KEP: Finalizer Protection for Service LoadBalancers

[MrHohn]

This KEP proposes the plan for adding finalizer protection for service load balancer. The work has been started a long while back but unfortunately hasn't been delivered yet. We are looking forward to making it happen in 1.15.

Note that many content is derived from the original implementation (kubernetes/kubernetes#54569) of this feature.

Enhancement issue: #980

[MrHohn]

Adding relevant folks for review.

/assign @bowei @andrewsykim @jhorwit2 @jiatongw

[k8s-ci-robot]

@MrHohn: GitHub didn't allow me to assign the following users: jiatongw.

Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

Adding relevant folks for review.

/assign @bowei @andrewsykim @jhorwit2 @jiatongw

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andrewsykim]

Can you split the paragraphs into multiple lines so it's easier to review?

[andrewsykim]

typo protectiion

[MrHohn]

Fixed.

[andrewsykim]

typo cusotmer

[MrHohn]

Fixed.

[andrewsykim]

Would prefixing with networking.kubernetes.io be useful here?

[MrHohn]

Don't have strong opinion here --- is there any naming convention we can follow?

The only finalizers I'm aware of are for volume, which use kubernetes.io: https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/util/finalizer.go

Or one other option is networking.k8s.io? (Following https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/20190125-ingress-api-group.md)

[andrewsykim]

Ah I see. Maybe kubernetes.io is okay then to be consistent with volumes & since it's added to core API?

[andrewsykim]

Wondering if feature gating is necessary here. Can't think of a scenario where you would opt-out of this except for the first version where it's supported. Even if user does a version downgrade, your cluster would break if you forget to remove the feature gate.

[MrHohn]

That's fair point. I was just following the usual lifecycle of a feature gate --- maybe we won't need that for this? Or we can decide when we actually hit beta.

[andrewsykim]

My personal take here is to not do feature gates. I consider this more of a bug fix then an added feature.

[MrHohn]

To be clear, did you mean not doing feature gate for this enhancement at all, or not doing feature gate at beta and after?

I think having a feature gate at least in the initial release might help if anyone would like to turn it on earlier (for the "add finalizer" part).

[andrewsykim]

think having a feature gate at least in the initial release might help if anyone would like to turn it on earlier (for the "add finalizer" part).

Good point 🤔. If we're okay with cleaning up the feature gate after only 1 release then sgtm.

[MrHohn]

Can you split the paragraphs into multiple lines so it's easier to review?

Right, split those into multiple lines.

[zanetworker]

Suggested change

	2. Service resoure deletion is blocked due to the finalizer.
	2. Service resource deletion is blocked due to the finalizer.

[MrHohn]

Fixed.

[zanetworker]

Suggested change

	service that has `type=LoadBalancer`. Upon the deletion of such servicce, the
	service that has `type=LoadBalancer`. Upon the deletion of such service, the

[MrHohn]

Fixed.

[andrewsykim]

Can we add a section for "Risks and Mitigations"? I think we should discuss what happens if user does n+2 upgrade from v1.14 -> v1.16 and then does a downgrade back to v1.14. They would have added finalizers to the Service but then lose the removal logic on the downgrade. To be safe should we alpha for 2 releases or just assume a user would always do n+1 upgrade?

[MrHohn]

Thanks for bringing this up. I was under the impression the supported upgrade order is always 1.n to 1.(n+1)? Ref https://kubernetes.io/docs/setup/version-skew-policy/#supported-component-upgrade-order.

Though should definitely cover that if n+2 upgrade case is valid.

[andrewsykim]

Thanks for bringing this up. I was under the impression the supported upgrade order is always 1.n to 1.(n+1)? Ref https://kubernetes.io/docs/setup/version-skew-policy/#supported-component-upgrade-order.

Yeah I believe officially it is 1 minor version that is supported but in practice/reality it's not uncommon for users to do n+2 :P. At the very least we should cover that in the KEP as a risk IMO even if we choose not to support it.

