OCPBUGS-33620: define *probes for KSM

[rexagod]

Will set a target version post-4.16 branching.

• I added CHANGELOG entry for this change.
• No user facing changes, so no entry in CHANGELOG was needed.

[openshift-ci-robot]

@rexagod: This pull request references Jira Issue OCPBUGS-33620, which is invalid:

• expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

• I added CHANGELOG entry for this change.
• No user facing changes, so no entry in CHANGELOG was needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rexagod]

https://github.com/kubernetes/kube-state-metrics/blob/6de105ebbe0eeb5d97d9e6adf1cc83314434e8cc/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet#L200

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rexagod

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rexagod]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rexagod]

::: since kube-prometheus hides these fields.

[juzhao]

/jira refresh

[openshift-ci-robot]

@juzhao: This pull request references Jira Issue OCPBUGS-33620, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.17.0) matches configured target version for branch (4.17.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @juzhao

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[simonpasquier]

Exec probes have lots of edge cases and I'd rather stay away from them.
Also are we convinced that a liveness probe would have caught the network issue?

[rexagod]

There were a couple of asks in the original ticket.

• Being able to "figure out" network outages.
• Being able to restart the kube-state-metrics container if that happens.

I believe for the second case, exec probes may be the only way since kubelet pings are blocked off by KRP. In other cases, we've used HTTP-based probes for the outer KRP instance, but a non-200 status there will end up restarting the KRP instance, and not the proxied container.

For the first case, I believe we should keep the endpoints here as they are defined upstream, but make sure that /healthz (in upstream KSM) considers network outages before sending a 200 (querying a known resource type for metrics, for instance, or maybe a more suited endpoint). This way, liveness will restart the pod if there's an outage, while readiness will query :8082 to determine if the pod's good for traffic (so no changes there).

IMHO I agree and would prefer HTTP-based approach over this given the edge cases, but this seems to check all the asks, unless I'm missing something here.

[simonpasquier]

For the first case, I believe we should keep the endpoints here as they are defined upstream, but make sure that /healthz (in upstream KSM) considers network outages before sending a 200 (querying a known resource type for metrics, for instance, or maybe a more suited endpoint). This way, liveness will restart the pod if there's an outage, while readiness will query :8082 to determine if the pod's good for traffic (so no changes there).

https://github.com/kubernetes/kube-state-metrics/blob/a4ddfe6ed901c80b96e1dfab00a2df1820925b53/pkg/app/server.go#L405-L409

AFAICT /healthz always return 200 OK. I'd be on the fence adding checks against Kubernetes API to the /healthz endpoint: strictly speaking kube-state-metrics is still alive even if it can't reach the API. But it's an upstream discussion anyway.

[rexagod]

Right, and to make this a non-breaking change, would it make sense to add outage checks to a /livez endpoint instead? If so, I can pitch this upstream.

[simonpasquier]

Checking against what metrics-server does:

• /livez reports whether the process is dead-locked or not.
• /healthz reports whether all dependencies are operational.
• /readyz reports that the process is ready to serve HTTP requests.

Even to avoid a breaking change, I'm not sure that you want to swap the semantics of /livez and /healthz?

[rexagod]

Hmm, there seems to be a similar pattern (eg., /healthz being influenced by dependencies) across components that are coupled with API-server (controller-manager) or aggregate-API-server (metrics-server).

But for out-of-tree non-apiserver-dependent projects like usage-metrics-collector, the /healthz seems to be in line with KSM, and seems to choose controller-runtime's style over apiserver's.

I believe this pattern would warrant for including outage checks within /livez, while making it responsible for looking out for any non-healing symptoms (i.e., outages) which would demand a restart.

WDYT?

[rexagod]

(PS. I might be wrong here, but I wanted to confirm my deduction to devise my approach to resolve this upstream)

[simonpasquier]

As I said above, I've been burnt too many times by exec probes. Can we configure kube-rbac-proxy to disable authn/authz for probes?

[simonpasquier]

/livez returns 200 OK currently because the HTTP server returns the home URL. I'd rather have the /livez endpoint implemented before having the change here.

[rexagod]

I've raised a PR for livez here (https://github.com/openshift/cluster-monitoring-operator/pull/2352/files#diff-81cd935cb1786fb907c3e0b33e0ebfde1a209b916aba70217b4a836992a1808aR281): kubernetes/kube-state-metrics#2418.

[rexagod]

(point livenessProbe for the KSM container to it's respective proxied port, this helps us actually restart the container on a probe failure)

[rexagod]

/test e2e-aws-ovn-techpreview

[rexagod]

kubernetes/kube-state-metrics#2418 (comment) is in, and will be included in kubernetes/kube-state-metrics#2419 (v2.13.0).

[rexagod]

Pinging @simonpasquier for one last review here to make sure everything looks good before we release KSMv2.13.0, so all that will be left after that would be merging this.

[openshift-ci]

@rexagod: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[simonpasquier]

We ignore /metrics here because it's used by the readiness probe? It doesn't feel correct since it would mean that any in-cluster actor can read the KSM metrics too?

[rexagod]

Right, even though we've relied on telemetry metrics to check for readiness upstream, nonetheless, exposing that information is susceptible to malicious intent. I'll patch upstream to restrict that information from being exposed and add a dedicated /readyz.

[rexagod]

On second thought, it'd be better to not rely on telemetry endpoints at all and base all probes off of the actual KSM resource metrics server.

[rexagod]

Opened kubernetes/kube-state-metrics#2442.

[simonpasquier]

I don't understand how the e2e tests pass given that the /livez endpoint doesn't exist.

[simonpasquier]

should be /livez?

[rexagod]

May be omitted, I'll patch this up though for it to be consistent with other paths.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-deployment
  namespace: default
  labels:
    app: sample-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: sample-app
  template:
    metadata:
      labels:
        app: sample-app
    spec:
		...
        - containerPort: 80
        livenessProbe:
          httpGet:
            path: healthfoo
            port: 80
			...

Containers:
  sample-container:
    Container ID:   cri-o://736a33ba57ec594200107098015e4d0fd38c03d24e46e65b359bd83e43172095
    Image:          nginx:latest
    Image ID:       docker.io/library/nginx@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Wed, 03 Jul 2024 23:08:25 +0530
    Ready:          False
    Restart Count:  0
    Liveness:       http-get http://:80/healthfoo delay=15s timeout=2s period=5s #success=1 #failure=3
    Readiness:      http-get http://:80/readyz delay=5s timeout=2s period=5s #success=1 #failure=3