KEP-5647: Initial KEP for Stale Controller Detection

[michaelasp]

• One-line PR description: Add initial KEP for stale controller metrics

• Issue link: Stale Controller Detection and Mitigation #5647

• Other comments:

[michaelasp]

/cc @serathius

[serathius]

While staleness usually happens in scale, it's not exclusive to it. It's a consequence of building reconciliation on watch protocol which is an eventually consistent. There is not guarantee of how far behind the watch is, next event might arrive in a second, or in an hour. The problem is that currently don't have any way to measure it.

[michaelasp]

Makes sense, removing the section about scale and just generally talking about eventual consistency

[serathius]

I would expand this more, the problem of controller acting on outdated information, which in best cases can cause conflicts on writes increasing error rates or in worst case invalid behaviors like duplicating objects that overwhelmed control plane.

[michaelasp]

Done!

[serathius]

Let's expand the goals to be able to measure the staleness of controller reconcilation to allow administrators and controllers to take an action if a threshold is reached.

[serathius]

I don't think we should have just a KEP for a metric, when I suggested cutting scope to metrics I meant that it's a good first step and we can expand it.

[michaelasp]

Ack, added overall metrics and detection as two parts of the overall KEP.

[serathius]

Again, overloading is not the only cause staleness and increasing resources is not the only mitigation. I would skip describing a specific mitigation, just focus on being able to monitor and alert on the issue so an oncall can take an action.

[michaelasp]

Yep, just focused on staleness monitoring and mitigation

[serathius]

Not sure I understand the story. What user can do here?

[michaelasp]

Yeah removed this for now, too similar to the admin and there's not a great story.

[serathius]

Please add a story for a controller developer that wants to ensure reliable behavior of controller regardless of watch delay.

[serathius]

Don't think exact metric definition here is needed, the important parts are describing thresholds we want to detect and what sampling resolution (buckets) we need to detect it.

When working on kubernetes/kubernetes#123448 I used the following watch latency thresholds to distinquish state of watch:

• < 100ms - GREAT,
• <1s - GOOD
• < 10s - SLOW but acceptable for large clusters
• >10s - STALE

They might need to be adjusted for controllers reconciliation which is further in the stack, and use those values to decide how often we should sample RV and what metric buckers we should pick.

[michaelasp]

Added to the design section, we can iterate off that.

[serathius]

Risk: Measuring latency on watch requires knowing current RV in etcd, that means periodic polling of RV from apiserver. Making a LIST request every X seconds per each controller/resource is too much load.
Mitigation: Start with only pods for KCM controller as the most problematic one.

[serathius]

Maybe mention your KEP for comparing RV that now finally have a way to measure delay that is experienced by controllers.

[michaelasp]

Added to motivation.

[serathius]

When trying to address a open issue like this, it's good to structure the proposal in 3 themes: Prevent, Detect, Mitigate.

Preventing controller staleness issues would require performance improvements, that would be outside the scope of this KEP. So it would be good to discuss in Detect and Mitigate:

• Detect: Monitor controller reconciliation delay to allow administrators configure alerting and act when staleness appears. Solved by adding a metric
• Mitigate: Simplify controller resilience to staleness by preventing reconciliation on stale data. Here the idea proposed by @liggitt to not sync when actions from previous attempt were not not observed.

[serathius]

Idea for Prevent: use the metric to measure the latency in K8s scalability tests, define a thresholds to detect regressions and and define it as SLO for K8s project.

We don't need to design everything in detail for Alpha, just specify this a steps that are needed to address the issue comprehensively. Let's propose a plan that makes high level sense and tackle first step.

[serathius]

Don't understand which "first object" you mean?

[michaelasp]

Updated the description to be clearer, lmk if it makes more sense now.

[serathius]

Please structure the proposal in high level changes you want to do and only go to details when needed. For me there are 3 changes:

• Sample a RV from apiserver. A periodic loop that requests LIST on a resource to get current RV and store it in queue.
• Update the informer code to store latest RV.
• For set of controllers measure the latency by comparing RV returned by pod informer to RV sampled from apiserver.

[michaelasp]

Yeah essentially the same with my update, the prober samples the RVs on high churn resources and the informer updates it. Made it much higher level. Lmk what you think.

[serathius]

Think the KEP number should come from number of issue used for tracking progress across releases, not PR number. Please open enhancement tracking issue.

[serathius]

Status provisional is not enough start work on in the release. We could quickly merge it as provisional, but it would need another iteration to get it into "implementable".

[michaelasp]

Keeping it provisional, we have agreement that these initial fixes are not tied to the KEP.

[jpbetz]

Please add me as PRR review (in the requisite files) and I'll do a pass.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: michaelasp
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-api-machinery/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment