Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sidecarset forbid updating of sidecar container name #937

Merged
merged 1 commit into from
May 26, 2022
Merged

sidecarset forbid updating of sidecar container name #937

merged 1 commit into from
May 26, 2022

Conversation

adairxie
Copy link
Contributor

Ⅰ. Describe what this PR does

This PR will forbid updating of sidecar container name in admission web hook. It will crash openkruise server when changing sidecar container's name under version v1.0.1,as shown in the figure below:

I0316 15:08:49.731232 1 sidecarset_controller.go:143] begin to process sidecarset cube-service-trunk-istio-sidecarset for reconcile E0316 15:08:49.731487 1 runtime.go:78] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference) goroutine 1057 [running]: k8s.io/apimachinery/pkg/util/runtime.logPanic(0x1c4fe60, 0x2e5e7d0) /workspace/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:74 +0x95 k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0) /workspace/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:48 +0x86 panic(0x1c4fe60, 0x2e5e7d0) /usr/local/go/src/runtime/panic.go:965 +0x1b9 github.com/openkruise/kruise/pkg/controller/sidecarset.flipPodSidecarContainerDo(0x218af68, 0xc014f80398, 0xc005651c00) /workspace/pkg/controller/sidecarset/sidecarset_hotupgrade.go:81 +0x310 github.com/openkruise/kruise/pkg/controller/sidecarset.(*Processor).flipPodSidecarContainer.func1(0xc015101548, 0x40e278) /workspace/pkg/controller/sidecarset/sidecarset_hotupgrade.go:49 +0x5c k8s.io/client-go/util/retry.OnError.func1(0xc015101590, 0x40e278, 0x1) /workspace/vendor/k8s.io/client-go/util/retry/util.go:51 +0x3c k8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtection(0xc015101640, 0xc015101600, 0x0, 0x0) /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:211 +0x69 k8s.io/apimachinery/pkg/util/wait.ExponentialBackoff(0x989680, 0x4014000000000000, 0x3fb999999999999a, 0x4, 0x0, 0xc015101640, 0x0, 0x2) /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:399 +0x55 k8s.io/client-go/util/retry.OnError(0x989680, 0x4014000000000000, 0x3fb999999999999a, 0x4, 0x0, 0x1f97a98, 0xc0151016e8, 0x2, 0x2) /workspace/vendor/k8s.io/client-go/util/retry/util.go:50 +0xa6 k8s.io/client-go/util/retry.RetryOnConflict(...) /workspace/vendor/k8s.io/client-go/util/retry/util.go:104 github.com/openkruise/kruise/pkg/controller/sidecarset.(*Processor).flipPodSidecarContainer(0xc00bbad0b0, 0x218af68, 0xc014f80398, 0xc005651000, 0x0, 0xc0151017b0) /workspace/pkg/controller/sidecarset/sidecarset_hotupgrade.go:47 +0x107 github.com/openkruise/kruise/pkg/controller/sidecarset.(*Processor).flipHotUpgradingContainers(0xc00bbad0b0, 0x218af68, 0xc014f80398, 0xc014f803d8, 0x1, 0x1, 0x0, 0x1) /workspace/pkg/controller/sidecarset/sidecarset_hotupgrade.go:36 +0x145 github.com/openkruise/kruise/pkg/controller/sidecarset.(*Processor).UpdateSidecarSet(0xc00bbad0b0, 0xc00133a600, 0x0, 0x0, 0x0, 0x0) /workspace/pkg/controller/sidecarset/sidecarset_processor.go:107 +0x7be github.com/openkruise/kruise/pkg/controller/sidecarset.(*ReconcileSidecarSet).Reconcile(0xc00bbad0e0, 0x21728f8, 0xc009fd4660, 0x0, 0x0, 0xc00f5fa2a0, 0x29, 0xc009fd4660, 0xc00003a000, 0x1d38f40, ...) /workspace/pkg/controller/sidecarset/sidecarset_controller.go:144 +0x259 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc002632460, 0x2172850, 0xc000c81580, 0x1cdee40, 0xc00d619a00) /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:298 +0x30d sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc002632460, 0x2172850, 0xc000c81580, 0x0) /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:253 +0x205 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.2(0x2172850, 0xc000c81580) /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:216 +0x4a k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1() /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:185 +0x37 k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xc00069a750) /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155 +0x5f k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc015101f50, 0x2131c20, 0xc00ae44f30, 0xc000c81501, 0xc001c8c000) /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156 +0x9b k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc00069a750, 0x3b9aca00, 0x0, 0xc005b50e01, 0xc001c8c000) /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133 +0x98 k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext(0x2172850, 0xc000c81580, 0xc00c2b5cb0, 0x3b9aca00, 0x0, 0x1f99601) /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:185 +0xa6 k8s.io/apimachinery/pkg/util/wait.UntilWithContext(0x2172850, 0xc000c81580, 0xc00c2b5cb0, 0x3b9aca00) /workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:99 +0x57 created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1 /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:213 +0x40d

Although it has been fixed by the function sidecarcontrol.IsPodConsistentWithSidecarSet in the v1.0.1, but it will cause sidecarset not to match any existing pod. In a way, it can also lead to orphan sidecar container.

