CNI: keep cni config on shutdown; taint instead, queue deletions

[squeed]

This change is made up of several commits, which build on each other. It fixes a wart with how CNI, Containerd, and Dockershim interact, and prevents some possible outage scenarios.

Ultimately, I'd like to make much of this less necessary with an improved CNI STATUS verb, but that will take some time to roll out across the ecosystem.

Asynchronous CNI delete

The CNI plugin now queues DEL for later submission, rather than failing. It tries to connect to the agent socket, and if that fails, it will write a file in /run/cilium with the pod's details. When the agent starts up, it will read that queue and process all pending deletes.

This fixes #22067, where an end-user found themselves with an unrecoverable cluster. Cilium got descheduled but their node was at its pod limit. They couldn't start any pods, and they couldn't delete any pods without Cilium running. Not good.

Taint the node when Cilium is shut down

On nodes where Cilium is scheduled, if it is not running, taint the node with NoSchedule. This will prevent new pods from being scheduled there. This has two goals:

1. Minimize ignorable errors from pods failing to start because Cilium can't handle a CNI ADD
2. Minimize pods being started with a non-Cilium network provider

Preserve CNI configuration

Lastly, we no longer delete the CNI configuration file when stopping the agent. This has several important effects:

• the node no longer goes NotReady, so it won't be removed from cloud LB backends just because cilium is being upgraded. This prevents unneeded churn.
• CNI DEL will still succeed, so pods can always be cleaned up
• No chance of pods being started with a different CNI provider

The Cilium operator now taints nodes where Cilium is scheduled to run but is not running. 
This prevents pods from being scheduled on nodes without Cilium.
The CNI configuration file is no longer removed on agent shutdown. 
This means that pod deletion will always succeed; previously it would fail if Cilium was down for an upgrade.
This should help prevent nodes accidentally entering an unmanageable state.
It also means that nodes are not removed from cloud LoadBalancer backends during Cilium upgrades.

Fixes: #22067.

[squeed]

/test

Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed:

Click to show.

Test Name

K8sDatapathConfig MonitorAggregation Checks that monitor aggregation restricts notifications

Failure Output

FAIL: Found 1 k8s-app=cilium logs matching list of errors that must be investigated:

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.24-kernel-5.4 so I can create one.

[squeed]

Test failures are either known flakes, or unlikely to be caused by this:

• l4lb XDP doesn't use CNI at all
• TestGetIdentity/Duplicated_identity is a known flake
• MonitorAggregation didn't get all ICMP events. Again, not something this could do.

So, rebasing and retrying to see if that helps.

[christarazi]

Looks mostly good to me, a few minor comments to address.

If I may share an opinion: I appreciate the PR description because it made reviewing the code much easier, however I'd hate to lose all that context because it isn't somewhere in the commit msg. What do you think of putting it somewhere in the commit(s)? The reason is because when bisecting, it's much easier to read all the context related to a change from the commit msg, rather than think "hmm, I wonder if there's more to this" and have to locate the PR behind it.

What I've seen people do (and what I try to do as well) is paste the "important" commit msgs in the PR description as well, so people sort of have a cover letter to read before diving in, as you did in your PR, while also preserving the history in the commit(s) themselves.

On another note, for the release note: I'd suggest stripping the extra newlines as it's not going to format quite as nicely in the end. Something like this would be easier to read:

This is sentence 1 of the release note.
This is sentence 2 of the same release note.
And so on...

[sayboras]

This PR is not only interesting but alsoo fun to read, love the comment in code 👍.

LGTM ✔️

[squeed]

@christarazi updated the logging based on your suggestions, thanks for the review.

[christarazi]

/test

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master

Failure Output

FAIL: Expected

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

[squeed]

jenkins job failure is because of a missed tail call!? This PR has nothing to do with BPF...

time="2023-03-21T21:17:36Z" level=debug msg="running local command: kubectl exec -n kube-system cilium-dj8v9 -- cilium metrics list -o json | jq '.[] | select( .name == \"cilium_drop_count_total\" and .labels.reason == \"Missed tail call\" ).value'"
cmd: "kubectl exec -n kube-system cilium-dj8v9 -- cilium metrics list -o json | jq '.[] | select( .name == \"cilium_drop_count_total\" and .labels.reason == \"Missed tail call\" ).value'" exitCode: 0 duration: 168.910676ms stdout:
1

[squeed]

/mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next

👍 created #24514

[squeed]

/test-1.26-net-next

[aojea]

it is sad we don't have a better defined processs for the Pod lifecycle in k8s so we don't have to implement these things :(

[robbie-demuth]

Forgive me if there's an obvious answer to this question, but, out of curiosity, why a NoSchedule taint as opposed to a NoExecute taint? If Cilium isn't running, pods already scheduled to the node will presumably run into issues. Why not apply a NoExecute taint so that they're evicted and rescheduled elsewhere? A NoExecute taint presumably shouldn't evict Cilium itself since it's a daemon set pod

[squeed]

That is a fine idea. I initially did NoExecute as well to catch pods that were scheduled but not yet picked up by the Kubelet, but I agree that it's too drastic an effect.

[bmendoza820]

That is a fine idea. I initially did NoExecute as well to catch pods that were scheduled but not yet picked up by the Kubelet, but I agree that it's too drastic an effect.

What are your thoughts on updating the behavior to actually apply a NoExecute? Or could this be parameterized similar to how we are able to set the agent-not-ready-taint-key?

[squeed]

Actually, I got this backwards; I set a NoSchedule taint and avoided a NoExecute taint. The reason is that running pods do not need to be evicted when Cilium goes down, as they are running and should not be disrupted.

[bmendoza820]

Actually, I got this backwards; I set a NoSchedule taint and avoided a NoExecute taint. The reason is that running pods do not need to be evicted when Cilium goes down, as they are running and should not be disrupted.

When Cilium goes down, the running pods lose connectivity. Shouldn't they be evicted so that they can be rescheduled onto other nodes where Cilium is running? We encountered this scenario recently and experienced some service outages because the pods were not rescheduled elsehwere.

[squeed]

When Cilium goes down, the running pods lose connectivity.

Generally, that shouldn't happen, with the exception of flows being sent through the userspace L7 proxies. Do you suspect a Cilium bug?

[bmendoza820]

When Cilium goes down, the running pods lose connectivity.

Generally, that shouldn't happen, with the exception of flows being sent through the userspace L7 proxies. Do you suspect a Cilium bug?

Oh, this is not what we observed (or perhaps what we observed were failed network calls sent through the userspace L7 proxies). We saw several reported failed connection attempts for the duration that the nodes had the NoSchedule taint applied. This lasted for several hours until our autoscaler conducted node consolidation.