kube/controller: Prevent leaking stale endpoints #55171
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Skipping CI for Draft Pull Request. |
istio-testing
added
the
do-not-merge/work-in-progress
istio-policy-bot
added
area/networking
area/perf and scalability
feature/Multi-cluster
|
😊 Welcome @dwj300! This is either your first contribution to the Istio istio repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
istio-testing
added
the
size/M
|
/test all |
dwj300
force-pushed
the
dwj--stale-endpoints
branch
from
f508451 to
e3b0ba5
Compare
hzxuzhonghu
reviewed
Feb 19, 2025
hzxuzhonghu
reviewed
Feb 19, 2025
| @@ -148,8 +148,18 @@ func (pc *PodCache) onEvent(old, pod *v1.Pod, ev model.Event) error { | |||
| ip := pod.Status.PodIP | |||
| // PodIP will be empty when pod is just created, but before the IP is assigned | |||
| // via UpdateStatus. | |||
| // In the case of a pod being created, we should not add it to the cache until it is ready. | |||
| // However, if the pod *used to* have an IP, we do need to actually delete it. | |||
| if len(ip) == 0 { | |||
There was a problem hiding this comment.
IIUC, the ip is missing when being evicted. Then you can allow ip unset if this is a deletion event
There was a problem hiding this comment.
But the problem is that all the caches (podCache, and endpointShardz) are indexed by podIP, not pod name.
There was a problem hiding this comment.
Isn't there a map ipByPods map[types.NamespacedName]string
There was a problem hiding this comment.
Whatever this effect is same, but checking delete may reduce map quering
There was a problem hiding this comment.
Sorry, missed this! But yes, this PR checks in ipByPods, but even for "non deletions" (i.e. Failed), we need to check in the map. So we only do so if len(ip) == 0 already.
Change-Id: Ibe1264bfc48b4dee7e52964ad19cee9659631f1c
dwj300
force-pushed
the
dwj--stale-endpoints
branch
3 times, most recently
from
b92c37b to
adf530a
Compare
panchr
reviewed
Feb 19, 2025
dwj300
force-pushed
the
dwj--stale-endpoints
branch
from
adf530a to
71de47f
Compare
istio-testing
removed
the
do-not-merge/work-in-progress
dwj300
force-pushed
the
dwj--stale-endpoints
branch
from
71de47f to
14e3aa6
Compare
howardjohn
reviewed
Feb 19, 2025
| @@ -149,7 +149,14 @@ func (pc *PodCache) onEvent(old, pod *v1.Pod, ev model.Event) error { | |||
| // PodIP will be empty when pod is just created, but before the IP is assigned | |||
| // via UpdateStatus. | |||
| if len(ip) == 0 { | |||
| return nil | |||
| // However, in the case of an Eviction, the event that marks the pod as Failed may *also* have removed the IP. | |||
| // If the pod *used to* have an IP, then we need to actually delete it. | |||
There was a problem hiding this comment.
Talking to myself...
So the event may be "update" but then we hit deleteIP anyways due to shouldPodBeInEndpoints and translate to a delete.
deleteIP already handles the case of "IP was removed" since its a map of ip->[]pods.
We then fallthrough to notifyWorkloadHandlers, build an EP with no IP but WorkloadInstance is identified by name not IP. This looks good ✔️
dwj300
force-pushed
the
dwj--stale-endpoints
branch
from
14e3aa6 to
250ea78
Compare
Fixes istio#54997 Change-Id: I59d90f775d86821060588f446e4d50d77ab97921
dwj300
force-pushed
the
dwj--stale-endpoints
branch
from
250ea78 to
c3bfbc0
Compare
istio-testing
added
size/L
dwj300
added a commit
to airbnb/istio
that referenced
this pull request
Feb 20, 2025
Backported from istio#55171 * pod.go: unexport ipByPods * kube/controller: Prevent leaking stale endpoints Fixes istio#54997 Change-Id: If9d45d7563e9e94ec0bbd477dfb0f57e7608e9a9
dwj300
added
cherrypick/release-1.23
|
In response to a cherrypick label: #55171 failed to apply on top of branch "release-1.23": |
|
In response to a cherrypick label: new issue created for failed cherrypick: #55195 |
|
In response to a cherrypick label: #55171 failed to apply on top of branch "release-1.23": |
|
In response to a cherrypick label: new issue created for failed cherrypick: #55196 |
|
In response to a cherrypick label: #55171 failed to apply on top of branch "release-1.24": |
|
In response to a cherrypick label: new issue created for failed cherrypick: #55197 |
dwj300
added a commit
to airbnb/istio
that referenced
this pull request
Feb 20, 2025
* pod.go: unexport ipByPods Change-Id: Ibe1264bfc48b4dee7e52964ad19cee9659631f1c * kube/controller: Prevent leaking stale endpoints Fixes istio#54997 Change-Id: I59d90f775d86821060588f446e4d50d77ab97921
dwj300
added a commit
to airbnb/istio
that referenced
this pull request
Feb 20, 2025
Backported from istio#55171 * pod.go: unexport ipByPods * kube/controller: Prevent leaking stale endpoints Fixes istio#54997 Change-Id: If9d45d7563e9e94ec0bbd477dfb0f57e7608e9a9
dwj300
added a commit
to airbnb/istio
that referenced
this pull request
Feb 21, 2025
* pod.go: unexport ipByPods Change-Id: Ibe1264bfc48b4dee7e52964ad19cee9659631f1c * kube/controller: Prevent leaking stale endpoints Fixes istio#54997 Change-Id: I59d90f775d86821060588f446e4d50d77ab97921
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please provide a description of this PR:
When selecting pods via a ServiceEntry, there are times when the pod may not have an IP address:
The code today handles (1), however there exists a case when the IP is removed from the Pod in the same event that marks it with a terminal (Failed) status. Due to the cross-controller interaction (between the kube registry and serviceentry registry), the WorkloadInstance needs to have a valid IP, as the podCache and endpointShards are both keyed by address. This PR adds logic to fetch the oldIP from the ipByPods cache, and uses that when building the WorkloadInstance.
Fixes #54997