Cilium can't handle pods massive creation on high scale Kubernetes cluster

[luanguimaraesla]

Bug reports

Title

On a Kubernetes cluster with 200+ nodes, Cilium can't handle the creation of 4000+ pods.

General Information

• Cilium version: v1.2.3
• Kernel version: Linux 4.14.67
• Orchestration system version in use: Kubernetes 1.10.7
• etcd version: 3.1.11

Cluster Configuration

	Instances	CPU per Instance	Memory per Instance
Masters	3	4	16GB
Nodes	200	8	15GB

How to reproduce the issue

1. Deploy a Kubernetes cluster with 3 master nodes and 200 worker nodes
2. Create 800 servers and 5200 clients making 10 requests per second each one.

Results

The following chart shows how does the cluster behave under this test scenario.

The gray line counts how many Ready nodes the cluster has. It is extremally unstable due metrics-server outages during the tests.

After reaching 3000 pods, the cluster starts to behave unexpectedly, with some pods dying, and the rate of pod creation declining until no more was created. 1500 pods were no longer created, and the cluster was practically unusable. Check this section of the chart above.

The most recurrent error was:

Warning   FailedCreatePodSandBox   kubelet, ip-172-151-106-95.ec2.internal    Failed create pod sandbox: rpc error: code = Unknown desc = NetworkPlugin cni failed to set up pod "ubuntu-curl-5b9f864c79-mtdj6_ubuntu-curl" network: add cmd: failed to assign an IP address to container

Also, we collected some resource usage metrics before metrics-server crashing. The blue, red and orange lines represent the master nodes.

CPU usage critically increased during the test, making the Kubernetes API unavailable. We believe that this behavior may be due to some misconfiguration, since performing the same test with two other CNI plugins, Calico and Amazon VPC, there was a big difference in the results.

	Calico	Amazon VPC	Cilium
Masters Max CPU usage	80%	80%	93%*
Masters Max Memory usage	25%	25%	28%*
Nodes Max CPU usage	14%	35%	43%*
Nodes Max Memory usage	14%	16%	16%*
Test duration	5 min	12 min	interrupted

* reported before metrics-server breaking

Do we have to make any specific configuration for a high scale cluster to work with a big number of pods and a high load networking traffic?

[tgraf]

@luanguimaraesla I'll write a longer response but the get things started: What PodCIDR configuration are you putting Kubernetes in? It seems that Cilium is running out of IP addresses to allocate.

[luanguimaraesla]

Thank you for your attention. The PodCIDR is 100.64.0.0/10.

[tgraf]

@luanguimaraesla Thanks for the quick response.

We suspect that frequent Pod annotations plus the updates to the CRD that mirrors each pod as performed by Cilium are the cause for the increased CPU usage in the apiserver which causes the breakage at +3K pods. We'll confirm this theory and provide a fix.

The increased CPU usage on the worker is caused by the BPF program generation right now. Cilium 1.3 will already bring some relief and the upcoming BPF templating will remove the need to compile programs entirely when pods are bootstrapped.

@luanguimaraesla Do you have Cilium and apiserver logs by any change? We would love to dig through them to confirm the above theories.

[luanguimaraesla]

Yes. I had to make another test to collect the logs. The files are attached.

cilium.zip

[luanguimaraesla]

The increased CPU usage on the worker is caused by the BPF program generation right now.

We also collected some data from the moment we instantiate 200 nodes. Knowing that the use of resources would increase in the workers during the generation of the BPF program, we thought that after the stabilization of the cluster, the use of CPU would normalize, which did not happen. Take a look at the following chart.

26% of CPU usage per node with no workloads running, except by the default ones, is too high for production nodes. So, why do you think the cluster still using too many resources? Could we normalize the resource usage after BPF program generation with any configuration?

The master nodes are more critical, perhaps the high CPU usage causes Kubernetes API outages and then the Cilium bad behavior, which we can see on the following error on cilium-node.

level=info msg="Updating CRD (CustomResourceDefinition)..." name=v2.CiliumEndpoint subsys=k8s
level=error msg="Unable to update CRD" error="Operation cannot be fulfilled on customresourcedefinitions.apiextensions.k8s.io \"ciliumendpoints.cilium.io\": the object has been modified; please apply your changes to the latest version and try again" name=v2.CiliumEndpoint subsys=k8s
level=fatal msg="Unable to establish connection to Kubernetes apiserver" error="Unable to create custom resource definition: Operation cannot be fulfilled on customresourcedefinitions.apiextensions.k8s.io \"ciliumendpoints.cilium.io\": the object has been modified; please apply your changes to the latest version and try again" subsys=daemon
level=fatal msg="Agent pipe unexpectedly closed, shutting down" subsys=cilium-node-monitor

Regards

[aanm]

@luanguimaraesla thanks for the given zip file, 2 of the cilium issues in that file will be fixed and backported to v1.2 with this PR #5926

[tgraf]

@luanguimaraesla Thanks for the excellent data. This is awesome. The data confirm the previous suspicion that this is not related to pod creation workload itself but to the interaction with the apiserver with respect to the CiliumEndpoint CRD. The log indicates over 200 interactions with the apiserver per second. We'll fix this right away.

[luanguimaraesla]

@tgraf @aanm Thank you guys for this excellent work. The --disable-endpoint-crd flag and the other fixes you quickly made resulted in a significant improvement in the results.

Now it is possible to see the CRD sync disabled.

level=warning msg="Not running controller. CEP CRD synchronization is disabled" containerID=cilium-loc controller="sync-to-k8s-ciliumendpoint (21530)" endpointID=21530 ipv4= ipv6= k8sPodName=/ policyRevision=2

This really caused an excessive load on Kubernetes API. Now we can see the CPU usage decrease after the BPF programs generation. Look at the following charts from this test.

We successfully reached almost 6500 running pods on 200 Kubernetes nodes. The temporary unavailability of the metrics-server is normal and also happened in the load-test with other technologies.

Here we can see the tendency to decrease the use of resources after creating all pods. I think it's still significantly high especially in the worker nodes, but this is a matter of future enhancements. I also collected again the cilium and apiserver logs for the comparison with the old logs.

cilium2.zip

Now, things are looking good. Thanks for all the work.