Proposal: Introduce Available Pods (MinReadySeconds in the PodSpec)

[0xmichalis]

Moved to #478

Today, Deployments/ReplicaSets use MinReadySeconds in order to include an additional delay on top of readiness checks and facilitate more robust rollouts. The ReplicaSet controller decides how many available Pods a ReplicaSet runs and the Deployment controller, when rolling out new Pods, will not proceed if the minimum available Pods that are required to run are not ready for at least MinReadySeconds (if MinReadySeconds is not specified then the Pods are considered available as soon as they are ready).

Two problems that have been identified so far with the current state of things:

1. A Pod is marked ready by the kubelet as soon as it passes its readiness check. The ReplicaSet controller runs as part of master and estimates when a Pod is available by comparing the time the Pod became ready (as seen by the kubelet) with MinReadySeconds. Clock-skew between master and nodes will affect the availability checks.
2. PodDisruptionBudget is working with ready Pods and has no notion of MinReadySeconds when used by a Deployment/ReplicaSet.

Both problems above can be solved by moving MinReadySeconds in the PodSpec. Once kubelet observes that a Pod has been ready for at least MinReadySeconds without any of its containers crashing, it will update the PodStatus with an Available condition set to Status=True. Higher-level orchestrators running on different machines such as the ReplicaSet or the PodDisruptionBudget controller will merely need to look at the Available condition that is set in the status of a Pod.

API changes

A new field is proposed in the PodSpec:

	// Minimum number of seconds for which a newly created pod should be ready
	// without any of its container crashing, for it to be considered available.
	// Defaults to 0 (pod will be considered available as soon as it is ready)
	// +optional
	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`

and a new PodConditionType:

	// PodAvailable is added in a ready pod that has MinReadySeconds specified. The pod
	// should already be added under a load balancer and serve requests, this condition
	// lets higher-level orchestrators know that the pod is running after MinReadySeconds
	// without having any of its containers crashed.
	PodAvailable PodConditionType = "Available"

Additionally:

• Deployments/ReplicaSets/DaemonSets already use MinReadySeconds in their spec so we should probably deprecate those fields in favor of the field in the PodSpec and remove them in a future version.
• Deployments/ReplicaSets will not propagate MinReadySeconds from their Spec down to the pod template because that will lead in differences in the pod templates between a Deployment and a ReplicaSet resulting in new rollouts. If MinReadySeconds is specified both in the spec and pod template for a Deployment/ReplicaSet and it's not the same value, a validation error will be returned (tentative). API defaulting can set MinReadySeconds in the spec, if it's specified only in the PodTemplate (tentative).
• ReplicaSets that specify MinReadySeconds only in the ReplicaSetSpec, can create new Pods by specifying MinReadySeconds in their PodSpec (w/o updating the ReplicaSet pod template).

kubelet changes

For a Pod tha specifies MinReadySeconds, kubelet will need to check (after MinReadySeconds) if any of the Pod containers has crashed. If not, it will switch the Available condition to Status=True in the status of the Pod. Pods that don't specify MinReadySeconds, won't have the Available condition set in their status.

Controller manager changes

The ReplicaSet controller will create new Pods by setting MinReadySeconds in their PodSpec if it's specified in the ReplicaSetSpec (and not in the ReplicaSet pod template). For Pods that don't specify MinReadySeconds, it can switch to use a virtual clock and continue using the current approach of estimating availability. This will also help in keeping new servers backwards-compatible with old kubelets.

Future work

The PDB controller will need to be extended to recognize the Available condition in Pods. It may also need to get into the bussiness of estimating availability for Deployments/ReplicaSets that already use MinReadySeconds (already existing Pods are not going to be updated with an Available condition - see the section above about kubelet changes).

@kubernetes/sig-apps-misc @kubernetes/sig-api-machinery-misc

[thockin]

Why is this a new condition, rather than a delay before setting the existing condition. With this we have 2 VERY similar conditions that differ in only very subtle ways. What guidance would we provide as to which one to use and when? E.g. readiness propagates to Endpoints.

