Set reason and message on Pod during nodecontroller eviction

[foxish]

What this PR does / why we need it: Pods which are evicted by the nodecontroller due to network partition, or unresponsive kubelet should be differentiated from termination initiated by other sources. The reason/message are consumed by kubectl to provide a better summary using get/describe.

Which issue this PR fixes (optional, in fixes #<issue number>(, #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #35725

Release note:

Pods that are terminating due to eviction by the nodecontroller (typically due to unresponsive kubelet, or network partition) now surface in `kubectl get` output 
as being in state "Unknown", along with a longer description in `kubectl describe` output.

---

This change is

[foxish]

/cc @kubernetes/sig-apps @erictune @janetkuo

[soltysh]

One nit, otherwise LGTM.

[soltysh]

It would be nice to have a test case covering this method and that action.

[foxish]

@soltysh Added test

[smarterclayton]

This would block eviction. Do we want to do that?

[smarterclayton]

Maybe we should keep the error and return it after deletion. Alternatively we can just hope we'll retry here (will we retry?)

[foxish]

Yes, when we return false, we retry right away with 0 delay.

[foxish]

@smarterclayton I can't think of a scenario where the update fails when the delete could have proceeded. However, like you said, it would be more defensive to keep the error and not block the eviction, I'll go ahead and do that. At worst, it could lead to multiple delete calls due to the retry loop.

[soltysh]

LGTM

[foxish]

@smarterclayton Updated. PTAL.

[gmarek]

I you think that such 'best effort' behavior is better, then I'm not going to block this PR. I just think it may cause more harm than good, and it might be a cause of some red herrings when debugging NC issues (so whatever you do, just please at least add a retry loop).

[smarterclayton]

The retry loop is the evictor:

remaining, err := deletePods(nc.kubeClient, nc.recorder, value.Value,
nodeUid, nc.daemonSetStore)
if err != nil {
utilruntime.HandleError(fmt.Errorf("unable to evict node %q: %v",
value.Value, err))
return false, 0
}

​
If we fail with error, we retry with no additional delay.

[gmarek]

Oh, that one, yes. But this is actually bad - if we succeed in deleting then there's nothing to update in another round (e.g. if Node is not existing and Pod will be force deleted by PodGC).

[smarterclayton]

Good point. So either we force the loop to run again if we get a conflict,
or we don't worry about retry at all. I'd prefer the former - queue the
error, don't delete the pod, return all errors, expect to get run again,
then succeed again. For maximum safety, we could only do that for Conflict
errors, and in all other cases just continue to delete (i.e. if you don't
grant the node controller permission to update pod status then we should
still delete the pod.

So:

for pods {
...
if updateStatus(); err != nil {
if errors.IsConflict(err) {
updateErrs = append(updateErrs, err)
continue
}
utilruntime.HandleError("unable to update pod status to indicate
unreachable")
}
deletePod()
}
if len(updateErrs) > 0 {
return false, NewAggregate(updateErrs)
}

On Thu, Nov 3, 2016 at 11:30 AM, Marek Grabowski notifications@github.com
wrote:

Oh, that one, yes. But this is actually bad - if we succeed in deleting
then there's nothing to update in another round (e.g. if Node is not
existing and Pod will be force deleted by PodGC).

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#36017 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_p4FZ5Axm_-E0AT3Ta3WwiRtfXrjZks5q6f4pgaJpZM4Kmq7x
.

[foxish]

Is the concern that we wouldn't have updated status and deleted it too soon?

[gmarek]

I'm fine with @smarterclayton proposal.

[foxish]

@smarterclayton @gmarek Do we also want to cover other failure reasons. For example: ServerTimeout seems like something we should account for, and retry in addition to Conflict.

[smarterclayton]

The client should already retry those for you.

On Thu, Nov 3, 2016 at 3:34 PM, Anirudh Ramanathan <notifications@github.com

wrote:

@smarterclayton https://github.com/smarterclayton @gmarek
https://github.com/gmarek Do we also want to cover other failure
reasons. For example: ServerTimeout

kubernetes/pkg/api/unversioned/types.go

Line 227 in 25afcc5

StatusReasonServerTimeout StatusReason = "ServerTimeout"

seems like something we should account for, and retry in addition to
Conflict.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#36017 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_pw3XDa1GlVH1g35X1IyuDeLB6PBYks5q6jdQgaJpZM4Kmq7x
.

[foxish]

@smarterclayton SG. I've updated the PR with the special retry in case of update conflict.

[foxish]

Oops, there is an issue with it. Will push an update shortly.

[foxish]

@smarterclayton Updated. PTAL.

[smarterclayton]

/lgtm

[foxish]

Bumping priority to P2 as #34825 will need to be rebased afterwards.

[k8s-ci-robot]

Jenkins GCI GCE e2e failed for commit 6d7213d. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gce e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

[k8s-github-robot]

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

[foxish]

@k8s-bot gci gce e2e test this

[k8s-github-robot]

Automatic merge from submit-queue