k8s: include namespace in EndpointSliceName #43999

Merged: borkmann merged 2 commits into cilium:main from EmilyShepherd:namespace-endpointslices on Jan 26, 2026

@EmilyShepherd EmilyShepherd commented Jan 25, 2026

We previously did not include the Namespace in EndpointSliceNames, relying on the fact that EndpointSlices that use generateName- are unlikely to have name collisions, even across namespaces. While this is usually the case, there is no requirement for EndpointSlice managers to use generateName, and there are examples of controllers that do not (for example the master kubernetes service's EndpointSlice is always called "kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions cannot occur.

Warning: If this bugfix is to be merged into a branch that does not yet contain d003678, the old code that that commit cleaned up suffers from the same bug. Happy to provide a separate PR for that, if required, although it looks very out of date.

Fix a bug where removed addresses from EndpointSlices might be missed if multiple EndpointSlices share the same name

@EmilyShepherd EmilyShepherd requested a review from a team as a code owner January 25, 2026 15:56
@EmilyShepherd EmilyShepherd requested a review from joamaki January 25, 2026 15:56
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 25, 2026
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jan 25, 2026
@EmilyShepherd EmilyShepherd force-pushed the namespace-endpointslices branch from 2eb772a to 37721e8 Compare January 25, 2026 16:02

joamaki commented Jan 26, 2026

Was there an actual issue caused by this? pkg/loadbalancer/reflectors/k8s.go collates endpoint slices by the namespaced service name so it shouldn't matter that the EndpointSliceName is not namespaced. At least I cannot find where we could mix them up.

What would be awesome would be if you'd be able to show with a test case in pkg/loadbalancer/tests/testdata that this indeed is a bug. clusterip.txtar might be a reasonable starting point. Just strip out all the stuff about BPF maps and just focus on inserting services and endpoints slices and seeing if this causes a collision.

Or is there a problematic use of EndpointSliceName outside of pkg/loadbalancer?

I wouldn't change this just for the sake of it if there are no issues due to this as this does increase the number of allocations we need to perform to process an endpoint slice change.

EmilyShepherd commented Jan 26, 2026

> Was there an actual issue caused by this? pkg/loadbalancer/reflectors/k8s.go collates endpoint slices by the namespaced service name so it shouldn't matter that the EndpointSliceName is not namespaced. At least I cannot find where we could mix them up.

Yes, apologies, I should have given more context:

processEndpointsEvent in pkg/loadbalancer/reflectors/k8s.go uses a map of all endpoints called currentEndpoints which it indexes using just the EndpointSliceName. This is used to detect orphan backend addresses (when they are removed from an endpoint slice) which should then be deleted from the BPF maps.

This bug caused real negative behaviour in our cluster, which does have EndpointSlices of the same name across namespaces, as each would clobber each other in the currentEndpoints map, resulting in cilium-agent successfully adding new backend addresses whenever they were added to EndpointSlices, but not always noticing and cleaning up when addresses were deleted.

> What would be awesome would be if you'd be able to show with a test case in pkg/loadbalancer/tests/testdata that this indeed is a bug. clusterip.txtar might be a reasonable starting point. Just strip out all the stuff about BPF maps and just focus on inserting services and endpoints slices and seeing if this causes a collision.

This is reasonable - I will try to formulate a testcase to demonstrate this bug.
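
The failure mode described in this comment, reduced to a self-contained Go model. This is an added example, not Cilium's code: `Slice`, `Reflector`, `Upsert` and `Replay` are hypothetical names, the per-service backend scoping is an assumption of the model, and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
)

// Slice is a minimal stand-in for a Kubernetes EndpointSlice (hypothetical type).
type Slice struct {
	Namespace, Name, Service string
	Addrs                    []string
}

// KeyFunc derives the key under which a slice's last-seen state is tracked.
type KeyFunc func(Slice) string

// nameOnly models the pre-fix keying: the slice name without its namespace.
func nameOnly(s Slice) string { return s.Name }

// namespaced models the fix. Kubernetes object names cannot contain "/",
// so "namespace/name" is unambiguous.
func namespaced(s Slice) string { return s.Namespace + "/" + s.Name }

// Reflector is a simplified model of orphan detection: it remembers the
// addresses last seen per slice key and releases those that disappear.
type Reflector struct {
	key      KeyFunc
	current  map[string][]string // slice key -> addresses last seen
	backends map[string]struct{} // "namespace/service addr" (assumed scoping)
}

func NewReflector(k KeyFunc) *Reflector {
	return &Reflector{key: k, current: map[string][]string{}, backends: map[string]struct{}{}}
}

// backendID scopes a backend address to its namespaced service.
func backendID(s Slice, addr string) string {
	return s.Namespace + "/" + s.Service + " " + addr
}

// Upsert handles an add or update event for one slice.
func (r *Reflector) Upsert(s Slice) {
	want := make(map[string]bool, len(s.Addrs))
	for _, a := range s.Addrs {
		want[a] = true
	}
	k := r.key(s)
	// Orphans are addresses the previously stored slice had and the new one lacks.
	// If another namespace's slice overwrote r.current[k], this diff is taken
	// against the wrong slice and the real removal is never seen.
	for _, old := range r.current[k] {
		if !want[old] {
			delete(r.backends, backendID(s, old))
		}
	}
	for _, a := range s.Addrs {
		r.backends[backendID(s, a)] = struct{}{}
	}
	r.current[k] = append([]string(nil), s.Addrs...)
}

// Backends returns the backend set in sorted order.
func (r *Reflector) Backends() []string {
	out := make([]string, 0, len(r.backends))
	for b := range r.backends {
		out = append(out, b)
	}
	sort.Strings(out)
	return out
}

// Replay adds two same-named slices in different namespaces, then removes
// one address from the first, and returns the resulting backend set.
func Replay(k KeyFunc) []string {
	r := NewReflector(k)
	a := Slice{"test-a", "service", "service", []string{"10.244.1.1", "10.244.1.2"}}
	b := Slice{"test-b", "service", "service", []string{"10.245.1.1", "10.245.1.2"}}
	r.Upsert(a)
	r.Upsert(b)
	a.Addrs = []string{"10.244.1.1"} // 10.244.1.2 leaves the test-a slice
	r.Upsert(a)
	return r.Backends()
}

func main() {
	fmt.Println("name-only key: ", Replay(nameOnly))
	fmt.Println("namespaced key:", Replay(namespaced))
}
```

With the name-only key the removed address `10.244.1.2` stays in the backend set of `test-a/service`; with the namespaced key it is released and three backends remain.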

@EmilyShepherd EmilyShepherd requested a review from a team as a code owner January 26, 2026 12:27
@EmilyShepherd EmilyShepherd force-pushed the namespace-endpointslices branch 2 times, most recently from 382e990 to e5dc380 Compare January 26, 2026 12:33
@EmilyShepherd

@joamaki Thank you for the pointer to the testcases - I have added a testcase now demonstrating how this issue arises.

Without 4bd9521 this test always fails, with it the test always passes.

If you could point me in the right direction of the correct commit order etiquette for this test, that would be very helpful. Normally I'd add a fail-proving test before the commit that fixes it, but cilium's Contribution Guide mentions that every commit needs to be able to build so I wasn't clear if that means "every commit needs to compile + all tests pass" or just "every commit needs to compile; fail proving tests are acceptable". Happy to reorder commits as suggested.

(Also rebased to latest main)

@EmilyShepherd

If we are concerned about memory usage, we could look at changing EndpointSliceName to be based on the EndpointSlice's uid instead of name (or name + namespace), which Kubernetes loosely guarantees will be a uuid.

If we parse the uuid into a 128-bit value this will create a constant, and relatively short 16-byte binary string, or if we take the uid as-is a 36-byte string without any extra processing / allocations.

I would be happy to do this if you think it would have value.

joamaki commented Jan 26, 2026

> @joamaki Thank you for the pointer to the testcases - I have added a testcase now demonstrating how this issue arises.
>
> Without 4bd9521 this test always fails, with it the test always passes.
>
> If you could point me in the right direction of the correct commit order etiquette for this test, that would be very helpful. Normally I'd add a fail-proving test before the commit that fixes it, but cilium's Contribution Guide mentions that every commit needs to be able to build so I wasn't clear if that means "every commit needs to compile + all tests pass" or just "every commit needs to compile; fail proving tests are acceptable". Happy to reorder commits as suggested.
>
> (Also rebased to latest main)

Awesome thanks for the test case! I would add the failing test case first and then the fix. The CI only checks that every commit builds (e.g. go build ./...) not that every test passes on every commit.

I think the test case would be slightly easier to follow if it wouldn't look at the BPF maps and would just look at the tables. I'll see if I can come up with a minimal version of it.

joamaki commented Jan 26, 2026

Here's a suggestion for how to write the test case:

#
# Regression test case for checking that the EndpointSlice names are allowed to overlap across
# namespaces. https://github.com/cilium/cilium/pull/43999.
#

# Start the test application
hive/start

# Make the test-b variants of the service and endpoint slice
cp service-a.yaml service-b.yaml
sed 'namespace: test-a' 'namespace: test-b' service-b.yaml
sed '10.96.50.104' '10.96.50.105' service-b.yaml
cp endpointslice-a.yaml endpointslice-b.yaml
sed 'namespace: test-a' 'namespace: test-b' endpointslice-b.yaml
sed '10.244.1.' '10.245.1.' endpointslice-b.yaml

# 1. Add the test-a Service and EndpointSlice.
k8s/add service-a.yaml endpointslice-a.yaml
db/cmp frontends frontends-1.table
db/cmp backends backends-1.table

# 2. Add the test-b Service and EndpointSlice. Both endpoint slices have
# the same name.
k8s/add service-b.yaml endpointslice-b.yaml
db/cmp frontends frontends-2.table
db/cmp backends backends-2.table

# 3. Update the first EndpointSlice - remove an address.
sed '.*- 10.244.1.2' '' endpointslice-a.yaml
k8s/update endpointslice-a.yaml
db/cmp frontends frontends-3.table
db/cmp backends backends-3.table

-- frontends-1.table --
Address               Type        ServiceName      PortName   Backends                             Status   Error
10.96.50.104:80/TCP   ClusterIP   test-a/service   http       10.244.1.1:80/TCP, 10.244.1.2:80/TCP Done

-- backends-1.table --
Address             Instances               Shadows   NodeName
10.244.1.1:80/TCP   test-a/service (http)             nodeport-worker
10.244.1.2:80/TCP   test-a/service (http)             nodeport-worker

-- frontends-2.table --
Address               Type        ServiceName      PortName   Backends                             Status   Error
10.96.50.104:80/TCP   ClusterIP   test-a/service   http       10.244.1.1:80/TCP, 10.244.1.2:80/TCP Done
10.96.50.105:80/TCP   ClusterIP   test-b/service   http       10.245.1.1:80/TCP, 10.245.1.2:80/TCP Done

-- backends-2.table --
Address             Instances               Shadows   NodeName
10.244.1.1:80/TCP   test-a/service (http)             nodeport-worker
10.244.1.2:80/TCP   test-a/service (http)             nodeport-worker
10.245.1.1:80/TCP   test-b/service (http)             nodeport-worker
10.245.1.2:80/TCP   test-b/service (http)             nodeport-worker

-- frontends-3.table --
Address               Type        ServiceName      PortName   Backends                             Status   Error
10.96.50.104:80/TCP   ClusterIP   test-a/service   http       10.244.1.1:80/TCP                    Done
10.96.50.105:80/TCP   ClusterIP   test-b/service   http       10.245.1.1:80/TCP, 10.245.1.2:80/TCP Done

-- backends-3.table --
Address             Instances               Shadows   NodeName
10.244.1.1:80/TCP   test-a/service (http)             nodeport-worker
10.245.1.1:80/TCP   test-b/service (http)             nodeport-worker
10.245.1.2:80/TCP   test-b/service (http)             nodeport-worker

-- service-a.yaml --
apiVersion: v1
kind: Service
metadata:
  name: service
  namespace: test-a
spec:
  clusterIP: 10.96.50.104
  clusterIPs:
  - 10.96.50.104
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  type: ClusterIP
  sessionAffinity: ClientIP

-- endpointslice-a.yaml --
# Initial EndpointSlice has two addresses
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
  labels:
    kubernetes.io/service-name: service
  name: service
  namespace: test-a
addressType: IPv4
endpoints:
- addresses:
  - 10.244.1.1
  - 10.244.1.2
  conditions:
    ready: true
    serving: true
    terminating: false
  nodeName: nodeport-worker
ports:
- name: http
  port: 80
  protocol: TCP

@EmilyShepherd

> Here's a suggestion for how to write the test case:

Ta. Yes this is far more readable. I'll update.

joamaki commented Jan 26, 2026

> If we are concerned about memory usage, we could look at changing EndpointSliceName to be based on the EndpointSlice's uid instead of name (or name + namespace), which Kubernetes loosely guarantees will be a uuid.
>
> If we parse the uuid into a 128-bit value this will create a constant, and relatively short 16-byte binary string, or if we take the uid as-is a 36-byte string without any extra processing / allocations.
>
> I would be happy to do this if you think it would have value.

I quickly checked with pkg/loadbalancer/benchmark and there wasn't a noticeable difference. I would just go with namespace + name.

@joamaki joamaki added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Jan 26, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 26, 2026

joamaki commented Jan 26, 2026

"fix endpointslices with the same name cause changes to be missed" as release note is a bit vague. Could you reword it a bit so it's clear what was fixed?

@joamaki joamaki added needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Jan 26, 2026
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Jan 26, 2026
This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for cilium#43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Jan 26, 2026
We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See cilium#43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
@EmilyShepherd EmilyShepherd force-pushed the namespace-endpointslices branch from e5dc380 to f07f3d5 Compare January 26, 2026 14:19

joamaki commented Jan 26, 2026

/test

@maintainer-s-little-helper

Commit 3954c69 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jan 26, 2026
github-merge-queue bot pushed a commit that referenced this pull request Jan 26, 2026
This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for #43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
Merged via the queue into cilium:main with commit 5c146c3 Jan 26, 2026
76 checks passed
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Jan 26, 2026
[ upstream commit e69da93 ]

This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for cilium#43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Jan 26, 2026
[ upstream commit 3132f0c ]

We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See cilium#43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
joestringer pushed a commit to joestringer/cilium that referenced this pull request Jan 27, 2026
[ upstream commit 74c1bde ]

This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for cilium#43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
Signed-off-by: Joe Stringer <joe@cilium.io>
joestringer pushed a commit to joestringer/cilium that referenced this pull request Jan 27, 2026
[ upstream commit 5c146c3 ]

We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See cilium#43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
Signed-off-by: Joe Stringer <joe@cilium.io>
@joestringer joestringer added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Jan 27, 2026
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Jan 27, 2026
[ upstream commit 3132f0c ]

We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See cilium#43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Jan 27, 2026
[ upstream commit 74c1bde ]

This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for cilium#43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Jan 27, 2026
[ upstream commit 5c146c3 ]

We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See cilium#43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
github-merge-queue bot pushed a commit that referenced this pull request Jan 27, 2026
[ upstream commit 74c1bde ]

This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for #43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
Signed-off-by: Joe Stringer <joe@cilium.io>
github-merge-queue bot pushed a commit that referenced this pull request Jan 27, 2026
[ upstream commit 5c146c3 ]

We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See #43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
Signed-off-by: Joe Stringer <joe@cilium.io>
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Jan 27, 2026
@julianwiedmann julianwiedmann added backport/author The backport will be carried out by the author of the PR. backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Jan 28, 2026
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Feb 17, 2026
[ upstream commit 74c1bde ]

This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for cilium#43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
EmilyShepherd added a commit to EmilyShepherd/cilium that referenced this pull request Feb 17, 2026
[ upstream commit 5c146c3 ]

We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See cilium#43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
github-merge-queue bot pushed a commit that referenced this pull request Feb 25, 2026
[ upstream commit 74c1bde ]

This commit adds a test that when we have two EndpointSlices in
different namespaces with the same name, that these do not cause any
collisions or problems.

Specifically, we test the scenario where two EndpointSlices are setup,
then one is modified by removing an address. This should be correctly
picked up and the backend removed from the BPF maps.

This test is a regression test for #43999.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
github-merge-queue bot pushed a commit that referenced this pull request Feb 25, 2026
[ upstream commit 5c146c3 ]

We previously did not include the Namespace in EndpointSliceNames,
relying on the fact that EndpointSlices that use generateName- are
unlikely to have name collisions, even across namespaces. While this is
usually the case, there is no requirement for EndpointSlice managers to
use generateName, and there are examples of controllers that do not (for
example the master kubernetes service's EndpointSlice is always called
"kubernetes").

Including the namespace in EndpointSliceNames guarantees collisions
cannot occur.

See #43999 for further discussion
of this bug.

Signed-off-by: Emily Shepherd <emily@redcoat.dev>
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Feb 25, 2026
Labels

backport/author The backport will be carried out by the author of the PR. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