…

On Mon, Dec 19, 2016 at 4:33 AM, Michail Kargakis ***@***.***> wrote: Today, Deployments/ReplicaSets use MinReadySeconds in order to include an additional delay on top of readiness checks and facilitate more robust rollouts. The ReplicaSet controller decides how many available Pods a ReplicaSet runs and the Deployment controller, when rolling out new Pods, will not proceed if the minimum available Pods that are required to run are not ready for at least MinReadySeconds (if MinReadySeconds is not specified then the Pods are considered available as soon as they are ready). Two problems that have been identified so far with the current state of things: 1. A Pod is marked ready by the kubelet as soon as it passes its readiness check. The ReplicaSet controller runs as part of master and estimates when a Pod is available by comparing the time the Pod became ready (as seen by the kubelet) with MinReadySeconds. Clock-skew between master and nodes will affect the availability checks <kubernetes/kubernetes#29229>. 2. PodDisruptionBudget is working with ready Pods and has no notion of MinReadySeconds when used by a Deployment/ReplicaSet. Both problems above can be solved by moving MinReadySeconds in the PodSpec. Once kubelet observes that a Pod has been ready for at least MinReadySeconds without any of its containers crashing, it will update the PodStatus with an Available condition set to Status=True. Higher-level orchestrators running on different machines such as the ReplicaSet or the PodDisruptionBudget controller will merely need to look at the Available condition that is set in the status of a Pod. API changes A new field is proposed in the PodSpec: // Minimum number of seconds for which a newly created pod should be ready // without any of its container crashing, for it to be considered available. // Defaults to 0 (pod will be considered available as soon as it is ready) // +optional MinReadySeconds *int32 `json:"minReadySeconds,omitempty"` and a new PodConditionType: // PodAvailable is added in a ready pod that has MinReadySeconds specified. The pod // should already be added under a load balancer and serve requests, this condition // lets higher-level orchestrators know that the pod is running after MinReadySeconds // without having any of its containers crashed. PodAvailable PodConditionType = "Available" Additionally: - Deployments/ReplicaSets already have MinReadySeconds in their spec so we should probably deprecate those fields in favor of the field in the PodSpec and remove them in a future version. - Deployments/ReplicaSets will not propagate MinReadySeconds from the spec down to the pod template because that will lead in differences in the pod templates between a Deployment and a ReplicaSet resulting in new rollouts. If MinReadySeconds is specified both in the spec and pod template for a Deployment/ReplicaSet and it's not the same value, a validation error will be returned. The defaulter can set MinReadySeconds in the spec, if it's specified only in the PodTemplate (tentative). - ReplicaSets that specify MinReadySeconds only in the ReplicaSetSpec, can create new Pods by specifying MinReadySeconds in their PodSpec (w/o updating the ReplicaSet pod template). kubelet changes For a Pod tha specifies MinReadySeconds, kubelet will need to check (after MinReadySeconds) if any of the Pod containers has crashed. If not, it will switch the Available condition to Status=True in the status of the Pod. Pods that don't specify MinReadySeconds, won't have the Available condition set in their status. Controller manager changes The ReplicaSet controller will create new Pods by setting MinReadySeconds in their PodSpec if it's specified in the ReplicaSetSpec (and not in the ReplicaSet pod template). For Pods that don't specify MinReadySeconds, it can switch to use a virtual clock and continue using the current approach of estimating availability. This will also help in keeping new servers backwards-compatible with old kubelets. Future work The PDB controller will need to be extended to recognize the Available condition in Pods. It may also need to get into the bussiness of estimating availability for Deployments/ReplicaSets that already use MinReadySeconds (already existing Pods are not going to be updated with an Available condition - see the section above about kubelet changes). @kubernetes/sig-apps-misc <https://github.com/orgs/kubernetes/teams/sig-apps-misc> @kubernetes/sig-api-machinery-misc <https://github.com/orgs/kubernetes/teams/sig-api-machinery-misc> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#194>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVIsOslDV21FCQtdLppe-51plCz1Hks5rJnl9gaJpZM4LQrfL> .

