ingress-nginx
ingress-nginx copied to clipboard
kubernetes
Controller: Correctly identify other pods on shutdown.
What this PR does / why we need it:
- #11087 is a serious footgun: if a user upgrades the helm chart version in-place, or adds pod labels (either via the helm chart or some other mechanism), ingress-nginx may shutdown an ingress even though there are other ingress-nginx pods running and serving traffic.
- The root cause of #11087 is that ingress-nginx re-uses the set of pod labels on the terminating pod to find other pods belonging to the same controller group. This is a bug, since there are cases where we expect the set of labels on the terminating pod to differ from the labels on other pods belonging to the same controller group (for example, during an in-place helm upgrade, the chart version label will be different on old vs. new pods).
- ingress-nginx already has an appropriate primitive to track the pods belonging to the same controller group:
electionID. We expect a pod to tear down an ingress iff all pods with the same electionID have gone away (i.e. meaning there will be no future successful master election).
Types of changes
- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] CVE Report (Scanner found CVE and adding report)
- [X] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Documentation only
This is a breaking change in two respects:
- I would argue all helm chart upgrades are currently breaking changes because of #11087. This is dangerous for users until resolved.
- The PR enables this new behavior by default. I don't believe this is a breaking change for users, but would like other eyes to validate my assumption.
Which issue/s this PR fixes
- fixes #1877[^1]
- fixes #4774[^1]
- fixes #7047[^1]
- fixes #11087
How Has This Been Tested?
- I have added unit tests to the
helm chartto validate the new label is defined. - I have added unit tests to the
status.gocomponent to validate the pod finding behavior.
Checklist:
- [X] My change requires a change to the documentation.
- [X] I have updated the documentation accordingly.
- [X] I've read the CONTRIBUTION guide
- [X] I have added unit and/or e2e tests to cover my changes.
- [X] All new and existing tests passed.
[^1]: See: https://github.com/kubernetes/ingress-nginx/issues/11087#issuecomment-2712118775
Deploy Preview for kubernetes-ingress-nginx canceled.
| Name | Link |
|---|---|
| Latest commit | eba4c5bc1541096ec2cb36ddac165398bd7e6c97 |
| Latest deploy log | https://app.netlify.com/projects/kubernetes-ingress-nginx/deploys/686592069063380008b2da20 |
![netlify[bot] avatar](https://avatars.githubusercontent.com/in/13473?v=4 "Published by a pub.dev verified publisher"){kind=small}
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: DerekTBrown Once this PR has been reviewed and has the lgtm label, please assign strongjz for approval. For more information see the Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
Welcome @DerekTBrown!
It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.
You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.
You can also check if kubernetes/ingress-nginx has its own contribution guidelines.
You may want to refer to our testing guide if you run into trouble with your tests not passing.
If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!
Thank you, and welcome to Kubernetes. :smiley:
Hi @DerekTBrown. Thanks for your PR.
I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
What we are looking for here is basically a way to determine all the other pods targeted by either the Deployment or the DaemonSet, right? Why don't we hand in the selector labels used in the matchLabels property to the controller? I know this is not available from the pod details, but could be handed in as an argument. Because in some cases people want leader election to be disabled but still have features working which rely on identifying other pods, right?
Reviewing the code once again, I'm asking myself if the whole stuff in status.go is even called if there's not leader election. As in: The whole mess we currently have is around the status not being updated correctly on shutdown. For correctly updating the status on shutdown, the controller needs to have write access and only one controller pod should do that at the same time, so there needs to be a leader.
Reviewing the code once again, I'm asking myself if the whole stuff in
status.gois even called if there's not leader election. As in: The whole mess we currently have is around the status not being updated correctly on shutdown. For correctly updating the status on shutdown, the controller needs to have write access and only one controller pod should do that at the same time, so there needs to be a leader.
As I understand it, status.go's primary purpose is to sync the ingress-nginx pod IP back to the ingress resource:
https://github.com/kubernetes/ingress-nginx/blob/eba4c5bc1541096ec2cb36ddac165398bd7e6c97/internal/ingress/status/status.go#L83-L89
I think we still need to do this even if we have a single pod / leader election disabled, since on initial ingress creation, the user will see the ingress go from having no IPs to having a single pod IP as a result of this function.
However, I agree we probably should have a separate abstraction for whether a given ingress-nginx pod is a leader. If leader-election is disabled, the pod should just assume its a leader.
What we are looking for here is basically a way to determine all the other pods targeted by either the Deployment or the DaemonSet, right? Why don't we hand in the selector labels used in the
matchLabelsproperty to the controller? I know this is not available from the pod details, but could be handed in as an argument. Because in some cases people want leader election to be disabled but still have features working which rely on identifying other pods, right?
If leader election is disabled, the user needs to prevent multiple concurrent ingress-nginxes from running concurrently, otherwise concurrent modifications can happen. I thus assume the user is running only a single pod.
The existing + new logic works correctly under this assumption; no pods have the same election id, so on shutdown it treats itself as the last remaining pod.
PR needs rebase.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.