Dynamic LB sync non-external backends only when necessary

[ZxYuan]

The PR records a timestamp in nginx shared configuration when API "/configuration/backends" is called by ingress controller. Every second each nginx worker checks whether it is necessary to sync non-external backends.

What this PR does / why we need it:

In our Kubernetes cluster with thousands of service and ingress resources, each of nginx workers syncing backends every second leads to quite heavy load for CPUs. In my testing environment with no input requests, impact on cpu usage is showed as below. Heavy CPU load also seriously affects request time of Biz APIs.
Although it is necessary to sync backends of services using ExternalName since DNS may change anytime, frequent sync of non-external backends can be avoided.

Types of changes

I'm not sure about the type of change, but how dynamic LB works internally is actually modified. Perhaps Breaking change?

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Which issue/s this PR fixes

How Has This Been Tested?

Create N ingress rules and corresponding N non-ExternalName services. Each ingress rule makes a route to one of the services. Without the patch, when N is large, each nginx worker runs out much of its CPU core as the figure above shows.

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added tests to cover my changes.
• All new and existing tests passed.

[k8s-ci-robot]

Hi @ZxYuan. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ZxYuan
To complete the pull request process, please assign elvinefendi
You can assign the PR to them by writing /assign @elvinefendi in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ElvinEfendi]

@ZxYuan can you share some more numbers please, ideally graphs? I'd like to see how much impact does this change have on CPU usage.

[aledbf]

/ok-to-test

[aledbf]

/assign @ElvinEfendi

[ElvinEfendi]

What about backends_with_external_name?

[ElvinEfendi]

I think this should be more specific and indicate that it is specifically about backend sync - what about backends_last_synced_at?

[ElvinEfendi]

Similar to https://github.com/kubernetes/ingress-nginx/pull/5418/files#r412948805, I'd go with is_backend_with_external_name.

[ElvinEfendi]

Are you deliberately updating this in the beginning of function body to avoid retries in case of i.e json decoding error happens? Intuitively I'd have expected this update to be in the end of the function body. I wonder how we can make the intention clearer for the reader.

[ElvinEfendi]

Similar to https://github.com/kubernetes/ingress-nginx/pull/5418/files#r412949876, get_raw_backends_last_sycned_at.

[ElvinEfendi]

s/timestamp/raw_backends_last_sycned_at

[ElvinEfendi]

Why not ngx.update_time and ngx.time?

[ElvinEfendi]

Please include some information in the error message about the potential consequences of not being able to update this timestamp.

[ElvinEfendi]

Should we force sync if last_timestamp - timestamp is too large?

[ZxYuan]

Do you mean we should force sync if current timestamp is too larger than backends_last_sycned_at stored in each worker, avoiding failure of backends syncing caused by error updating raw_backends_last_sycned_at in shared configuration data?

[ZxYuan]

@ZxYuan can you share some more numbers please, ideally graphs? I'd like to see how much impact does this change have on CPU usage.

Thanks for your nice suggestions. I'll give a patch later.
The figures below show how much impact current LB has on CPU usage. Current version=0.30.0 seems a little better than what I mentioned, but still has the issue.

1000 services (or ingresses)

2000 services (or ingresses)

3000 services (or ingresses)

4000 services (or ingresses)

5000 services (or ingresses)

6000 services (or ingresses)

[k8s-ci-robot]

@ZxYuan: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-ingress-nginx-e2e-1-17	7d4aea1	link	/test pull-ingress-nginx-e2e-1-17
pull-ingress-nginx-e2e-1-15	7d4aea1	link	/test pull-ingress-nginx-e2e-1-15
pull-ingress-nginx-e2e-1-18	7d4aea1	link	/test pull-ingress-nginx-e2e-1-18
pull-ingress-nginx-e2e-1-16	7d4aea1	link	/test pull-ingress-nginx-e2e-1-16

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[aledbf]

@ZxYuan do you have a script to generate this scenario?

[ZxYuan]

@ZxYuan do you have a script to generate this scenario?

FYI. Create a nginx deployment on port 80 with label app: nginx
Save the following yaml as press.yaml.tmpl

kind: Service
apiVersion: v1
metadata:
  name: service-press-HAHA
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-press-HAHA
spec:
  rules:
  - http:
      paths:
      - path: /press/HAHA
        backend:
          serviceName: service-press-HAHA
          servicePort: 80

Run the bash script

for i in {1..6000}
do
    sed s#HAHA#${i}#g press.yaml.tmpl > tmp.yaml
    kubectl apply -f tmp.yaml
done