[0xmichalis]

Why is this a new condition, rather than a delay before setting the existing condition. With this we have 2 VERY similar conditions that differ in only very subtle ways. What guidance would we provide as to which one to use and when? E.g. readiness propagates to Endpoints.

Readiness adds the pod under rotation as you already said, the available condition offers an additional delay for orchestrators like Deployments so that they won't proceed with deleting old pods for an amount of time (assumes traffic is moved to new pods).

Admittedly, we need metrics to make this robust like real # of connections served by new pods but once we have such metrics, we could easily extend something (an external controller, the Deployment controller, or merely inform users) to set the average time it takes for a specific % of users to land in new pods.

[thockin]

I don't buy that this is a distinction that pays its own way. Or at least, the names are not sufficiently meaningful.embedding this into Pod and making the distinction as described is hacky. The distinction you're trying to make is properly an attribute of the deployment. I ACK the time skew issue. I'm open to better ways to characterize this or to alternative ways to describe the time relationship. What if we could a) have the apiserver write the timestamp and b) return a timestamp with a GET, so that any client could trust time more? Do we have to worry about time skew between masters? Depending on time is sketchy to start with, do we need a monotonic clock service?

…

On Thu, Dec 22, 2016 at 2:25 AM, Michail Kargakis ***@***.***> wrote: Why is this a new condition, rather than a delay before setting the existing condition. With this we have 2 VERY similar conditions that differ in only very subtle ways. What guidance would we provide as to which one to use and when? E.g. readiness propagates to Endpoints. Readiness adds the pod under rotation as you already said, the available condition offers an additional delay for orchestrators like Deployments so that they won't proceed with deleting old pods for an amount of time (assumes traffic is moved to new pods). Admittedly, we need metrics to make this robust like real # of connections served by new pods but once we have such metrics, we could easily extend *something* (an external controller, the Deployment controller, or merely inform users) to set the average time it takes for a specific % of users to land in new pods. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#194 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVCE4PJd7a408TpwMw5GmZqUGfd0zks5rKlAFgaJpZM4LQrfL> .

[0xmichalis]

I am not sure how this would solve any of the problem I have outlined in the original post On Fri, Dec 23, 2016 at 2:36 AM, Tim Hockin <notifications@github.com> wrote:

…

I don't buy that this is a distinction that pays its own way. Or at least, the names are not sufficiently meaningful.embedding this into Pod and making the distinction as described is hacky. The distinction you're trying to make is properly an attribute of the deployment. I ACK the time skew issue. I'm open to better ways to characterize this or to alternative ways to describe the time relationship. What if we could a) have the apiserver write the timestamp and b) return a timestamp with a GET, so that any client could trust time more? Do we have to worry about time skew between masters? Depending on time is sketchy to start with, do we need a monotonic clock service? On Thu, Dec 22, 2016 at 2:25 AM, Michail Kargakis < ***@***.***> wrote: > Why is this a new condition, rather than a delay before setting the > existing condition. With this we have 2 VERY similar conditions that differ > in only very subtle ways. What guidance would we provide as to which one to > use and when? E.g. readiness propagates to Endpoints. > > Readiness adds the pod under rotation as you already said, the available > condition offers an additional delay for orchestrators like Deployments so > that they won't proceed with deleting old pods for an amount of time > (assumes traffic is moved to new pods). > > Admittedly, we need metrics to make this robust like real # of connections > served by new pods but once we have such metrics, we could easily extend > *something* (an external controller, the Deployment controller, or merely > inform users) to set the average time it takes for a specific % of users to > land in new pods. > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > <https://github.com/kubernetes/community/issues/ 194#issuecomment-268770299>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/ AFVgVCE4PJd7a408TpwMw5GmZqUGfd0zks5rKlAFgaJpZM4LQrfL> > . > — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#194 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADuFf1aOybJe5Rba5i3kyvsiYJfhj0Tqks5rKyW4gaJpZM4LQrfL> .

[0xmichalis]

I guess assuming both the replica set and pdb controllers use virtual clocks, the pdb controller will still need to get the information about available pods from somewhere else (deployment or any other controller).

