-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3886ffa
commit 8d76ecc
Showing
14 changed files
with
908 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,178 @@ | ||
/* | ||
Copyright 2020 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package controllers | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/pkg/errors" | ||
clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha3" | ||
"sigs.k8s.io/cluster-api/controlplane/kubeadm/internal" | ||
"sigs.k8s.io/cluster-api/util/conditions" | ||
"sigs.k8s.io/cluster-api/util/patch" | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
) | ||
|
||
// reconcileUnhealthyMachines handles KubeadmControlPlane unhealthyMachine reconciliation. | ||
func (r *KubeadmControlPlaneReconciler) reconcileUnhealthyMachines(ctx context.Context, c *internal.ControlPlane) (ret ctrl.Result, retErr error) { | ||
logger := r.Log.WithValues("namespace", c.KCP.Namespace, "kubeadmControlPlane", c.KCP.Name, "cluster", c.Cluster.Name) | ||
|
||
// Gets all machines that have `MachineHealthCheckSucceeded=False` (indicating a problem was detected on the machine) | ||
// and `MachineOwnerRemediated` present, indicating that KCP is responsible of performing remediation as owner of the machine. | ||
unhealthyMachines := c.UnhealthyMachines() | ||
|
||
// If there are no unhealthy machines, return so KCP can proceed with other operations (ctrl.Result nil). | ||
if len(unhealthyMachines) == 0 { | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
// Select the machine to be remediated, which is the oldest machine marked as unhealthy. | ||
// NOTE: The current solution is considered acceptable for the most frequent use case (only one unhealthy machine), | ||
// however, in the future this could potentially be improved for the scenario where more than one unhealthy machine exists | ||
// by considering which machine has lower impact on etcd quorum. | ||
machineToBeRemediated := unhealthyMachines.Oldest() | ||
|
||
// Returns if the machine is already being remediated | ||
if !machineToBeRemediated.ObjectMeta.DeletionTimestamp.IsZero() { | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
patchHelper, err := patch.NewHelper(machineToBeRemediated, r.Client) | ||
if err != nil { | ||
return ctrl.Result{}, err | ||
} | ||
|
||
defer func() { | ||
// Always attempt to Patch the Machine conditions after each reconcileUnhealthyMachines. | ||
if err := patchHelper.Patch(ctx, machineToBeRemediated, patch.WithOwnedConditions{Conditions: []clusterv1.ConditionType{ | ||
clusterv1.MachineOwnerRemediatedCondition, | ||
}}); err != nil { | ||
logger.Error(err, "Failed to patch control plane Machine", "machine", machineToBeRemediated.Name) | ||
if retErr == nil { | ||
retErr = errors.Wrapf(err, "failed to patch control plane Machine %s", machineToBeRemediated.Name) | ||
} | ||
} | ||
}() | ||
|
||
// Before starting remediation, run preflight checks in order to verify it is safe to remediate. | ||
// If those checks are failing, we surface the reason why remediation is not happening into the MachineOwnerRemediated condition | ||
// and then we return so KCP can proceed with other operations (ctrl.Result nil). | ||
|
||
desiredReplicas := int(*c.KCP.Spec.Replicas) | ||
|
||
// The cluster MUST have spec.replicas >= 3, because this is the smallest cluster size that allows any etcd failure tolerance. | ||
if desiredReplicas < 3 { | ||
logger.Info("A control plane machine needs remediation, but the number of desired replicas is less than 3. Skipping remediation", "UnhealthyMachine", machineToBeRemediated.Name, "Replicas", desiredReplicas) | ||
conditions.MarkFalse(machineToBeRemediated, clusterv1.MachineOwnerRemediatedCondition, clusterv1.WaitingForRemediationReason, clusterv1.ConditionSeverityWarning, "KCP can't remediate if there are less than 3 desired replicas") | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
// The number of replicas MUST be equal to or greater than the desired replicas. This rule ensures that when the cluster | ||
// is missing replicas, we skip remediation and instead perform regular scale up/rollout operations first. | ||
if c.Machines.Len() < desiredReplicas { | ||
logger.Info("A control plane machine needs remediation, but the current number of replicas is lower that expected. Skipping remediation", "UnhealthyMachine", machineToBeRemediated.Name, "Replicas", desiredReplicas, "CurrentReplicas", c.Machines.Len()) | ||
conditions.MarkFalse(machineToBeRemediated, clusterv1.MachineOwnerRemediatedCondition, clusterv1.WaitingForRemediationReason, clusterv1.ConditionSeverityWarning, "KCP waiting for having at least %d control plane machines before triggering remediation", desiredReplicas) | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
// The cluster MUST have no machines with a deletion timestamp. This rule prevents KCP taking actions while the cluster is in a transitional state. | ||
if c.HasDeletingMachine() { | ||
logger.Info("A control plane machine needs remediation, but there are other control-plane machines being deleted. Skipping remediation", "UnhealthyMachine", machineToBeRemediated.Name) | ||
