CAInjector entering crashloop with "timed out waiting for cache to be synced"

[dhumphries-sainsburys]

Describe the bug:

Since upgrading to 1.15.0 we seem to be having problems with CAInjector entering a crashloop state on some of our EKS clusters. The actual error appears to be a timeout listing resources but we cannot see any long running or error'd calls to the control plane that matches this from an EKS perspective. It also appears it uses more memory since the upgrade as we also had this pod OOMing a lot since the upgrade but that is entirely a secondary issue.

cert-manager-cainjector-dfd4bd499-p2x48.log

Expected behaviour:
Pod not be crashing

Steps to reproduce the bug:

• EKS 1.30 running bottlerocket
• Install cert manager 1.15.0
  Not sure exactly as it is inconsistent for us. We currently have 2/12 clusters impacted with this and the only notable thing with these two clusters are that they are the biggest 2 we have so best guess it is load related so here is a dump of stats for the smallest of the 2 in case it helps (feel free to request others i'm just dumping info based off of what i have seen cause issues on other issues)
• 70 m5d.8xlarge nodes
• 2558 running pods
• 151 CRDs
• 19952 secrets

Anything else we need to know?:

Environment details::

• Kubernetes version: 1.30
• Cloud-provider/provisioner: AWS EKS 1.30
• cert-manager version: 1.15.0
• Install method: helm

/kind bug

[wallrj]

xref:

• Cert-manager causes API server panic on clusters with more than 20000 secrets.  #3748

[dhumphries-sainsburys]

We've had a third cluster start exhibiting this behaviour. If the linked issue is the cause/same issue here then it will be of interest to point out that this new cluster only has 12975 secrets well below the 20,000 that allegedly causes problems

[wallrj]

@dhumphries-sainsburys Here's a draft response:

---

Why does cainjector sometimes crash when it starts up?

When it starts up cainjector performs a time limited operation, to populate an in-memory cache of Secret resources.
This involves an API request to list all the Secrets in all namespaces.
The cainjector will crash on startup, if:

• the API server fails to respond, or
• the response is too slow or
• the API server responds with an error, or
• it takes too long to process the response.

Workarounds

1. Configure cainjector to only read Secrets in the cert-manager namespace.
2. Reduce the number of Secrets in your cluster.
3. Reduce the total size of the Secrets in your cluster.
4. Remove or increase the CPU limit of the cainjector Deployment.
5. Increase the CPU and memory resources of your Kubernetes API server.

Possible Solutions

1. Use the WatchList feature in cainector when it becomes stable.
2. Add support for restricting the secrets watch list in cainjector.
3. Use a metadata-only cache in cainjector, which should speed up the initial sync of all Secrets and avoid overloading the API server.
4. Allow users to increase the CacheSyncTimeout

📖 Read Memory consumption reduction which goes into some detail about what we have been thinking about to solve problems like this.

Why does cainjector read Secrets?

When the cert-manager webhook starts up, it generates a CA certificate and puts it in a Secret in the cert-manager namespace.
The cainjector is responsible for copying that CA certificate into the cert-manager ValidatingWebhookConfiguration and MutatingWebhookConfiguration,
so that the K8S API server can verify its TLS connection to the cert-manager webhook server.

ℹ️ If you have some other way of injecting the webhook CA certificate into the ValidatingWebhookConfiguration and MutatingWebhookConfiguration then you could omit the cainjector..

Read Injecting CA data from a Secret resource.

Read Example: Installing a operator featuring webhooks with OLM for an example of an alternative mechanism for setting up the CA certificate for a webhook, where cainjector would not be necessary.

Why does cainjector need Secret resources in all namespaces?

It doesn't!
You can configure cainjector to only access Secrets in the cert-manager namespace
and this is the first thing you should try.

The default configuration of cainjector is to list, watch and cache all Secrets in all namespaces,
because when cainjector was first written, the client-go Informer API used by cainjector,
did not allow you to limit the cache to specific namespaces.
That restriction has now been removed, but in the interests of backwards compatibility, the default has remained the same.

Learn how to reduce the memory consumption of cainjector by configuring it to only watch resources in the cert-manager namespace.

⚠️ Other operators in your cluster may be relying on cainjector to inject CA certificates for their webhooks, in which case cainjector will need to read Secrets in all namespaces.

What is the cache sync time limit?

2 Minutes.
That is the default CachSyncTimeout defined by the controller-runtime module.
cainjector does not currently allow you to override the default.

ℹ️ Read the controller-runtime source code where the default CacheSyncTimeout is set.

// CacheSyncTimeout refers to the time limit set to wait for syncing caches.
// Defaults to 2 minutes if not set.

Why might the API server respond slowly or fail to respond?

The initial request to list all Secret resources can be a very expensive operation for the Kubernetes API server,
if your cluster contains a large number Secrets and especially if the Secret resources contain large files.

The API server may consume large amounts CPU, Memory and network resources and the response may take a long time to be sent.
Depending on how the API server is configured, the API server may abort the request.
If the API server has too few resources, the API server may crash.

Check your API server logs and metrics for signs that the API server is overloaded.

Why might cainjector be slow to process the response?

If the cainjector CPU limit is too low, it may not have sufficient CPU time to process the large response to the initial Secret list.

Why does cainjector request all the Secrets from the K8S API server when it starts up?

To populate its in-memory cache.
If you increase the logging verbosity to 6, you will see the following requests in the logs:

GET /api/v1/secrets?limit=500&resourceVersion=0
GET /api/v1/secrets?allowWatchBookmarks=true&resourceVersion=1360&timeoutSeconds=493&watch=true

The first request is a List request, which returns all the Secret resources, to populate the cache.
The second request is a Watch request, which streams all changes to all Secrets in the cluster, so that cainjector can keep its cache up-to-date.

ℹ️ This list-then-watch logic is provided by the Kubernetes Go client library.
The API is called a Reflector and is located in the k8s.io/client-go/tools/cache package.
See https://kubernetes.io/docs/reference/using-api/api-concepts/#efficient-detection-of-changes

ℹ️ The limit=500 parameter is actually ignored when resourceVersion=0.
This is a known contradiction and cause of confusion.
See kubernetes/kubernetes#102672

Why does cainjector need to cache Secret resources in-memory?

To reduce the number of API requests to the K8S API server and to reduce the load on the K8S API server.
This is a standard pattern in Kubernetes controllers and most Go controllers use the K8S client-go module for this.

📖 Read https://pkg.go.dev/k8s.io/client-go@v0.30.2/tools/cache

[wallrj]

@dhumphries-sainsburys
A pre-release is now available containing the fix for this issue. Please test and feedback if you have time.

• https://github.com/cert-manager/cert-manager/releases/tag/v1.16.0-alpha.0

[wallrj]

A beta-release is now available which contains the fix for this issue. Please test and feedback if you have time.

• https://github.com/cert-manager/cert-manager/releases/tag/v1.16.0-beta.0