
Cilium failing after automatic reboot

Open mysticaltech opened this issue 2 years ago • 3 comments

Hi guys, great work implementing Cilium as a CNI option in this awesome project! 🙏 While testing out Cilium with this project I've noticed that after node reboots through e.g. kured many pods become unmanaged by Cilium and stop working correctly as a result. Would we want to set a Cilium specific taint per default when CNI = cilium as mentioned in the Cilium docs to prevent the aforementioned from happening? I'll have time to try out the mentioned taint later today or tomorrow and am happy to submit a short PR for you to review if everything works. Just wanted to reach out and give a heads up 👍 FYI: @mysticaltech , @phaer , @PurpleBooth

Originally posted by @t1murl in https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner/issues/258#issuecomment-1207372796

mysticaltech avatar Aug 08 '22 09:08 mysticaltech

Hi @mysticaltech, replying here - thanks for opening this issue! My week is unfortunately quite busy with my day job. I usually find time at the weekends, mostly Saturdays. I can therefore offer time on Saturday at the latest to fully analyze this - however, I had figured you'd want to address this earlier, hence the initial heads up.

The mechanism works as follows:

The cluster administrator places a specific taint (see below) on a given uninitialized node. Depending on the taint’s effect (see below), this prevents pods that don’t have a matching toleration from either being scheduled or altogether running on the node until the taint is removed.

Cilium runs on the node, initializes it and, once ready, removes the aforementioned taint.

From this point on, pods will start being scheduled and running on the node, having their networking managed by Cilium.

Taking this quote from the Cilium docs into consideration, I'd go about it like so (without having tried it):

  1. Taint all nodes with 'node.cilium.io/agent-not-ready=true:NoExecute' per default
  2. Bootstrap Cilium before anything else
  3. Wait for Cilium to remove the taint by looping over e.g. kubectl get nodes -o json | jq '.items[].spec.taints' and checking for the existence of the taint
  4. Deploy the remaining kustomizations

From quickly scanning through the way taints are applied through the k3s config, I suppose the taint is re-applied after a node reboot (which is a good thing) and should be removed again by Cilium once fully initialized, so the aforementioned steps should only be required for the first-time kustomization apply. This is something that would need to be tested thoroughly to avoid unwanted side effects.

I hope this helps and sorry for not being able to offer a contribution right away. (Would've been different if I would've started looking at this on Saturday 😞 )

t1murl avatar Aug 08 '22 11:08 t1murl
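To make the "wait for Cilium to remove the taint" step in the recipe above concrete, here is an added Python example; it is not code from this thread or from the terraform-hcloud-kube-hetzner project. It parses the JSON that kubectl get nodes -o json produces, lists the nodes still carrying the node.cilium.io/agent-not-ready taint, and polls until none remain or a deadline passes. The node names, the sample node documents and the simulated fetcher are constructed for the demo; kubectl_get_nodes assumes kubectl is on PATH with a working kubeconfig and is the only part that touches a real cluster.

```python
import json
import subprocess
import time
from typing import Callable, List, Optional

# Taint key that Cilium removes from a node once its agent is ready
# (the value/effect used on the page is true:NoExecute).
CILIUM_NOT_READY_TAINT = "node.cilium.io/agent-not-ready"


def nodes_with_taint(nodes_json: str, key: str = CILIUM_NOT_READY_TAINT) -> List[str]:
    """Return the names of nodes in a `kubectl get nodes -o json` document
    that still carry a taint with the given key.

    `spec.taints` is simply absent on untainted nodes (not an empty list),
    so it has to be read with a default instead of indexed directly.
    """
    doc = json.loads(nodes_json)
    tainted = []
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        taints = item.get("spec", {}).get("taints") or []
        if any(t.get("key") == key for t in taints):
            tainted.append(name)
    return tainted


def wait_for_taint_removal(
    fetch_nodes: Callable[[], str],
    key: str = CILIUM_NOT_READY_TAINT,
    timeout_s: float = 300.0,
    interval_s: float = 5.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> List[str]:
    """Poll `fetch_nodes` until no node carries `key`.

    Returns an empty list on success, or the names of the nodes that still
    had the taint when the deadline expired, so the caller can fail the
    bootstrap loudly instead of applying kustomizations onto unmanaged nodes.
    """
    deadline = clock() + timeout_s
    while True:
        remaining = nodes_with_taint(fetch_nodes(), key)
        if not remaining:
            return []
        if clock() >= deadline:
            return remaining
        sleep(interval_s)


def kubectl_get_nodes() -> str:
    """Real fetcher: shells out to kubectl (assumes kubectl on PATH and a
    usable kubeconfig). Not exercised by the constructed demo below."""
    return subprocess.run(
        ["kubectl", "get", "nodes", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout


# ---- constructed sample data (hypothetical node names) ----------------------
def _node(name: str, taints: Optional[list] = None) -> dict:
    spec = {} if taints is None else {"taints": taints}
    return {"metadata": {"name": name}, "spec": spec}


CILIUM_TAINT = {"key": CILIUM_NOT_READY_TAINT, "value": "true", "effect": "NoExecute"}
SAMPLE_TAINTED = json.dumps({"items": [
    _node("cp-0"),
    _node("agent-0", [CILIUM_TAINT]),
    _node("agent-1", [CILIUM_TAINT]),
]})
SAMPLE_READY = json.dumps({"items": [
    _node("cp-0"),
    _node("agent-0", []),
    _node("agent-1", []),
]})


def simulated_fetcher(polls_until_ready: int) -> Callable[[], str]:
    """Constructed stand-in for kubectl: reports the taint present for the
    first `polls_until_ready` polls, then reports it removed."""
    calls = {"n": 0}

    def fetch() -> str:
        calls["n"] += 1
        return SAMPLE_TAINTED if calls["n"] <= polls_until_ready else SAMPLE_READY

    return fetch


if __name__ == "__main__":
    print("tainted now:", nodes_with_taint(SAMPLE_TAINTED))
    left = wait_for_taint_removal(simulated_fetcher(2), sleep=lambda s: None)
    print("still tainted after wait:", left or "none, safe to apply kustomizations")
```

In a real bootstrap you would pass kubectl_get_nodes as the fetcher and treat a non-empty return value as a hard failure; the injectable sleep and clock exist so the polling logic can be tested without waiting on a cluster.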

This helps a bunch @t1murl, thanks a lot for taking the time to recap everything so clearly 🙏

mysticaltech avatar Aug 08 '22 12:08 mysticaltech

Folks, for transparency, I was too ambitious; I probably won't have the time for this for the next two weeks! 🥺 @t1murl, please don't hesitate; PR is more than welcome. I will check Github daily.

mysticaltech avatar Aug 10 '22 07:08 mysticaltech

Fixed in #288 and released in v1.4.6.

mysticaltech avatar Aug 29 '22 17:08 mysticaltech