conditions.MarkFalse(machineToBeRemediated, clusterv1.MachineOwnerRemediatedCondition, clusterv1.WaitingForRemediationReason, clusterv1.ConditionSeverityWarning, "KCP waiting for control plane machine deletion to complete before triggering remediation") | ||
return ctrl.Result{}, nil | ||
} | ||
|
||
// Remediation MUST preserve etcd quorum. This rule ensures that we will not remove a member that would result in etcd | ||
// losing a majority of members and thus become unable to field new requests. | ||
if c.IsEtcdManaged() { | ||
canSafelyRemediate, err := r.canSafelyRemoveEtcdMember(ctx, c, machineToBeRemediated) | ||
if err != nil { | ||
conditions.MarkFalse(machineToBeRemediated, clusterv1.MachineOwnerRemediatedCondition, clusterv1.RemediationFailedReason, clusterv1.ConditionSeverityError, err.Error()) | ||
return ctrl.Result{}, err | ||
} | ||
|
||
if !canSafelyRemediate { | ||
logger.Info("A control plane machine needs remediation, but removing this machine could result in etcd loosing quorum. Skipping remediation", "UnhealthyMachine", machineToBeRemediated.Name) | ||
conditions.MarkFalse(machineToBeRemediated, clusterv1.MachineOwnerRemediatedCondition, clusterv1.WaitingForRemediationReason, clusterv1.ConditionSeverityWarning, "KCP can't remediate this machine because this could result in etcd loosing quorum") | ||
return ctrl.Result{}, nil | ||
} | ||
} | ||
|
||
if err := r.Client.Delete(ctx, machineToBeRemediated); err != nil { | ||
conditions.MarkFalse(machineToBeRemediated, clusterv1.MachineOwnerRemediatedCondition, clusterv1.RemediationFailedReason, clusterv1.ConditionSeverityError, err.Error()) | ||
return ctrl.Result{}, errors.Wrapf(err, "failed to delete unhealthy machine %s", machineToBeRemediated.Name) | ||
} | ||
|
||
logger.Info("Remediating unhealthy machine", "UnhealthyMachine", machineToBeRemediated.Name) | ||
conditions.MarkFalse(machineToBeRemediated, clusterv1.MachineOwnerRemediatedCondition, clusterv1.RemediationInProgressReason, clusterv1.ConditionSeverityWarning, "") | ||
return ctrl.Result{Requeue: true}, nil | ||
} | ||
|
||
// canSafelyRemoveEtcdMember assess if it is possible to remove the member hosted on the machine to be remediated | ||
// without loosing etcd quorum. | ||
// | ||
// The answer mostly depend on the existence of other failing members on top of the one being deleted, and according | ||
// to the etcd fault tolerance specification (see https://github.com/etcd-io/etcd/blob/master/Documentation/faq.md#what-is-failure-tolerance): | ||
// - 3 CP cluster does not tolerate additional failing members on top of the one being deleted (the target | ||
// cluster size after deletion is 2, fault tolerance 0) | ||
// - 5 CP cluster tolerates 1 additional failing members on top of the one being deleted (the target | ||
// cluster size after deletion is 4, fault tolerance 1) | ||
// - 7 CP cluster tolerates 2 additional failing members on top of the one being deleted (the target | ||
// cluster size after deletion is 6, fault tolerance 2) | ||
// - etc. | ||
func (r *KubeadmControlPlaneReconciler) canSafelyRemoveEtcdMember(ctx context.Context, c *internal.ControlPlane, machineToBeRemediated *clusterv1.Machine) (bool, error) { | ||
logger := r.Log.WithValues("namespace", c.KCP.Namespace, "kubeadmControlPlane", c.KCP.Name, "cluster", c.Cluster.Name) | ||
|
||
workloadCluster, err := r.managementCluster.GetWorkloadCluster(ctx, client.ObjectKey{ | ||
Namespace: c.Cluster.Namespace, | ||
Name: c.Cluster.Name, | ||
}) | ||
if err != nil { | ||
return false, errors.Wrapf(err, "failed to get client for workload cluster %s", c.Cluster.Name) | ||
} | ||
|
||
// Gets the etcd status | ||
// NOTE: We are using etcd as a source of truth, because the MHC notion of machine unhealthy might be different than | ||
// the etcd member healthy definition. | ||
// This makes it possible to have a set of etcd members status different from the MHC unhealthy/unhealthy conditions. | ||
etcdStatus, err := workloadCluster.EtcdStatus(ctx) | ||
if err != nil { | ||
return false, errors.Wrapf(err, "failed to get etcdStatus for workload cluster %s", c.Cluster.Name) | ||
} | ||
|
||
currentTotalMembers := len(etcdStatus) | ||
|
||
targetTotalMembers := currentTotalMembers - 1 | ||
targetQuorum := targetTotalMembers/2.0 + 1 | ||
targetUnhealthyMembers := 0 | ||
for _, etcdMember := range etcdStatus { | ||
// skip the machine to be deleted because it won't be part of the target etcd cluster | ||
if etcdMember.Name == machineToBeRemediated.Name { | ||
continue | ||
} | ||
if !etcdMember.Responsive { | ||
logger.Info("An additional etcd member is reporting unhealthy status while remediation a machine", "MachineToBeRemediated", machineToBeRemediated.Name, "EtcdMember", etcdMember.Name) | ||
targetUnhealthyMembers++ | ||
} | ||
} | ||
|
||
if targetTotalMembers-targetUnhealthyMembers >= targetQuorum { | ||
return true, nil | ||
} | ||
return false, nil | ||
} |
Oops, something went wrong.