

I had to fix a failing unit test from my rename operation, this is the diff:

--- a/staging/src/k8s.io/apiserver/pkg/endpoints/watch_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/watch_test.go
@@ -647,9 +647,8 @@ func TestWatchHTTPErrors(t *testing.T) {
                Encoder:         newCodec,
                EmbeddedEncoder: newCodec,
 
-               Fixup:                func(obj runtime.Object) runtime.Object { return obj },
-               TimeoutFactory:       &fakeTimeoutFactory{timeoutCh, done},
-               ServerShuttingdownCh: make(chan struct{}),
+               Fixup:          func(obj runtime.Object) runtime.Object { return obj },
+               TimeoutFactory: &fakeTimeoutFactory{timeoutCh, done},
        }

[wojtek-t]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 7bd7e81c1b315de3226b196b358a6a7842a5212e