Fix endpoints status out-of-sync when the pod state changes rapidly

[tnqn]

What type of PR is this?

/kind bug

What this PR does / why we need it:

When Pod state changes rapidly, endpoints controller may use outdated informer cache to sync Service. If the outdated endpoints appear to be expected by the controller, it skips updating it.

The commit fixes it by checking if endpoints informer cache is outdated when processing a service. If the endpoints is stale, it returns an error and retries later.

Which issue(s) this PR fixes:

Fixes #125638

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fix endpoints status out-of-sync when the pod state changes rapidly

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[aojea]

I'm trying to find the issue where this option was discussed and discarded several releases ago, @thockin @robscott do you remember?

This fixes the issue because it process its own update, we are already doing it on other controllers, but it means we are going to do double the work now for each endpoint update

[tnqn]

I found this change would break a conformance test: "should test the lifecycle of an Endpoint".
However, the conformance test itself seems contradictory with some logic of endpoints controller:

• The conformance test expects an Endpoint created without a Service to exist
• The checkLeftoverEndpoints function of endpoint controller triggers syncing all Endpoints except for those having leader election annotation and will cause Endpoints without Services to be deleted:

  kubernetes/pkg/controller/endpoint/endpoints_controller.go

  Lines 561 to 567 in 921fb0b

  	// checkLeftoverEndpoints lists all currently existing endpoints and adds their
  	// service to the queue. This will detect endpoints that exist with no
  	// corresponding service; these endpoints need to be deleted. We only need to
  	// do this once on startup, because in steady-state these are detected (but
  	// some stragglers could have been left behind if the endpoint controller
  	// reboots).
  	func (e *Controller) checkLeftoverEndpoints() {

The conformance test gives an impression that an user created Endpoints (without a Service) can exist but it will be deleted once kube-controller-manager restarts or fails over. Subscribing endpoints update events extends the cleanup logic of checkLeftoverEndpoints in a sense.

[tnqn]

It seems the conformance test would fail as long as the controller watches endpoints update events.

I'm thinking another fix which doesn't affect the conformance test and could avoid doubling the work: we track the stale resource versions of endpoints after each successful endpoints update, use it to determine whether the endpoints in cache is stale when syncing it next time, and return error if it's stale and retry. (The reason why we don't track generation like endpointslice controller is endpoints doesn't have a generation.)

The 2nd commit implements the above fix.

[danwinship]

I'm trying to find the issue where this option was discussed and discarded several releases ago, @thockin @robscott do you remember?

I definitely remember what you're talking about, but not the details...

[tnqn]

/retest

[tnqn]

/retest

[aojea]

@tnqn sorry for being very picky but everytime we change something here there are always unexpected edge cases, I think that adding an integration test that reproduces the problem, we can do multiple transitions in parallel if necessary to increase the chances of getting an stale cache entry, will give us more confidence

kubernetes/test/integration/endpoints/endpoints_test.go

Line 38 in 742b2f7

func TestEndpointUpdates(t *testing.T) {

[chymy]

/test pull-kubernetes-integration

[tnqn]

@tnqn sorry for being very picky but everytime we change something here there are always unexpected edge cases, I think that adding an integration test that reproduces the problem, we can do multiple transitions in parallel if necessary to increase the chances of getting an stale cache entry, will give us more confidence

@aojea no problem, I will add one.

[chymy]

/lgtm
Our environment has happened several times.

[robscott]

Thanks @tnqn!

/hold cancel

[robscott]

Actually I guess @aojea said Friday, but I think we likely have enough reviewers that have signed off on this now, will defer to him.

/hold

[aojea]

Actually I guess @aojea said Friday, but I think we likely have enough reviewers that have signed off on this now, will defer to him.

/hold

/hold cancel

There are 3 additional reviews, more than enough 😄

[liggitt]

For visibility, backports of this regressed 1.30.3+, 1.29.7+, and 1.28.12+ (see #127370).

Make sure we stick to the criteria for backports. Backporting changes which are not regression fixes or critical bugfixes as described in https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/cherry-picks.md#what-kind-of-prs-are-good-for-cherry-picks should be avoided. Every backport carries risk, and in this case, we made patch releases worse with a backport.