WIP: Support EndpointSlice in sdn and test handling terminating endpoints

[smarterclayton]

86ceaca (Clayton Coleman, 5 minutes ago)
DO NOT MERGE: Force EndpointSliceProxying on

bf1fd9b (Clayton Coleman, 12 minutes ago)
DO NOT MERGE: UPSTREAM: 97238: Handle terminating endpoints

This is a test cherry-pick based on the current vendor state containing
upstream 97238, which allows the proxier to handle terminating endpoints.
This is not sufficient by itself because we need to test endpoint slices,
but ensures the right code is in place.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: smarterclayton
To complete the pull request process, please assign rcarrillocruz after the PR has been reviewed.
You can assign the PR to them by writing /assign @rcarrillocruz in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[smarterclayton]

@Miciah this i where i'm testing it

[smarterclayton]

E0304 23:42:19.517393    2983 reflector.go:138] k8s.io/client-go@v0.18.6/tools/cache/reflector.go:167: Failed to watch *v1beta1.EndpointSlice: failed to list *v1beta1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:openshift-sdn:sdn" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope

openshift/cluster-network-operator#1003

[smarterclayton]

Panic from https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-gcp/1367709628095270912

E0305 06:11:58.595222   21469 runtime.go:78] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
goroutine 311 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x1c0e9c0, 0x2e01a50)
	k8s.io/apimachinery@v0.18.6/pkg/util/runtime/runtime.go:74 +0x95
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
	k8s.io/apimachinery@v0.18.6/pkg/util/runtime/runtime.go:48 +0x89
panic(0x1c0e9c0, 0x2e01a50)
	runtime/panic.go:969 +0x1b9
k8s.io/kubernetes/pkg/proxy.(*EndpointSliceCache).updatePending(0x0, 0xc0006e1000, 0x0, 0xc000608200)
	k8s.io/kubernetes@v1.20.0-rc.0/pkg/proxy/endpointslicecache.go:167 +0x22d
k8s.io/kubernetes/pkg/proxy.(*EndpointChangeTracker).EndpointSliceUpdate(0xc000437f80, 0xc0006e1000, 0x0, 0xc000520600)
	k8s.io/kubernetes@v1.20.0-rc.0/pkg/proxy/endpoints.go:260 +0x29f
k8s.io/kubernetes/pkg/proxy/iptables.(*Proxier).OnEndpointSliceAdd(0xc000873c80, 0xc0006e1000)
	k8s.io/kubernetes@v1.20.0-rc.0/pkg/proxy/iptables/proxier.go:628 +0x3d
github.com/openshift/sdn/pkg/network/proxyimpl/hybrid.(*HybridProxier).OnEndpointSliceAdd(0xc0006073b0, 0xc0006e1000)
	github.com/openshift/sdn/pkg/network/proxyimpl/hybrid/proxy.go:268 +0x522
github.com/openshift/sdn/pkg/network/proxy.(*OsdnProxy).OnEndpointSliceAdd(0xc0007d0360, 0xc0006e1000)
	github.com/openshift/sdn/pkg/network/proxy/proxy.go:332 +0x142
k8s.io/kubernetes/pkg/proxy/config.(*EndpointSliceConfig).handleAddEndpointSlice(0xc00050f120, 0x1e79cc0, 0xc0006e1000)
	k8s.io/kubernetes@v1.20.0-rc.0/pkg/proxy/config/config.go:244 +0x13b
k8s.io/client-go/tools/cache.ResourceEventHandlerFuncs.OnAdd(...)
	k8s.io/client-go@v0.18.6/tools/cache/controller.go:231

EDIT: Feature gate enablement was in wrong place

[smarterclayton]

https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-gcp/1367988272344600576

clean install it looks like

[smarterclayton]

well, test went green except for an unidling test (i may have broken it just because of the use of the slice for annotations instead of endpoints). will kick some upgrade jobs and see how it plays out as well as a network stress test

[smarterclayton]

Ok, got one run of e2e two runs of upgrade with endpoint slices on, but the termination gate off, and behavior was similar to endpoints except for the idling bug. Now testing with termination gate on in https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1368251013236002816 as an upgrade and https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws/1368251449502339072 as an e2e

[openshift-ci]

@smarterclayton: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/verify-deps	c686cc0	link	/test verify-deps
ci/prow/e2e-gcp	c686cc0	link	/test e2e-gcp
ci/prow/e2e-aws	c686cc0	link	/test e2e-aws
ci/prow/e2e-aws-upgrade	c686cc0	link	/test e2e-aws-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[smarterclayton]

Passes on those (for the factors that matter) without EndpointSliceTerminating set on the server side (so we're safe to roll this out first to Kube-proxy).