[thockin]

You understand that the names, as presented are very confusing, right? So, at minimum, we need a good name and less confusing meaning And you understand that this problem will come up in other contexts, right? I was hoping to find a more general solution. As a compromise, since I hate just being the guy who shoots things down, how about a name/semantic like "stable". ``` Kubelet sets the "Stable" condition on a pod when all containers have been running without any restarts for `StableTimeSeconds`. Some facets of the system watch the "Ready" condition, while others watch the "Stable" condition. ``` A few things unresolved: The definition of the pod Ready Condition needs to be fleshed out. It's not at all clear what happens to Ready when a container in the pod is crashing periodically. I'm not convinced that "all pods, no restarts" is appropriate, but it's a decent starting place (same with ready). I feel like many/most pods have some "primary" containers and some "secondary" containers. If a primary container restarts, it absolutely should affect Ready and Stable. If a helper container crashes, it probably should not. But it can't NEVER affect readiness, but an occasional crash maybe isn't a big deal. I think we need a more nuanced definition. TL;DR: rename "Available" to "Stable" and I'll buy it, provided we can define what it means very clearly and spec EXACTLY when it changes.

…

On Fri, Dec 23, 2016 at 3:08 AM, Michail Kargakis ***@***.***> wrote: I guess assuming both the replica set and pdb controllers use virtual clocks, the pdb controller will still need to get the information about available pods from somewhere else (deployment or any other controller). — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#194 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFVgVJC9rULlD65Nc-Amj6yiZZ2uVc00ks5rK6vHgaJpZM4LQrfL> .

[smarterclayton]

For example, clock skew between nodes and masters today means that your cluster is fairly broken to the end user. I'm not sure adding new concepts is required without addressing that first. We have skew problems in all controllers that deal with pods. We've discussed several approaches - we already return Date headers from the server so that clients can adjust skew (web consoles, etc). We require clock skew to be low for etcd (hard), and effectively require all clusters to have low skew (although and although many naive installation methods do not install ntpd it's something that (for instance) OpenShift requires in order to be considered to have a working cluster).

I would like to consider treating skew holistically first, then come back and add new concepts defending against it. Is there any reason that our primary system components shouldn't be aware of the possibility of skew and manage that? Every response from the api server delivers a time correction. Our multi-master solution requires time skew to be low. Either we should strengthen our existing requirements for time sync in the cluster, or be more aggressive about warning for detected skew, or add some general solutions for skew. But I'd like to not pretend that skew doesn't matter.

I'm ok with a bit of shooting down here, I agree with Tim that all new concepts on pods need to pave their own way. If we need to be able to trust the timestamp better, we can always make the timestamp better.

[0xmichalis]

But I'd like to not pretend that skew doesn't matter.

Agreed. My other concern was that available conditions in pods would help in making PDB work with controllers that use minReadySeconds but after a closer look in the pdb controller we can easily add support w/o having the condition. I am going to close this proposal for now and proceed with adding virtual clocks in all involved controllers.

[bgrant0607]

@thockin @smarterclayton

I actually suggested this here:
kubernetes/kubernetes#32771 (comment)

And got agreement in principle from dchen1107 (deliberately not notified so as not to bug her) that it wouldn't be crazy to add to Kubelet.

Independent of time-skew issues, it would be simpler to have this in PodSpec rather than duplicated in every workload controller, in PodDisruptionBudget, and probably other places (e.g., I think AppController may do something similar).

I agree the Ready and Available names are less than ideal, but that's what happens when an API is evolved iteratively, and it's hard to come up with pithy terms that are unambiguous. The term Ready was used in relation to readinessProbe. The term Available was used to make the connection to maxUnavailable clear. If we add another reachability signal, that will be Reachable.

They really do need to be distinct, however. Ready is used by the Endpoints controller. Delaying that signal would prevent traffic from being directed to a new pod, which would likely mean that whatever potential bugs were lurking wouldn't be exposed until after it became Ready. So, the additional delay would only delay discovery of the problem and not leave additional time for assessing stability, enabling the instance to warm up, etc.

I'm reopening this proposal.

[bgrant0607]

cc @erictune @janetkuo