cluster membership race when streaming eds data and active health checking

[lita]

Title: cluster membership race when streaming eds data and active health checking

Description:
Now that Lyft has rolled out streaming xDS data to all the envoys, we are seeing a race condition with service discovery.

During shut down, the host fails health check and then deregisters with discovery. We are running into a problem where the downstream envoys get the updated EDS data first before it gets the failed health check. This causes cluster membership to go out of sync until a membership change happens (which could be a long time).

This was not a problem before, as the sidecar envoys were polling the discovery data every 30 seconds. But now that we moved to the xDS protocal, we are seeing this race.

This is a bigger issue with Kubernetes services, as the k8s api server streams service discovery data very quickly (and sometimes infrequently) to our control plane, potentially entering into panic routing mode.

After talking with Matt, the proposed solution is to not just reconcile host membership on when envoy recieves EDS data, but also when envoy recieves a failed health check from an upstream host.

Would love to get consensus from the community, particulary @snowp, on the best path forward. We would like host membership to reconile very quickly if possible.

[snowp]

I think ejecting hosts on health check changes make sense. The other option I had in mind was to periodically check hosts on some timer after they get removed from EDS, but it might be easier to just do it inline during health updates.

We'd need some way of knowing that a host is eligible for removal (maybe just store this information on the Host itself?), as well as some way of knowing which HostSet to remove it from (it might be fine to just attempt to remove it from everything, not sure). Other than that this doesn't seem so bad.

[lita]

If you are okay with storing in the Host itself and then removing it from the entire HostSet, then I can go code that up.

[mattklein123]

The other option I had in mind was to periodically check hosts on some timer after they get removed from EDS, but it might be easier to just do it inline during health updates.

I'm actually not sure which is easier. The timer might be easier TBH, though it would be nice to spec out what it would mean to have this be event based. @lita if you are up for it I would take a look at the code and see what the options might be. I looked through it briefly and I think it's going to be non-trivial to do the event based solution, just based on where the various event callbacks are routed currently. I can give you a quick code tour in person if you like.

[lita]

Sounds good, we can go through it tomorrow and see what the options are. I plan on rolling out a timing solution on the control plane side anyway. But would be nice to have an event based solution.