OwnerReferences removal by Cilium Operator

Open IvanProdaiko94 opened this issue 3 months ago • 7 comments

What happened?

All of the commands below are executed on top of the cluster with cilium-operator running.

Creating a Pod:

kubectl apply -f ./tmp.yaml

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
  namespace: test
  labels:
    app: nginx
spec:
  containers:
    - name: nginx-container
      image: nginx:latest
      ports:
        - containerPort: 80

Creating a Service (knowing UID of the pod):

kubectl apply -f ./tmp_service.yaml

apiVersion: v1
kind: Service
metadata:
  name: nginx-loadbalancer-service
  namespace: test
  ownerReferences:
    - apiVersion: v1
      blockOwnerDeletion: true
      controller: true
      kind: Pod
      name: nginx-pod
      uid: ${uid}
spec:
  selector:
    app: nginx
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP

Execute:

kubectl get svc -n test -o yaml

One will end up with no ownerReferences in place.

If we do the same thing without cilium-operator running, the ownerReferences would be there.

Cilium Version

v.1.13.3

Kernel Version

Linux node-u2bnattm.data.stable.pndrs.de 4.18.0-425.3.1.el8.x86_64 #1 SMP Fri Sep 30 11:45:06 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

kubectl version

WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.15+rke2r1", GitCommit:"2c67202dc0bb96a7a837cbfb8d72e1f34dfc2808", GitTreeState:"clean", BuildDate:"2023-06-14T21:17:38Z", GoVersion:"go1.19.10 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}

Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.15+rke2r1", GitCommit:"2c67202dc0bb96a7a837cbfb8d72e1f34dfc2808", GitTreeState:"clean", BuildDate:"2023-06-14T21:17:38Z", GoVersion:"go1.19.10 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}

Regression

No response

Sysdump

No response

Relevant log output

No response

Anything else?

No response

IvanProdaiko94, May 03 '24 10:05
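
The check from the report above as a reusable script; this is an added example, not part of the original issue and not Cilium's code. It uses the object names from the issue's manifests, and the polling helper assumes the reference may be stripped some time after the Service is created rather than immediately.

```bash
#!/usr/bin/env bash
# Added example: verify that a Service still carries the ownerReference
# pointing at its Pod. Function names here are hypothetical helpers.

# Print the UIDs listed in an object's metadata.ownerReferences, one per line.
owner_uids() {  # usage: owner_uids <kind> <name> <namespace>
  kubectl get "$1" "$2" -n "$3" \
    -o jsonpath='{range .metadata.ownerReferences[*]}{.uid}{"\n"}{end}'
}

# Return 0 if the Service is still owned by the Pod, 1 if the reference is
# gone (or points at a different UID), 2 if the Pod UID cannot be read.
service_owned_by_pod() {  # usage: service_owned_by_pod <svc> <pod> <namespace>
  pod_uid=$(kubectl get pod "$2" -n "$3" -o jsonpath='{.metadata.uid}') || return 2
  [ -n "$pod_uid" ] || return 2
  # Compare by UID, not by name: a recreated Pod keeps its name but not its UID.
  owner_uids svc "$1" "$3" | grep -qxF "$pod_uid"
}

# Re-check <tries> times, <delay> seconds apart. Returns non-zero as soon as
# a check fails, so a reference removed after creation is still caught.
watch_ownership() {  # usage: watch_ownership <svc> <pod> <namespace> <tries> <delay>
  i=0
  while [ "$i" -lt "$4" ]; do
    service_owned_by_pod "$1" "$2" "$3" || return $?
    i=$((i + 1))
    sleep "$5"
  done
  return 0
}

# Example invocation against a live cluster (names from the issue):
#   watch_ownership nginx-loadbalancer-service nginx-pod test 12 5 \
#     || echo "ownerReferences were removed from the Service"
```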

Thanks for this issue @IvanProdaiko94, this is most likely associated with either the code that handles L2 announcements (and so handles LoadBalancer services) or the Ingress and Gateway code being aggressive in trimming ownerReferences. I've marked it for someone to take a look at.

youngnick, May 06 '24 04:05

@IvanProdaiko94 Have you tried this step in the latest version of Cilium? I seem unable to reproduce this issue in the latest version.

chaunceyjiang, May 07 '24 10:05

@chaunceyjiang it seems you're right

IvanProdaiko94, May 09 '24 08:05

@chaunceyjiang @youngnick So, folks, I checked 1.13.3, 1.14.10, and 1.15.4, and all of them remove ownerReferences. With 1.16.0-pre.2 running on the cluster, ownerReferences are not removed, but BGP is not assigning the IP for the LoadBalancer. I assume that if BGP did try to assign the IP, it would do the removal as well.

IvanProdaiko94, May 10 '24 13:05

> but BGP is not assigning the IP for the LoadBalancer. I assume that if BGP did try to assign the IP, it would do the removal as well.

I will try to reproduce it locally.

chaunceyjiang, May 13 '24 04:05