Apiserver lease garbage collector

[roycaihw]

Implements KEP. Split off from #95222.

Does this PR introduce a user-facing change?:

kube-apiserver now deletes expired kube-apiserver Lease objects:
- The feature is under feature gate `APIServerIdentity`.
- A flag is added to kube-apiserver: `identity-lease-garbage-collection-check-period-seconds`

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/1965-kube-apiserver-identity/README.md

/sig api-machinery
/assign @caesarxuchao

[fejta-bot]

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

[fedebongio]

/triage accepted

[lavalamp]

Actually, even in that case. I don't think the identity system should have external-to-apiserver dependencies.

[roycaihw]

It only manages apiserver leases. The reason for running the GC in KCM was that nothing in KAS today runs leader election-- but that's totally achievable.

Leases of apiservers other than KAS:

1. aggregated server: aggregated servers always require KAS to exist
2. extensions server: extensions server running standalone is a non-goal, and it won't work with KCM today. If we ever want to do that, it would be a beta/GA requirement.

I like the idea that identity system should have external-to-apiserver dependencies. I will update the PR to do that.

[roycaihw]

nothing in KAS today runs leader election

Actually I won't add leader election to KAS. This GC has no retry logic, since all it does is a few GET and DELETE every hour. Adding leader election to KAS will cost more leader election traffic.

[lavalamp]

Yeah we shouldn't need leader election for this, it is (or should be) safe to be run multiple times concurrently.

[caesarxuchao]

Do we need to resync?

[roycaihw]

no. Changed to 0

[caesarxuchao]

The informer has already filtered with the labelselector, do you need the selector here?

[roycaihw]

removed the selector and added test cases to make sure we don't GC leases that we don't intend to manage

[caesarxuchao]

Is there any component other than this GC expected to delete a lease? If not, let's log a warning.

[roycaihw]

multiple GC controllers can delete the lease simultaneously. Added comments

[caesarxuchao]

Can we move them to a common package?

[roycaihw]

made both the label selector and the namespace parameters to the gc controller. I think this way better reflects what the controller is capable of-- it operates on Leases in one namespace with a specific label set. Not saying we will make the code public/reusable, but we could if we want in future.

[spiffxp]

possible github issue, please link if you run into this on other PR's kubernetes/test-infra#19910

[roycaihw]

@spiffxp Got it. Thanks

[lavalamp]

Does this need to be separate from IdentityLeaseDurationSeconds?

[roycaihw]

good point. If we know all leases have the same duration (which is the case here), there is no point to configure the check period differently. Reverted

the knob made sense when/if:

1. the controller lived in KCM-- not true anymore
2. we want the controller to manage leases from aggregated servers (with different duration)-- the more I think about it, aggregated servers shouldn't rely on this GC controller:
   a. they don't need heartbeat-based identity at all-- downward API plus owner reference is more efficient
   b. if they really want, they can start a similar GC controller that operates their leases in a user namespace

[roycaihw]

(just adding some thoughts why we don't need a separate flag) another benefit of having this flag is to make the GC more responsive-- the controller deletes a lease if the apiserver failed to refresh its lease in:

• (leaseDuration, leaseDuration+checkPeriod] seconds

instead of (without the flag)

• (leaseDuration, 2*leaseDuration] seconds

but that is not our goal. We prefer that expired Leases remain for a longer duration as opposed to collecting them quickly. That's why we choice a super long leaseDuration by default (1h, compared with 10s renewInterval). If people want to GC leases sooner after an apiserver is not active, they should start with shortening the leaseDuration. Having a separate flag for this level of control seems like an overkill for an alpha feature.

[lavalamp]

It's probably not needed to call IsNotFound twice :)

[roycaihw]

now I see why @caesarxuchao asks me to break the long lines.. this is what happens :)

[lavalamp]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lavalamp, roycaihw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/controlplane/OWNERS [lavalamp]
• test/OWNERS [lavalamp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[caesarxuchao]

One nit. Otherwise lgtm.

/lgtm

[caesarxuchao]

nit: can you state this could be the case if it's an HA-master? Also state that we don't expect other components to delete the lease?

[caesarxuchao]

Can you add a klog.V(4)?

[roycaihw]

done. Also squashed the commits

[caesarxuchao]

/lgtm