[MrHohn]

SG, will add a "Risks and Mitigations" section for this.

[MrHohn]

Added now.

[bowei]

We should be careful to not try to support more than what is documented. n+2 is definitely not something that is intended to work.

[MrHohn]

/assign @thockin

[andrewsykim]

Should this be:

- Beta: Finalizer clean up will always be on. Finalizer addition will be on by default but can be disabled via a feature gate.

instead?

[thockin]

I think he's proposing this state for Alpha, and I think it's probably OK.

We could require:

• pre-alpha: cleanup and addition gated, default off
• alpha: cleanup gated, default on; addition gated default off
• beta: cleanup and addition gated, default on
• GA: default on

That seems tedious. The risk of dropping pre-alpha is that people come to depend on the cleanup but we might remove it OR that cleanup causes real problems. Do we think that's signficant? I think it's a calculated risk that shaves a whole release off such a feature...

[MrHohn]

I guess what I meant was exactly what @andrewsykim suggested :)

We were trying to avoid the pre-alpha phase --- having the feature available but completely off by default. I can't easily think of how the cleanup can cause significant problem, as that is trying to remove a specific finalizer that presumably doesn't exist yet.

people come to depend on the cleanup

Not sure if there is other use case, we wanted to enable the cleanup but not the addition just to accommodate the downgrade problem.

[andrewsykim]

We were trying to avoid the pre-alpha phase --- having the feature available but completely off by default. I can't easily think of how the cleanup can cause significant problem, as that is trying to remove a specific finalizer that presumably doesn't exist yet.

Agreed, I think something like this is more ideal (and I think the KEP is supposed to reflect this?):

• pre-alpha / alpha: clean up always on, addition gated with default off
• beta: clean up always on, addition gated default on
• GA: clean up & addition always on

The risk of dropping pre-alpha is that people come to depend on the cleanup but we might remove it OR that cleanup causes real problems.

The biggest risk I think is in trying to change the clean-up logic. If we change it in any breaking way during alpha, we have to wait another release cycle to account for rollbacks. Two releases if we want to account for those users who like to be dangerous and do n+2 version upgrades.

[thockin]

I thought that sequence was what @MrHohn was proposing?

As to waiting another release - that is easy...don't screw up :)

[andrewsykim]

I thought that sequence was what @MrHohn was proposing?

Sorry, I was a bit confused earlier. I think we're on the same page now :)

[thockin]

ANY?

Should this be generic code or cloud-provider code? What happens if someone makes an LB Service in an environment that doesn't implement service LBs. Does that mean they can't delete the Service without manual finalizer removal?

[thockin]

I guess the service controller calls into cloud-provider code anyway, so even if it is a no-op in the provider, the finalizer will be managed?

[MrHohn]

Yep, even in a no-op case we ensure the finalizer is properly managed. So service LB w/ finalizer would have the same lifecycle regardless of the specific cloud provider.

[andrewsykim]

Worth noting that if the provider opts-out of LoadBalancer support, then we don't actually run service controller at all (see here). Does that behavior need to change or can we leave that as-is?

[andrewsykim]

Do we support a service with Type=LoadBalancer if the cloud provider doesn't support it (I think yes)? There can be custom controllers that watch this but maybe they should implement their own finalizer protection?

[MrHohn]

Worth noting that if the provider opts-out of LoadBalancer support, then we don't actually run service controller at all (see here). Does that behavior need to change or can we leave that as-is? Does that behavior need to change or can we leave that as-is?

Thanks, good to know. My thought is we leave that as-ls. In that case creating a LoadBalancer type service will take no effect (from service controller perspective), hence finalizer won't be needed.

There can be custom controllers that watch this but maybe they should implement their own finalizer protection?

Implementing their own finalizer makes the most sense to me --- I imagine custom controller may have distinct pipeline than service controller.

