Graceful deletion of a VirtualMachineInstance

[nunnatsa]

When a host node is deleted, the guest VMIs are evicted, killing the
running tenant node in this VMI.

This PR gracefully delete the VMI, by first drain the guest node. Only
if the drain successful, CAPK will delete the VMI.

The PR is based on a feature in KubeVirt, where by setting the eviction
strategy to "external" KubeVirt will not delete the VMI, but will set
the vmi.Status.EvacuationNodeName field to signal to the external
controller (CAPK in this case) that the VMI should be evicted.

Known Issues

• does not support external clusters (CAPK depends on KubeVirt running on the management cluster #100)

Signed-off-by: Nahshon Unna-Tsameret nunnatsa@redhat.com

Release notes:

Added graceful eviction of a VMI

[coveralls]

Pull Request Test Coverage Report for Build 2785024320

• 119 of 174 (68.39%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+1.8%) to 51.311%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
controllers/vmi_eviction_controller.go	119	174	68.39%

Totals
Change from base Build 2776254636:	1.8%
Covered Lines:	939
Relevant Lines:	1830

---

💛 - Coveralls

[davidvossel]

great start!

I left a few comments in line and have one kind of higher level comment.

We need a drain timeout, where if a drain doesn't complete after x minutes (regardless of how many times drain is retried), we delete the VMI regardless. This timeout is meant to ensure that we won't block the removal of a VMI indefinitely when a infra node is being drained.

[davidvossel]

In addition to the nodeName != "" check here, we should also have EvictionStrategy == External.

This is kind of a forward looking check that ensures in the future we only attempt to drain nodes that aren't live migratable.

[davidvossel]

I think it would make sense to wrap this section in a if vmi.DeletionTimestamp == nil and only delete if the VMI is not already marked for deletion.

[nirarg]

Agree, can be validated even before calling to drainNode

[davidvossel]

if we check for the DeletionTimestamp, we shouldn't have to qualify what error occurred here. We also shouldn't need the RequeueAfter.

[nirarg]

I think need to give more meaningful name to this file, something like 'vmievacuation_controller.go

[nirarg]

Why there should be cases returning nodeDrained=false instead of just returning the error?

[nunnatsa]

Why there should be cases returning nodeDrained=false instead of just returning the error?

Because for most cases (but not all of them), we don't want to retry. returning error with the result will cause retry. The calling function can't know which error to return with the result and which error to ignore.

[nirarg]

Agree, can be validated even before calling to drainNode

[davidvossel]

great stuff, i left one comment in line.

Have you thought about how to e2e test this?

[davidvossel]

we need a global timeout for drain as well. Something that ensures we eventually give up attempting to drain and delete the VMI after x minutes. 10 minutes would likely be a pretty conservative number to use.

[davidvossel]

an annotation on the VMI could be used to track when the drain begins. The timeout could be anchored to the start time recorded in the annotatino.

[nunnatsa]

/ok-to-test

[davidvossel]

it's okay for eviction to fail, this is what we check for in the kubevirt e2e test that exercises similar behavior

			err = virtClient.CoreV1().Pods(vmi.Namespace).EvictV1beta1(context.Background(), &policyv1beta1.Eviction{ObjectMeta: metav1.ObjectMeta{Name: pod.Name}})
			// The "too many requests" err is what get's returned when an
			// eviction would invalidate a pdb. This is what we want to see here.
			Expect(errors.IsTooManyRequests(err)).To(BeTrue())

https://github.com/kubevirt/kubevirt/blob/835683a546d123774c99787c55aa6cdf28d5fabd/tests/vmi_lifecycle_test.go#L227

[davidvossel]

I found it confusing to declare a value for this vmiUID and then have it immediately overwritten 3 lines down.

[davidvossel]

to be accurate, we're looking for a specific error here, Expect(errors.IsTooManyRequests(err)).To(BeTrue()).

[davidvossel]

Since we have a controller that is deleting a VMI when evacuation node name is set, I think you should put a finalizer on the vmi in order to reliably observe EvacuationNodeName. otherwise it's possible the VMI could disappear before we see it in the functional test.

[davidvossel]

i think it would make sense to move this to a helper function

[davidvossel]

The drain can block indefinitely due to the way this logic is structured. The timeout needs to be checked either regardless if the drainNode() function returns an error or before drainNode is even called. If the global timeout occurs, the VMI should be deleted.

We don't want anything within the guest cluster to indefinitely block an infra cluster node from being drained.

[davidvossel]

/lgtm
/approve

excellent work 👍

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidvossel, nunnatsa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [davidvossel,nunnatsa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment