Please don't add "retest-not-required" in such large PRs

Jenkins unit/integration failed for commit f8991c1. Full PR test history.

The magic incantation to run this job again is @k8s-bot unit test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

This generally LGTM - but please fix tests as the failure is related.

Test fixed.

@Kargakis Are you ok with merging this PR?

@Kargakis Are you ok with merging this PR?

At its current form, what you have is not going to work. There are two issues at play: 1) you need the eviction REST to increment pdb.Generation every time it updates the status of the PDB but 2) Generation is supposed to be incremented ONLY on spec changes so you essentially change its meaning. I am proposing a separate set of fields (EvictionGeneration / EvictionObservedGeneration) that will be specific to the Eviction update. I think @bgrant0607 has proposed somewhere that every component that updates an object and wants to observe its update, should have it's own generation/observedGeneration pair.

Ref #7328 (comment)

Honestly i don't understand why exactly it won't work. Object version (along with the policy) should guarantee that no two pdb status updates occur at the same time, because the second one would have an incorrect version. This is a Compare-And-Swap type of operation.

Any extra field/pair of fields that is required to be handled by both apiserver and controller on every update would basically mean a full round trip from APIserver to controller and back and would make PDB really slow.

should guarantee that no two pdb status updates occur at the same time

This should already be fixed in master (the eviction REST is not setting rv to zero so it never does an unconditional update for a PDB). You still don't guarantee that what the eviction REST sees at a given point in time for a PDB (specifically pdb.status.PodDisruptionsAllowed) is true iow. observed by the PDB controller.

Yes, there is no guarantee that what eviction handler sees is true because a change could occur just a second ago and is not yet noticed by PDB controller. The question is whether for perfect status setting by the controller would eviction handlers behave properly - in a sense that no unallowed disruption is made. I think that this PR makes it possible.

Yes, there is no guarantee that what eviction handler sees is true because a change could occur just a second ago and is not yet noticed by PDB controller.

Assuming all pod deletions go through eviction, generation/observedGeneration guarantees that what eviciton sees is true. If a change (meaning eviction) occurs, pdb.{status,spec}.evictionGeneration is incremented and the next eviction will need to wait for pdb.status.observedEvictionGeneration to match the new pdb.status.evictionGeneration. I can't think of any other way to synchronize the api server and the pdb controller.

The question is whether for perfect status setting by the controller would eviction handlers behave properly - in a sense that no unallowed disruption is made. I think that this PR makes it possible.

I am not sure of the additional value at this point.

1. Eviction subresource doesn't update unconditionally anyway.
2. pdb.Generation will always be 1 as the code is. The pdb.Generation != pdb.Status.ObservedGeneration will always be false once the controller notices the PDB for the first time.

@Kargakis When I'm talking about version I'm not referring to generation or observed generation but resource version that is inside of every object and which is increased by Etcd on every update that happens on the object.
So the scenario is like that:

1. You create a new pdb. PDB is in ResourceVersion 1.
2. PDB Controller checks the pods, updates pdb, ETCD checks if version is still 1 and sets ResourceVersion to 2.
3. The client tries to evict pod X. The Eviction handler gets the current version of PDB (2) checks if the eviction is allowed, updates allowedDisruptions, DisruptedPodMap and updates PDB. ETCD checks if the current ResourceVersion is 2 and updates ResourceVersion to 3.
4. PDB Controller gets notification about PDB change, checks the pods, updates the status and ETCD bumps ResourceVersion to 4.
5. Two parallel evictions occur.
   5A) First gets PDB in ResourceVersion 4. Checks whether the eviction is possible. It is allowed so the handler tries to update ETCD.
   5B) Second gets PDB in ResourceVersion 4. Checks whether the eviction is possible. It is allowed so the handler tries to update ETCD.

6A) ETCD receives the update. Checks what is the current version 4. Accepts the update and bumps version to 5. The corresponding pod is deleted.
6B) ETCD receives the update. The update is for version 4. The current version is 5. The update is rejected. A retry is needed. The pod is NOT deleted.

7B) Handler gets PDB in version 5. Checks whether the eviction is possible. It is not. The negative response is returned to the client.
8B) After a while PDB controller gets PDB and updates the number of allowed disruptions.

Observed Generation is only needed to ensure that the new/updated spec was noticed by the controller.

