network: pass pod UID to ocicni when performing network operations #5026
Conversation
Codecov Report
@@ Coverage Diff @@
## master #5026 +/- ##
=======================================
Coverage 41.73% 41.74%
=======================================
Files 108 108
Lines 10157 10158 +1
=======================================
+ Hits 4239 4240 +1
Misses 5470 5470
Partials 448 448 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dcbw, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
@saschagrunert: Overrode contexts on behalf of saschagrunert: ci/prow/e2e-gcp DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
kata-jenkins failure is: which seems unrelated |
|
e2e-gcp failure is: Also seems like a flake. |
4a56951 to
efd50f2
Compare
|
Updated with tests in network.bats |
efd50f2 to
ef97723
Compare
To allow passing pod UID to plugins. Signed-off-by: Dan Williams <[email protected]>
This allows plugins to more correctly cancel long-running sandbox operations when the pod is deleted/re-created in the Kube API while the call is ongoing. Signed-off-by: Dan Williams <[email protected]>
ef97723 to
6e8d370
Compare
|
/retest |
|
@dcbw: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
weird this sounds like a kubelet bug. I would expect cri-o to fail to create a duplicate pod while the first request is ongoing, and synchronously wait on cni plugin, thus preventing duplicate calls. this change is fine to me, but I fear we're putting a bandaid on a bigger wound /override ci/prow/e2e-gcp |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/e2e-gcp DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@haircommander the scenarios are something like this: Scenario 1: pod recreated during sandbox wait
Now in this scenario, the plugin could create a pod watch for delete events. But that's not race-proof since the pod could be deleted + recreated between steps 2 and 3 (see scenario 2) and the sandbox would be for an old pod (and be subsequently torn down by kubelet at some point in the future). Pod UID allows the plugin to notice the pod instance it gets in (3) or (5) is different and exit early. Scenario 2: pod deleted during sandbox init
in this scenario, the CNI plugin gets the new pod instance, which is still wrong for this sandbox setup. Pod UUID immediately tells the plugin that its pod is gone and it can exit early. In all cases, kubelet will just tear the sandbox down anyway, and what we're trying to prevent is waiting longer than necessary before noticing that this sandbox is useless. I also tried a variant of this that asks the CRI for the sandbox metadata during the call, but that fails because ListPodSandbox only lists completed sandbox setups, not in-progress ones :( I suppose the real fix would be to allow a sandbox delete + CNI DEL while an existing add was going on, or a CANCEL operation that kubelet could execute to tell the CRI and plugins to stop the request. But that's a much longer arc to make happen (but it should happen, and at least on the CNI side we are working on that via gRPC). |
|
/cherry-pick release-1.22 |
|
@dcbw: new pull request could not be created: failed to create pull request against cri-o/cri-o#release-1.22 from head openshift-cherrypick-robot:cherry-pick-5026-to-release-1.22: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"No commits between cri-o:release-1.22 and openshift-cherrypick-robot:cherry-pick-5026-to-release-1.22"}],"documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"} DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-1.21 |
|
@dcbw: #5026 failed to apply on top of branch "release-1.21": DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
thanks for the explaination @dcbw , makes sense! |
Ongoing sandbox requests cannot be (or are not) canceled by kubelet, leading to a situation where short-lived pods (especially Kubernetes e2e tests for stateful sets) cause overlapping sandbox requests. If the CNI plugin needs to wait for network state to converge, it's pointless to wait for a sandbox who's pod has been deleted so the plugin should cancel the request and return to the runtime. However, it's impossible to do that race-free without the pod UID the sandbox was created for, since the there is a gap between when kubelet requests the sandbox creation and when the plugin gets the pod object from the apiserver when the pod could have been deleted and recreated, and the CNI plugin would retrieve information for the new pod, not the pod the sandbox was created for.
Passing the pod UID to the plugin allows the plugin to cancel the operation when the pod UID retrieved from the apiserver during plugin operation does not match the one the sandbox was created for.
@trozet @haircommander @mrunalp
/kind feature