Support tainting all nodes needing update during rolling update

[johngmyers]

Adds a per-instancegroup option to taint all nodes needing update near the start of a rolling update. The expectation is that this would only be enabled on instancegroups which have autoscaling enabled and which have workloads which can tolerate waiting for scale-up if needed.

Extends the InstanceGroup API to support configuration of the rolling update strategy. Extends the Cluster API to support per-cluster defaults for same. The configuration options are behind the new ConfigurableRollingUpdate feature flag, which defaults to off.

In order to limit the damage should the new instance specification produce instances which fail validation, in the case where there are no existing instances with the current spec the strategy will first cordon and update a single instance, waiting until its replacement validates before tainting the rest.

Fixes #7958

[k8s-ci-robot]

Hi @johngmyers. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[johngmyers]

/area rolling-update

[johngmyers]

/kind feature

[zetaab]

/ok-to-test

[johngmyers]

Per comment in #7902, cordoning will cause the nodes to be taken out of the AWS ELB's group, so this will need to take a gentler approach to making the nodes unschedulable. I would still appreciate feedback on the approach to doing configuration of strategies.

/hold

[johngmyers]

/hold cancel

[johngmyers]

/retest

[johngmyers]

/test pull-kops-e2e-kubernetes-aws

[johngmyers]

/test pull-kops-verify-staticcheck

[johngmyers]

/test pull-kops-e2e-kubernetes-aws

[johngmyers]

Let me know if I should rebase and clean up the commit stream.

[justinsb]

Not 100% sure about this name - should this be "cordon"? Maybe preTaint or taintAllFirst?

Though I do see exactly how you came up with this name ... my suggestions don't specify that we only do instances that we are rolling. We could optimize the name for the common case, where we are rolling all the instances in the group - it's only when an update was interrupted that it won't be all of them (I think!)

What about if we state the intent, rather than the mechanism: avoidRepeatedPodScheduling or something along those lines?

OTOH, maybe this doesn't matter, because I would actually expect we treat unspecified as true once we are happy, because it seems the right strategy (I think!)

[johngmyers]

We taint instead of cordon because cordoning can take the node out of rotation of the AWS ELB. Not a good thing to happen to all the nodes of an instancegroup.

I have a pending PR for allowing an external process to nominate nodes for updating, for example if they are older than site policy permits. Also, cluster autoscaler could add new nodes between spec update and rolling update. So interruption of rolling update isn't necessarily the only case where not all nodes in the instancegroup need updating.

It would be unfortunate if someone enabled this on an instancegroup that doesn't have autoscaling (or 100% surging), so I think having some indication to the admin that tainting will happen is desirable.

[justinsb]

Do we need a featureflag, or can we rely on the idea that if users don't specify the field it won't get activated?

[johngmyers]

I think it would be a good idea to have a featureflag until we have the whole set of features in. Then we might consider whether we want to consolidate some of the settings.

[justinsb]

This looks like it's tainting each node before draining?

I understand why it's in the loop, but see the next comment. It might be easier to use PreferNoSchedule, and then we might not need to wait for the first successful new node.

I do wonder if we should undo the tainting on failure, but as these nodes no longer map to an InstanceGroup, we probably should keep them tainted, reflecting their true state.

[johngmyers]

Currently kops doesn't uncordon a node on a failed drain. The only automated way to recover is to do another rolling update to complete the update.

In case the instance spec is reverted, we might add code to ensure that nodes with our taint are considered NotReady and thus updated on a subsequent rolling update. But this feature is likely to be only enabled on instancegroups with cluster autoscaler enabled, so that will eventually remove them for being underused.

[justinsb]

Oh - this is clever :-)

It does get more complicated if we start rolling multiple nodes and/or temporarily creating more nodes ("surge upgrades"), but I guess in all cases we just wait for the first.

We can also "soft taint" the nodes ("preferred" not "forbidden'), so that the scheduler will still schedule pods back to the old nodes if something goes wrong. This also allows for e.g. if something goes wrong concurrently with the nodes and we start losing them. I don't know if we should rely on that or this "wait for success before tainting" approach?

[johngmyers]

Yes, for both MaxUnavailable and MaxSurge, I intend to also have this toe-dipping behavior. You really don't want a whole fleet of dead surged instances. Especially if it takes two or three tries to get a working spec.

[justinsb]

It's normally fine not to worry about this, or just do node(s), but this does look better!

[justinsb]

This is where we could use TaintEffectPreferNoSchedule, instead of the more complex "wait for one" heuristic.

[johngmyers]

We could also do both...

The downside of a soft taint is that it would not cause cluster autoscaler to step in and create new instances.

The one thing I haven't figured out is how to get the overprovisioning pods evicted from the tainted nodes, so the pods can perform their intended function. Unfortunately, the requiredDuringSchedulingRequiredDuringExecution anti-affinity isn't implemented. Perhaps the rolling update code needs to search for and preemptively delete them.

[justinsb]

I was going to say it would be good to log the patch so we knew CreateTwoWayMergePatch was doing what we thought, but then I saw you have a test - even better 👍

[justinsb]

This looks really great @johngmyers thanks so much & sorry about the delays!

A few comments that I've posted above:

• field naming, as is always the case. I suggested naming to focus on the intent ("avoiding repeated pod bounces") and optimizing for the common case where all the machines in an instancegroup are rolling.
• I wonder if we should just "soft" taint the old nodes with PreferNoSchedule, and then maybe we don't need the "wait for one" logic. Though I do like that!
• I don't know if we need the featureflag, if users have to specify the field explicitly. But OTOH I also want to make it the default, and have the field unspecified turn on this behaviour - but I recognize we don't necessarily want to do that on day 1.

The name of the field is the only thing that's not really changeable, so that's the only real blocker in my view. (I know it's annoying because it's probably the least important thing technically). Just to throw out a strawman, I'd be happy with avoidPodRescheduling if that name makes sense for you? But really anything intent based...

[johngmyers]

I think the first thing to decide is whether it should be a hard or soft taint.

If it's soft, then there probably isn't a need for a setting at all. We could just do this always, including for masters. With hard, the setting is needed for instancegroups without either cluster autoscaling or 100% surging.

The disadvantage of soft is that it's less effective at avoiding the repeating pod rescheduling. Cluster autoscaler won't create new nodes until all the old ones are filled to capacity.

We could have the setting choose between hard/soft instead of hard/none.

[johngmyers]

I think it makes sense to proceed with soft tainting for now. There is the possibility of later adding a setting for choosing between soft and hard tainting, should we need it.

[johngmyers]

/test pull-kops-e2e-kubernetes-aws

[geojaz]

I don't see any dealbreakers here. if we can get aligned on our labels and naming, i'm +1

[geojaz]

Perhaps .../rolling-update-in-progress?

[olemarkus]

I'd use something like /scheduled-for-update

[geojaz]

i'm on board with that

[johngmyers]

Changed

[geojaz]

we haven't worried about this yet, (as per jsb's comment) but i'd be happy to see this pulled out to a util function somewhere. I'd be happy to use a helper like this as we build out GCE support.

[geojaz]

pretty much the only thing I don't like is the naming here. I would prefer something like taintOutdatedNodes, but i'm not a hard no, it just feels awkward to me.

[justinsb]

Tip (that I am a recent convert to): Using if err := foo(); err != nil { return err } avoids problems with variable shadowing (though it really confuses the go static analysis tools, and it only works when it's a single error retval!)

[johngmyers]

Thanks, I'll try it out.

[justinsb]

Thanks @johngmyers - this is really a great improvement

/approve
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johngmyers, justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rifelpet]

/retest