Marked this as release-blocker as at least some part of it seems like a correctness issue (i.e fluentd pods dying and getting recreated).
Note also that this is causing increased mem-usage with daemonset-controller (depicted here - #60500 (comment))

Thanks for filing this!

• Is the daemonset object continuously toggling b/w 2 states? (we know here that it's RV is increasing continuously)
• If yes, what field(s) in the object are changing? IIRC value of some label/annotation (I think 'UpdatedPodsScheduled') is changing (probably related to 2 below)

The only thing that was changing (apart from ds/fluentd-gcp status) was the resource version.

I modified fluentd scaler to use --dry-run in kubectl set resources to check whether there would be a change, but this still keeps on updating, even though there is no change. Apparently, the logic inside kubectl is broken...

Btw, addon manager sends tons of PATCH requests for all resources every minute anyway, so even though I will fix fluent-scaler not to send them, it won't solve everything.

Should this issue actually be closed? It was auto-closed by the bot, but nobody has confirmed that the actual issue is fixed.

I'll let @shyamjvs to confirm (looks like he'll be back on Monday)

/status in-progress

Yes, we should keep this issue open until we fully understand what's going wrong and fix the root-cause.
I believe much of the discussion wrt this is happening under related issue #61189.

Ok.. Seems like I missed Wojtek's comment above.

So I just checked the ds-controller code and it seems like we're updating the ds status only if this condition is being violated:

Which means one of those fields is probably mismatching. I'll try to add some logs and run the test at --v=4 to get more info.

This is the code that is supposed to protect us from situation that something must change when we write object to etcd (resource version is not stored in etcd):
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go#L325

So there should never be a situation that only resource version is changing. If it is, there is bug and need to be fixed. @liggitt - FYI

anything is possible, but we do have tests ensuring this works properly (no-op updates do not actually result in an update+resourceVersion bump in etcd): https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store_test.go#L674-L728

So I ran some 100-node experiments against #61472 with more debug logs and I think I now understand the reason for this. The controller-manager logs with the scaler and without the scaler mainly show the following difference:

I0321 14:26:34.315600       1 daemon_controller.go:986] Pods to delete for daemon set fluentd-gcp-v3.0.0: [fluentd-gcp-v3.0.0-j5vvh], deleting 1
I0321 14:27:26.218875       1 daemon_controller.go:986] Pods to delete for daemon set fluentd-gcp-v3.0.0: [fluentd-gcp-v3.0.0-jl74c], deleting 1
I0321 14:28:26.005293       1 daemon_controller.go:986] Pods to delete for daemon set fluentd-gcp-v3.0.0: [fluentd-gcp-v3.0.0-89dvm], deleting 1
I0321 14:29:24.596255       1 daemon_controller.go:986] Pods to delete for daemon set fluentd-gcp-v3.0.0: [fluentd-gcp-v3.0.0-l4qtp], deleting 1

This logs show-up when the scaler is active. And these pod deletions are happening as part of rolling-upgrade of daemonset to newer version (the one having resources set). You can see they're getting deleted one-by-one, which also explains why it takes so long (and so are happening even 30 mins after the cluster creation). And the reason why they're deleted one-by-one is because ds-controller has a rolling-upgrade strategy where maxUnavailable=1 by default. Proof:

I0321 15:29:42.284073       1 update.go:431]  DaemonSet kube-system/fluentd-gcp-v3.0.0, maxUnavailable: 1, numUnavailable: 0
I0321 15:29:43.490056       1 update.go:431]  DaemonSet kube-system/fluentd-gcp-v3.0.0, maxUnavailable: 1, numUnavailable: 1

And the increased mem-usage FMU is because of the rolling-upgrade performed by ds-controller (over the prolonged period) - as it's the only difference I observe from logs
Further, the reason why the RV was increasing was because of few fields 'NumUnavailable', 'NumAvailable', etc fluctuating while the rolling-upgrade

I spoke offline with @x13n and suggested that we should increase maxUnavailable for the fluentd daemonset to a large enough value so that we're not bottlenecked by it. My reasoning is:

• fluentd is not some user workload which will have some service downtime in case there are many unavailable at once
• fluentds on nodes are independent of each other (i.e one fluentd shouldn't need to wait for another node's fluentd to come up)
• we should try to make the scaling happen as fast as possible - otherwise it may be too late before they cope-up with increased log-load in the cluster

I'm going to make that change and test it against my PR (thanks @x13n for pointing that we can change maxUnavailable directly in ds config).

So increasing maxUnavailable indeed seems to help (ref: c-m logs):

I0322 12:18:37.297447       1 daemon_controller.go:986] Pods to delete for daemon set fluentd-gcp-v3.0.0: [fluentd-gcp-v3.0.0-6hvnl ... fluentd-gcp-v3.0.0-fcpwz], deleting 101

All the 101 replicas were deleted at once instead of one-by-one and happened pretty much within 2 mins of the original fluentd-ds seen by the controller:

I0322 12:16:49.538882       1 daemon_controller.go:164] Adding daemon set fluentd-gcp-v3.0.0

We should get that PR into 1.10.

Thanks for confirming this! Did increasing maxUnavailable also reduce c-m memory usage?

So the run was still over the threshold, but I was expecting it as I ran c-m with increased verbosity (which can cause that).
That said, I'll observe how the usages are once that PR gets in - and FMU it's still possible to have higher values due to the rolling-upgrade potentially happening during the test.

@shyamjvs Is there anything else to do here or should this be closed now?

So bumping maxUnavailable for fluentd rolling-upgrade in #61472 is causing couple of issues:

• Our latest 5k-node performance run failed as part of BeforeSuite where we're checking that ~all kube-system pods are running or ready. The reason is because quite some fluentd pods were killed as part of the rolling-upgrade and we timed out before all those pods could come up
• Our 100-node performance runs are flaking due to high CPU/mem-usage of c-m observed during density test, in cases when the fluentd upgrade happens during the test - which is kind of expected

So at this point, we might want to choose among one of the 2 options:

• Rollback Increase fluentd rolling-upgrade maxUnavailable to large value #61472, which comes at the cost of tradeoffs I explained in Increase fluentd rolling-upgrade maxUnavailable to large value #61472 (comment)
• Increase our CPU/mem thresholds to eliminate those flakes in 100-node job and increase the "max-allowed-not-ready-pods" in kube-system ns to a higher value, so that our 5k-node test doesn't fail in BeforeSuite

Thoughts?

TBH, I don't know why it was merged without waiting for opinions...

I really vote for reverting that.

Increase our CPU/mem thresholds to eliminate those flakes in 100-node job and increase the "max-allowed-not-ready-pods" in kube-system ns to a higher value, so that our 5k-node test doesn't fail in BeforeSuite

We don't want this - this may mean making cluster "not fully usable" from user perspective.Which is not really what we want to test.

SGTM. Let's revert it and increase our thresholds for the time-being. The discussion about changing fluentd rolling-upgrades can continue to happen in the background.

[MILESTONENOTIFIER] Milestone Issue Needs Approval

@shyamjvs @x13n @kubernetes/sig-instrumentation-misc

Action required: This issue must have the status/approved-for-milestone label applied by a SIG maintainer. If the label is not applied within 5 days, the issue will be moved out of the v1.11 milestone.

This issue is now fixed after my above PRs. We're having continuous green runs for the job