[andrewsykim]

Makes sense to me :) Should we mention this in the KEP somewhere?

[MrHohn]

Sure, will add this in KEP.

[MrHohn]

Added a Other notes section for this.

[thockin]

service.kubernetes.io/load-balancer-cleanup ? Do we have any convention for naming in-system finalizers?

[MrHohn]

For volume we uses kubernetes.io/pvc-protection (ref https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/util/finalizer.go).

load-balancer-cleanup seems good though, as that is more clear what this is for.

[thockin]

harumph. Storage should have used a storage prefix.

[MrHohn]

Agreed, updated to use service.kubernetes.io/load-balancer-cleanup.

[thockin]

I think he's proposing this state for Alpha, and I think it's probably OK.

We could require:

• pre-alpha: cleanup and addition gated, default off
• alpha: cleanup gated, default on; addition gated default off
• beta: cleanup and addition gated, default on
• GA: default on

That seems tedious. The risk of dropping pre-alpha is that people come to depend on the cleanup but we might remove it OR that cleanup causes real problems. Do we think that's signficant? I think it's a calculated risk that shaves a whole release off such a feature...

[jiatongw]

Thoughts on also adding regression tests?

[MrHohn]

Yeah I haven't put much thought on that. Would the existing LB related tests be enough for this purpose?

[jiatongw]

yup I think that's good 👍 thanks.

[jiatongw]

Suggested change

	fully deleted until the correlating load balancing resources are also deleted.
	fully deleted until the correlating load balancing resources are deleted.

this seems better?

[MrHohn]

Thanks, I will apply these and some suggestions above at the next push.

[MrHohn]

Fixed.

[jiatongw]

👍

[jiatongw]

same as above

[MrHohn]

Fixed.

[andrewsykim]

I think it's worth mentioning here also that cloud provider integration is required.

This finalizer will be attached to any service that has `type=LoadBalancer` if the cluster has the cloud provider integration enabled.

[MrHohn]

Thanks, applied.

[andrewsykim]

typo: serivce

[MrHohn]

Fixed.

[thockin]

Is this ready for re-review?

…

On Fri, Apr 26, 2019 at 8:36 PM Andrew Sy Kim ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In keps/sig-network/20190423-service-lb-finalizer.md <#992 (comment)> : > + - The newly created `LoadBalancer` services will have finalizer attached upon + creation. +- Downgrade from with-finailzer version + - All existing `LoadBalancer` service will have the attached finalizer removed + upon the cleanup of load balancing resources. + - The newly created `LoadBalancer` services will not have finailzer attached. + +To ensures that downgrades can happen safely, the first release will include the +"remove finalizer" logic with the "add finalizer" logic behind a gate. Then in a +later release we will remove the feature gate and enable both the "remove" and +"add" logic by default. + +As such, we are proposing Alpha/Beta/GA phase for this enhancement as below: +- Alpha: The finailizer cleanup logic would be on by default while the finalizer +addition logic will be put behind a feature gate that is off by default. +- Beta: Both the cleanup and addition logic will be default on, but allowing I thought that sequence was what @MrHohn <https://github.com/MrHohn> was proposing? Sorry, I was a bit confused earlier. I think we're on the same page now :) — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#992 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABKWAVCHFMIDU7URIWG2LDLPSPC2VANCNFSM4HIGIFAA> .

[MrHohn]

Is this ready for re-review?

Addressed some feedback, PTAL thanks!

[andrewsykim]

/lgtm

I think we should revisit the risks involved with n+2 upgrades after alpha. Maybe we should wait 2 releases just to be safe? SIG Storage folks might have some useful insight there since they had a similar problem with volumes.

[MrHohn]

Thanks folks, I've changed the status to implementable and hoping to get this merged before 1.15 Enhancements Freeze (EOD 4/30). We can add details on design/risk/anything else after.

[thockin]

Thanks!

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewsykim, MrHohn, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-network/OWNERS [thockin]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment