Adding Rate limiting ec2:DescribeInstances API along with Batching for high TPS

[bhks]

Prerequisite:

The AWS ec2:DescribeInstances API is a low TPS batching capable API.

Summary :

As of Today a K8s cluster can support up-to 5000 nodes. every nodes has to run kubelet process to join to cluster, while joining the cluster kubelet makes multiple calls to API Server and if it fails it does a retry with backoff where it can make 8-9 calls per object type per second.

Given the Authenticator is a webhook and API Server makes calls to Authenticator for every API call being made to verify the users or nodes role.

While verifying for nodes it needs to call to ec:DescribeInstances to get the PrivateDNSName for the node. When we make call to verify token and get-caller-identity we know about the instanceId. PrivateDNSName and whether the session is valid but we don't know whether this node belongs to the same aws account.

Problem:

For example lets assume we have 500 nodes , and a cluster have 20 object types.

Thinking of two situations:

• When Master restarts or new Master comes up and old master goes down in a HA Master setup
• When cluster has a sudden hike in number of nodes joining

For the master restart , every connection to the old master from every kubelet running on nodes will close like watches and all hence kubelet will try to re-connect and get the updated list and do watch connection while doing so it has to pass through Authenticator and authenticator does verification of instance with PrivateDNSNames belonging to the same aws account.

As of today not having any rate limiting for the ec2:DescribeInstances make service unavailable as after 20-30 calls the aws ec2 API starts throttling because every node calls goes to API in the same interval and at multiple fold.

The number of calls per second for the failed to get authenticated would be

Number of nodes * 20 * 8 = 500 * 20 * 8 = ~ 8000 TPS

In a minute it can go upto ~ 200 K - ~400K

As this throttling would not get resolved at the same time it takes almost 2-5 minutes to get resolve

So total number of throttling goes to a very high number which impacts other services running in the aws account or CNI or Kube-Controller-manager.

While the Authenticator tries to cache the PrivateDNSNames but that does not help in this case as the kubelet calls very fast and the master has restarted so it does not have every node in cache.

Solution:

1. Adding rate Limiting to make sure it does not hit the high TPS
2. Adding rate limit will make the system very slow in the above mentioned situations as for the same node it would still make calls to ec2:DescribeInstances. So adding a look up map to check if we already have the in flight request for the ec2 instanceId and then wait for upto 5 second and keep looking into the cache to check if the Inflight request has completed and added the PrivateDNSName to cache.
3. Given having a large number of nodes it can still take minutes to process every single node description so adding a batching routine which when number of Inflight request becomes more than 5 it can start batching and every 200 milliseconds batches the instances and just makes one call to ec2 to get the details of instances and put the PrivateDNSNames into the cache.

Testing:

• Added unit tests which emulates the behavior with 100 nodes.
• Tested in a real EKS cluster with 500, 1000 and 3000 nodes to check the count of API as well as overall performance of the system when we recycle the masters.

Next:

• Adding Backoff Retry for AWS API ec2:DescribeInstances

[k8s-ci-robot]

Welcome @bhagwat070919!

It looks like this is your first PR to kubernetes-sigs/aws-iam-authenticator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-iam-authenticator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

@bhagwat070919: GitHub didn't allow me to assign the following users: mhausler.

Note that only kubernetes-sigs members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign mhausler

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mogren]

Nice, but this change should probably have been a separate PR.

[mogren]

Nit: Add a newline before the comment so that gofmt will intent this a bit nicer.

[mogren]

Nit: This could be set higher, then it won't have to be changed later on.

[bhks]

How about 10K ?

[mogren]

Isn't 5 seconds quite a long time?

[micahhausler]

This seems OK, given that its just for calls from nodes not in the cache

[bhks]

5 seconds is the timeout for any given request and upper limit.

[mogren]

In go, this func would usually be named just New, since then it will get called using ec2provider.New()

[bhks]

ack, yeah it does not hurt given I already have extracted it out from the server.go and in this package there are no other New()

[mogren]

Rename these cache it lock, since they will always be referenced using dnsCache.cache and dnsCache.lock

[bhks]

ack

[mogren]

Hmm, this is not even really a queue, is it? The pattern of a map to book is commonly used when you want a Set. Also, maps in go return the keys in random order, so you won't even get them in the order they were added when you iterate over it.

Can this just be

type ec2Requests struct {
	set  map[string]bool
	lock sync.RWMutex
}

[bhks]

Good point.

• my Idea was:
  its a logical concept to understand easily as its a request queue where we have inflight requests saved to have lookup.

I will make this change.

[mogren]

This is good! Change to use this "lock / defer unlock"-pattern in all the functions attached to ec2ProviderImpl.

[bhks]

Yeah , I like your idea as I was trying to be performance agnostic about these code in terms of nanoseconds while loosing the readability.
I will make all the unlock with defer.

[micahhausler]

This is a great improvement! Mostly stylistic changes, and a reduction in the amount of logging

[micahhausler]

Nit: Go generally doesn't use underscores, maybe DefaultEC2DescribeInstancesQPS. See Effective Go

[bhks]

ack

[micahhausler]

Nit: Ec2 -> EC2

[bhks]

ack

[micahhausler]

nit: could you separate stdlib imports from third party imports?

[bhks]

I hope one day my Goland will learn this and don't make this mistakes.

[micahhausler]

nit: can you update these variable names to not include underscores?

[bhks]

ack

[micahhausler]

instead of all the variables and appends, what do you think about just returning a single variable with the nested fields set?

[bhks]

good idea let me check.

[micahhausler]

Can you name this something more specific like newMockedEC2ProviderImpl?

[bhks]

Done , good name suggestions

[micahhausler]

Can you move this to third party imports?

[bhks]

ack

[micahhausler]

tiniest of nit: this could be onelined

func (p *testEC2Provider) StartEc2DescribeBatchProcessing() {}

[bhks]

ack

[micahhausler]

Do you need to log this since you have a log call in the batch process? Can this be debug?

[bhks]

Added as Debug log

[bhks]

This is a great improvement! Mostly stylistic changes, and a reduction in the amount of logging

Thanks !!!

I somehow knew that there would be an idea of removing the loggings but given the fact for every instance the whole workflow prints the messages once except few which just roam around for cache lookup.

[bhks]

Thank you so much @mogren and @micahhausler for helping improve the Go code quality.
I have updated the code with comments incorporation.

[micahhausler]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bhagwat070919, micahhausler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [micahhausler]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mogren]

Nice work Bhagwat, thanks for fixing this!

/lgtm