[aojea]

I'm not familiar at all with the sdn/proxy implementation, maybe this information is redundant, but can be multiple slices for the same service, and each slice can have duplicate endpoints, kube-proxy uses a cache
https://github.com/kubernetes/kubernetes/blob/2bcbc527a760106ec89647fcf6852f37c804f4ed/pkg/proxy/endpointslicecache.go#L43-L49

[aojea]

the limit of endpoints per slice is 100, so if you have more than 100 endpoints, let's say 110 for service X you'll receive two slices Y1 and Y2, maybe with 100 and 10 endpoints each

[smarterclayton]

We really should have an e2e test in upstream that creates a service with > 100 endpoints then to exercise this. Is there one you know of I can crib?

[smarterclayton]

Actually, for idling, wondering whether we even need to support > three or four endpoints. The only time the user space proxy should be in play is on an idle service which has no endpoints.

[aojea]

her we even need to support > three or four endpoints.

as I said, I'm not familiar with this code, just raising some points that I think may be taking into consideration, if that is the case, it seems we should't worry about this

We really should have an e2e test in upstream that creates a service with > 100 endpoints

this is well tested upstream

[danwinship]

The unidling proxy can just ignore the endpointslices and work with the endpoints like it always did. Endpoints objects always contain the full set of endpoints, even in cases where the EndpointSlice controller would start splitting things up; it just means that code working with the Endpoints objects doesn't get the efficiency wins that code working with the EndpointSlice objects would get.

[danwinship]

Idling is broken because this flips us to only using EndpointSlice, but the userspace proxy (which is used by idling) doesn't support EndpointSlice.

[danwinship]

You need to revert 12b21f8 from #227.
(That will result in EndpointSlice and EndpointSliceProxying being enabled since they're enabled by default.) For EndpointSliceTerminatingCondition we should eventually handle that like other feature gates, but CNO doesn't watch the FeatureGate resource yet (https://issues.redhat.com/browse/SDN-1325).

[danwinship]

oh, wait, no, Aniket already reverted that a while back; we'll need to revert the relevant part of openshift/cluster-network-operator#905

[danwinship]

The HybridProxier can't no-op Endpoints handling; it has to pass EndpointSlice events down to the iptables proxier and Endpoints events to the userspace proxier. And since OsdnProxy acts as a filter on top of HybridProxier, it needs to also pass both sets of events down to the proxier it's wrapping.

[smarterclayton]

I updated userspace proxier to use EndpointSlice, I thought we were already going to have to switch to use Service instead of Endpoints for idling.

[smarterclayton]

Oops, I see what you mean. Why wasn't userspace proxier updated? Just no one signed up for it?

[danwinship]

Why wasn't userspace proxier updated? Just no one signed up for it?

Upstream doesn't care about the userspace proxier any more (Tim would probably have already deleted it if OCP wasn't using it for unidling) and Red Hat had thought we weren't going to have to use EndpointSlice in openshift-sdn, so we didn't care about updating it either.

At any rate, I think we don't actually need to update userspace to use EndpointSlice; we just need to make HybridProxier and OsdnProxy pass both endpoint events and endpointslice events down to their wrapper proxiers, and then eventually the iptables proxy will act on the endpointslice events and the userspace proxy will act on the endpoint events.

[danwinship]

FYI #296 is a more complete EndpointSlice PR

[openshift-ci]

@smarterclayton: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[danwinship]

/close
sdn now uses EndpointSlices, and is rebased to 1.22-rc.0, which has 97238

[openshift-ci]

@danwinship: Closed this PR.

In response to this:

/close
sdn now uses EndpointSlices, and is rebased to 1.22-rc.0, which has 97238

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.