Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add readiness & liveness probes to kube-proxy #75323

Closed
wants to merge 1 commit into from
Closed

Add readiness & liveness probes to kube-proxy #75323

wants to merge 1 commit into from

Conversation

stafot
Copy link
Contributor

@stafot stafot commented Mar 13, 2019
edited

Possible mitigation of #75189

What type of PR is this?

/kind bug

What this PR does / why we need it:
Add readiness & liveness probes to kube-proxy daemonset example.
Which issue(s) this PR fixes:

Fixes #75189

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kube-proxy: Adds readiness and liveness probes.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 13, 2019
@k8s-ci-robot
Copy link
Contributor

Hi @stafot. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stafot
Copy link
Contributor Author

stafot commented Mar 13, 2019

/sig aws
/sig network

@k8s-ci-robot k8s-ci-robot added sig/aws sig/network Categorizes an issue or PR as relevant to SIG Network. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 13, 2019
@MrHohn
Copy link
Member

MrHohn commented Mar 13, 2019

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 13, 2019
@MrHohn
Copy link
Member

MrHohn commented Mar 13, 2019
edited

A previous attempt was #50118. Now give it another thought and it seems totally reasonable to have liveness/readiness probes on kube-proxy.

Would be great to add this change to below as well for consistency:

@kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-network-pr-reviews

@MrHohn
Copy link
Member

MrHohn commented Mar 13, 2019

One problem though is that in case of kube-apiserver being not available (e.g. during master upgrade). kube-proxy may become unhealthy and gets restarted, even if that won't help.

@stafot
Copy link
Contributor Author

stafot commented Mar 13, 2019

Thanks for the information. I 'll update accordingly. For master upgrade, this failure can cause any harm? I believe not, but if yes and is blocking issue let me know.

@stafot stafot force-pushed the kube_proxy_ds_healthprobes branch from 3a426fe to 22d586b Compare March 13, 2019 20:30
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. area/kubeadm and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 13, 2019
@stafot
Copy link
Contributor Author

stafot commented Mar 14, 2019

/assign @jingax10 @luxas

neolit123
neolit123 reviewed Mar 14, 2019
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stafot
please add a release note that explains the change in one sentence instead of NONE.
also we are in code freeze until "code thaw" in 1.14 https://github.com/kubernetes/sig-release/tree/master/releases/release-1.14

/priority backlog
/assign @timothysc
@kubernetes/sig-cluster-lifecycle-pr-reviews

@danwinship
Copy link
Contributor

do we need a KEP?

@dims dims removed their assignment Apr 29, 2020
airshipbot pushed a commit to airshipit/promenade that referenced this pull request May 28, 2020
@philsphicas
kube-proxy: use HTTP probes instead of exec
354deab 
The existing liveness and readiness probes for kube-proxy are in need of
adjustment. The current implementation is exec-based, which can be a
resource concern, and is tied heavily to iptables, so is incompatible
with ipvs.

This change removes the exec-based liveness and readiness probes from
the kube-proxy daemonset, and replaces them with HTTP probes of the
healthz endpoint, following the direction that kubernetes seems to be
taking.[0][1]

The values.yaml interface to enable and disable the probes and set various
parameters is also modified to use the helm-toolkit standard snippet.[2]
Notably, the settings previously configurable under livenessProbe.config
are now under pod.probes.proxy.proxy.liveness.params.

0: kubernetes/kubernetes#81630
1: kubernetes/kubernetes#75323
2: https://opendev.org/openstack/openstack-helm-infra/src/branch/master/helm-toolkit/templates/snippets/_kubernetes_probes.tpl

Change-Id: I99ccbc2270a1f8a204417aa410868d04788dc60f
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 28, 2020
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 27, 2020
@zouyee
Copy link
Member

zouyee commented Aug 28, 2020

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Aug 28, 2020
@cmluciano
Copy link

Do you think this is something that we should continue to pursue @MrHohn ?

@MrHohn
Copy link
Member

MrHohn commented Nov 10, 2020

Sorry for the delay. As @danwinship mentioned this probably needs a KEP to go forward due to the complication.

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 8, 2021
@thockin
Copy link
Member

thockin commented Feb 19, 2021

Hi all,

This PR is very old - what do we want to do with it? It seems reasonable to to have a healthz handler and to use it. The handler for kube-proxy has undergone some changes and as I look at it now, it seems reasonable or even too weak. I don't think it will trigger if the apiserver is down (though maybe it should). I also don't think it will trigger if there's a chronic failure to sync rules (e.g. iptables error).

Do we want to revive this?

SergeyKanzhelev
SergeyKanzhelev reviewed Feb 19, 2021
View reviewed changes
cluster/addons/kube-proxy/kube-proxy-ds.yaml
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 2
readinessProbe:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any need for readinessProbe matching livenessProbe exactly?

@aojea
Copy link
Member

aojea commented Feb 19, 2021
edited

Do we want to revive this?

I don't have clear what problems is solving this, at least is not my understanding from the bug referenced in the description.
so,if in 5 years or more, kube-proxy was running without probes and we didn't have any issue because of this ... is it worth to add a possibility to restart or declare as not ready, the component that configure the services, and that almost all the pods use to reach the internal apiserver endpoints?

@neolit123
Copy link
Member

neolit123 commented Feb 19, 2021
edited

as mentioned by @MrHohn here:
#75323 (comment)
#75323 (comment)
this change has seen a complication and may need a KEP.

if that's no longer the case, i'd defer to him whether we want to proceed merging this PR.

we should note that the original issue was closed without sufficient information why exactly we want to apply probes to kube-proxy:
#75189 (comment)

thus far i have not seen other requests about this.

unless someone objects, i propose that we close this PR ~ mid-next week.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MrHohn, ohbus, stafot, timothysc
To complete the pull request process, please assign neolit123 after the PR has been reviewed.
You can assign the PR to them by writing /assign @neolit123 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 4, 2021
@neolit123
Copy link
Member

closing until a KEP is written for this change.
thanks for the discussion.

/close

@k8s-ci-robot
Copy link
Contributor

@neolit123: Closed this PR.

In response to this:

closing until a KEP is written for this change.
thanks for the discussion.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@xinfengliu xinfengliu mentioned this pull request Sep 27, 2021
Closed
@SataQiu
Copy link
Member

SataQiu commented Aug 15, 2022

So is it safe to add readiness probe only for now? Readiness does not trigger Pod restart, but it is a good indicator of Pod health. It can help identify potential problems about kube-proxy faster.
cc @neolit123

@neolit123
Copy link
Member

@SataQiu not sure. readiness should be fine, but i think we should keep the kubeadm / kubeup kubeproxy addons in sync for better test coverage.

@SataQiu SataQiu mentioned this pull request Aug 15, 2022
Closed
@aojea aojea mentioned this pull request Feb 8, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

@detiber detiber detiber left review comments

@MrHohn MrHohn MrHohn left review comments

@SergeyKanzhelev SergeyKanzhelev SergeyKanzhelev left review comments

@timothysc timothysc timothysc approved these changes

@ohbus ohbus ohbus approved these changes

@bowei bowei Awaiting requested review from bowei

@SataQiu SataQiu Awaiting requested review from SataQiu

Assignees

@neolit123 neolit123

@bowei bowei

@luxas luxas

@MrHohn MrHohn

@jingax10 jingax10

Labels
area/kubeadm area/provider/aws Issues or PRs related to aws provider area/provider/gcp Issues or PRs related to gcp provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/backlog Higher priority than priority/awaiting-more-evidence. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/network Categorizes an issue or PR as relevant to SIG Network. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

kube-proxy related dns errors