I would suggest to have @bgrant0607 or @lavalamp review this. I thought the idea of generation was that the PDB controller should set observed generation == current generation (TBH I don't remember how current generation is represented in general -- is it just the resource version on the controller?) when its status reflects the effects of its spec. So for example it prevents you from using Status.PodDisruptionsAllowed right after you change MinAvailable or Selector, until Status.PodDisruptionsAllowed reflects the new value of MinAvailable or Selector. That doesn't seem to be what you're doing here. But I admit I may be misunderstanding the observed generation stuff.

@davidopp
This is exactly what what is being done here. I introduce observed generation to ensure that status was created against the current spec. At the same time I set the registry policy to only accept updates if the version based on which the update was made matches to the current version in etcd. That ensures that parallel eviction executions don't use the same allowed disruption.

1. You create a new pdb. PDB is in ResourceVersion 1.
2. PDB Controller checks the pods, updates pdb, ETCD checks if version is still 1 and sets ResourceVersion to 2.
3. The client tries to evict pod X. The Eviction handler gets the current version of PDB (2) checks if the eviction is allowed, updates allowedDisruptions, DisruptedPodMap and updates PDB. ETCD checks if the current ResourceVersion is 2 and updates ResourceVersion to 3.
4. PDB Controller gets notification about PDB change, checks the pods, updates the status and ETCD bumps ResourceVersion to 4.
5. Two parallel evictions occur.
   5A) First gets PDB in ResourceVersion 4. Checks whether the eviction is possible. It is allowed so the handler tries to update ETCD.
   5B) Second gets PDB in ResourceVersion 4. Checks whether the eviction is possible. It is allowed so the handler tries to update ETCD.
   6A) ETCD receives the update. Checks what is the current version 4. Accepts the update and bumps version to 5. The corresponding pod is deleted.
   6B) ETCD receives the update. The update is for version 4. The current version is 5. The update is rejected. A retry is needed. The pod is NOT deleted.

This should already happen in master because in order to do an unconditional update you need also to pass a zero rv but the eviction REST does a normal (conditional) update.

I would suggest to have @bgrant0607 or @lavalamp review this. I thought the idea of generation was that the PDB controller should set observed generation == current generation (TBH I don't remember how current generation is represented in general -- is it just the resource version on the controller?) when its status reflects the effects of its spec. So for example it prevents you from using Status.PodDisruptionsAllowed right after you change MinAvailable or Selector, until Status.PodDisruptionsAllowed reflects the new value of MinAvailable or Selector. That doesn't seem to be what you're doing here. But I admit I may be misunderstanding the observed generation stuff.

Yes, this already happens in this PR. It doesn't fix #35324 though because the eviction REST cannot be sure about PodDisruptionsAllowed at any given point (spec updates to the PDB are not going to happen often anyway). I imagine that requiring from eviction to wait for every prior eviction to be observed by the controller will be really slow. We could potentially allow an amount of deviation (for example proceed with the eviction if evictionGeneration <= evictionObservedGeneration + minAvailable)

Could you please describe a scenario when PodDisruptionsAllowed is incorrect?

Unless all deletes go through the eviction REST, PodDisruptionsAllowed may end up out of sync easily because the PDB controller is using caches and it may lag behind (even a lot in some corner cases).

Example:

1. PDB selects 10 pods owned by rs/foo, minAvailable is 5, PodDisruptionsAllowed is 5.
2. rs/foo is scaled down to 5, PodDisruptionsAllowed will stay as 5 and the eviction REST will be able to evict pods until the PDB controller observes the rs update.

PodDisruptionBudget will not stay at 5 because PDB update is triggered also on pod status change.
See: https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/disruption/disruption.go#L117
https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/disruption/disruption.go#L356

Yes, for a brief moment PDB status will not be accurate but you have no way to prevent it.

PodDisruptionBudget will not stay at 5 because PDB update is triggered also on pod status change.

That's the part where I am talking about the caches the PDB controller is using. Replica set and pod caches are going to have a ton of objects so eventually they will start lagging.

What is the plan with the eviction api? I know it has already been added in kubectl drain. Is there any plan to switch controller managers like the replica set controller to use it too?

I guess that eventually everything will go through eviction handler. Until then there is absolutely no possibility for pdb controller to have super-current status, no matter how many extra fields we add there.

Right now we try to guarantee that if eviction handler is not bypassed (direct pod deletions, node crashes, etc) then PDB works as intended.

Ok, observedGeneration/generation changes in this PR LGTM.

Applying LGTM label as LGTM was given from both @wojtek-t and @Kargakis.

@davidopp I will ask @lavalamp to take a look at this PR as soon as he gets back to the office next week. We will do a follow-up fix if he finds something suspicious.

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

Automatic merge from submit-queue