Therefore, we should explicitly refuse to update the sidecar container name in the webhook.

Ⅱ. Does this pull request fix one issue?

NONE

Ⅲ. Describe how to verify it

Under the version of 1.0.1, you can crash openkruise server by changing the sidecar container's name in the sidecarset, note that the sidecar container's upgrade strategy must be hotupgrade.

At the version of 1.0.1, after you change your sidecar container name, the sidecarset will not matching any pods. You can verify it by check sidecarset status.

Ⅳ. Special notes for reviews

@kruise-bot kruise-bot requested review from FillZpp and furykerry March 21, 2022 14:47
@kruise-bot
Copy link

Welcome @adairxie! It looks like this is your first PR to openkruise/kruise 🎉

@kruise-bot kruise-bot added the size/XS size/XS: 0-9 label Mar 21, 2022
@codecov-commenter
Copy link

Codecov Report

Merging #937 (7788963) into master (02f8fe6) will increase coverage by 0.02%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #937      +/-   ##
==========================================
+ Coverage   49.42%   49.45%   +0.02%     
==========================================
  Files         119      119              
  Lines       11306    11316      +10     
==========================================
+ Hits         5588     5596       +8     
- Misses       4857     4859       +2     
  Partials      861      861
Flag Coverage Δ
unittests 49.45% <0.00%> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...set/validating/sidecarset_create_update_handler.go 51.16% <0.00%> (-0.91%) ⬇️
pkg/controller/cloneset/cloneset_event_handler.go 79.46% <0.00%> (-0.19%) ⬇️
pkg/controller/cloneset/sync/api.go 0.00% <0.00%> (ø)
pkg/controller/cloneset/utils/cloneset_utils.go 0.00% <0.00%> (ø)
pkg/webhook/pod/mutating/sidecarset.go 74.70% <0.00%> (+0.14%) ⬆️
pkg/controller/cloneset/cloneset_controller.go 54.15% <0.00%> (+1.29%) ⬆️
pkg/controller/cloneset/sync/cloneset_update.go 48.24% <0.00%> (+1.75%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 02f8fe6...7788963. Read the comment docs.

@adairxie adairxie force-pushed the container-name-change-bug branch from 7788963 to b6117c2 Compare March 21, 2022 14:58
@zmberg
Copy link
Member

zmberg commented Mar 22, 2022

@adairxie Thanks. The DCO failed. Please git commit --amend -s to signoff yourself and force push again.

@adairxie
sidecarset forbid updating of sidecar container name
ab17595 
Signed-off-by: xiehui <615810790@qq.com>
@adairxie adairxie force-pushed the container-name-change-bug branch from b6117c2 to ab17595 Compare March 22, 2022 03:27
@adairxie
Copy link
Contributor Author

adairxie commented Mar 22, 2022
edited
Loading

@adairxie Thanks. The DCO failed. Please git commit --amend -s to signoff yourself and force push again.

@zmberg It's done. Thank you.

@zmberg
Copy link
Member

zmberg commented May 26, 2022

/lgtm

@FillZpp
Copy link
Member

FillZpp commented May 26, 2022

/approve
@adairxie thanks!

@kruise-bot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FillZpp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kruise-bot kruise-bot merged commit 7d49a4e into openkruise:master May 26, 2022
diannaowa pushed a commit to diannaowa/kruise that referenced this pull request Sep 14, 2022
@adairxie @diannaowa
sidecarset forbid updating of sidecar container name (openkruise#937)
4ef089c 
Signed-off-by: xiehui <615810790@qq.com>
Signed-off-by: Liu Zhenwei <zwliu@thoughtworks.com>
ppbits pushed a commit to ppbits/kruise that referenced this pull request Apr 4, 2024
@adairxie
sidecarset forbid updating of sidecar container name (openkruise#937)
44d530d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FillZpp FillZpp Awaiting requested review from FillZpp

@furykerry furykerry Awaiting requested review from furykerry

Assignees

@zmberg zmberg

Labels
approved lgtm size/XS size/XS: 0-9
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@adairxie @kruise-bot @codecov-commenter @zmberg @FillZpp