Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubelet: CAdvisor sometimes injects old Pod metrics from an old namespaces #85852

Closed
wants to merge 2 commits into from
Closed

kubelet: CAdvisor sometimes injects old Pod metrics from an old namespaces #85852

wants to merge 2 commits into from

Conversation

rphillips
Copy link
Member

What type of PR is this?
/kind bug

What this PR does / why we need it:
The CAdvisor stats backend has a bug where it does not reflect pods terminating in an initial namespace and then being created in a new namespace. This is due to cinfoID.podRef.UID being used within the map key {PodName, PodNamespace, PodUID}. This tuple for the map key will erroneously inject a newly created pod in a different runtime namespace (UID) and the terminated pod in the initial namespace into the list causing duplicate metrics to be returned.

Which issue(s) this PR fixes:
500 errors in /metrics endpoint
https://bugzilla.redhat.com/show_bug.cgi?id=1748073

Special notes for your reviewer:
/cc @kubernetes/sig-node-pr-reviews
/cc @Random-Liu @derekwaynecarr @sjenning

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 3, 2019
@rphillips rphillips changed the title Fixes/duplicate pods in different namespaces CAdvisor duplicate Pod metrics in different namespaces Dec 3, 2019
derekwaynecarr
derekwaynecarr reviewed Dec 3, 2019
View reviewed changes
pkg/kubelet/stats/cadvisor_stats_provider.go
@@ -317,6 +317,8 @@ func removeTerminatedContainerInfo(containerInfo map[string]cadvisorapiv2.Contai
podRef: buildPodRef(cinfo.Spec.Labels),
containerName: kubetypes.GetContainerName(cinfo.Spec.Labels),
}
// Clear the UID since the container can be created in a new namespace.
cinfoID.podRef.UID = ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so buildPodRef will have set the podRef.UID , we then strip it, wont every result in infos in ListPodCPUAndMemoryStats have an empty UID?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

which if i look at this code, makes me think the pod ref in pod stats will always have an empty uid.

Copy link
Member Author

@rphillips rphillips Dec 3, 2019
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is ok since removeTerminatedContainerInfo only sets up the slice to iterate around. This line iterates around the active containers, and initializes podToStats which contains the correct UID to the container namespace.

kubernetes/pkg/kubelet/stats/cadvisor_stats_provider.go

Line 93 in c677061

for key, cinfo := range infos {

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah ok, i missed that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah missed that! thanks for clarifiying.

@rphillips rphillips changed the title CAdvisor duplicate Pod metrics in different namespaces kubelet: CAdvisor sometimes injects old Pod metrics from an old namespaces Dec 3, 2019
@sjenning
Copy link
Contributor

sjenning commented Dec 3, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 3, 2019
@derekwaynecarr
Copy link
Member

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, rphillips

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 3, 2019
@sjenning
Copy link
Contributor

sjenning commented Dec 3, 2019

fyi @dashpole

@rphillips rphillips mentioned this pull request Dec 3, 2019
Closed
@dashpole
Copy link
Contributor

dashpole commented Dec 3, 2019

Why does creating a container in a new runtime namespace change the pod UID?

@rphillips
Copy link
Member Author

rphillips commented Dec 3, 2019
edited

@dashpole that isn't the pod uid... it is the container namespace UID.

@rphillips
Copy link
Member Author

Same logic that is in the cri stats provider:

kubernetes/pkg/kubelet/stats/cri_stats_provider.go

Line 712 in c677061

// UID is intentionally left empty.

@dashpole
Copy link
Contributor

dashpole commented Dec 3, 2019

@rphillips I can't seem to figure out why that would be the case... I sshed into a node in a running cluster, and verified with docker inspect that the label io.kubernetes.pod.uid contains the pod UID. When we create container labels in kuberuntime, we use pod.UID for that label, and we are retrieving labels using GetPodUID, which inspects that same label. In what case would it contain the namespace UID?

/hold
Bear with me while we figure this out.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 3, 2019
@rphillips
Copy link
Member Author

No problem. Looking into this.

note: we are running crio.

@rphillips rphillips closed this Dec 6, 2019
@rphillips rphillips mentioned this pull request Dec 6, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derekwaynecarr derekwaynecarr derekwaynecarr left review comments

@Random-Liu Random-Liu Awaiting requested review from Random-Liu

@sjenning sjenning Awaiting requested review from sjenning

Assignees

@sjenning sjenning

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@rphillips @sjenning @derekwaynecarr @k8s-ci-robot @dashpole