Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use reflector.Run instead of reflector.ListAndWatch #174

Closed
MaxFedotov opened this issue Nov 12, 2021 · 2 comments · Fixed by #175
Closed

Use reflector.Run instead of reflector.ListAndWatch #174

MaxFedotov opened this issue Nov 12, 2021 · 2 comments · Fixed by #175
Assignees
@MaxFedotov

Comments

@MaxFedotov
Copy link
Collaborator

We recently found out a problem in capsule-proxy when switching to rolebindings reflector to show tenant namespaces. If there are some issues with etcd (for example reelection is triggered) and reflector is unable to watch rolebindings from ApiServer

W1111 15:17:54.839976       1 reflector.go:424] storage/cacher.go:/rolebindings: watch of *rbac.RoleBinding ended with: Internal error occurred: etcdserver: no leader

it doesn't reconnect and watch new rolebindings until resync is triggered by rolebindings-resync-period.

In order to fix it will we had to use reflector.Run function (https://github.com/kubernetes/client-go/blob/v0.22.3/tools/cache/reflector.go#L218), which wraps reflector.ListAndWatch into backoff and will restart reflector in case of error returned
@MaxFedotov MaxFedotov self-assigned this Nov 12, 2021
@MaxFedotov
Copy link
Collaborator Author

Just reproduced this behavior on my local laptop with Kind.

  1. Create kind cluster, install capsule and capsule-proxy
  2. Create tenant and generate tenant owner kubeconfig
  3. Using tenant owner kubeconfig create namespace
kubectl --kubeconfig=hack/alice.kubeconfig create ns oil-foo  
namespace/oil-foo created
  1. It will be visible
 kubectl --kubeconfig=hack/alice.kubeconfig get ns
NAME      STATUS   AGE
oil-foo   Active   7s
  1. exec into capsule-control-plane pod and send SIGHUP to etcd, which will cause it to restart
root@capsule-control-plane:/# kill -HUP $(pidof etcd)
  1. After etcd will be restarted, create new namespace
kubectl --kubeconfig=hack/alice.kubeconfig create ns oil-baz 
namespace/oil-baz created
  1. And try to get them one more time
 kubectl --kubeconfig=hack/alice.kubeconfig get ns
NAME      STATUS   AGE
oil-foo   Active   7s

it will be missing

@MaxFedotov
Copy link
Collaborator Author

and now the same thing, but using reflector.Run instead of reflector.ListAndWatch in this func (https://github.com/clastix/capsule-proxy/blob/master/internal/controllers/role_bindings.go#L95)

  1. Using tenant owner kubeconfig create namespace
kubectl --kubeconfig=hack/alice.kubeconfig create ns oil-foo  
namespace/oil-foo created
  1. It will be visible
kubectl --kubeconfig=hack/alice.kubeconfig get ns
NAME      STATUS   AGE
oil-foo   Active   2s
  1. exec into capsule-control-plane pod and send SIGHUP to etcd, which will cause it to restart
root@capsule-control-plane:/# kill -HUP $(pidof etcd)
  1. After etcd will be restarted, create new namespace
kubectl --kubeconfig=hack/alice.kubeconfig create ns oil-baz 
namespace/oil-baz created
  1. And try to get them one more time
kubectl --kubeconfig=hack/alice.kubeconfig get ns            
NAME      STATUS   AGE
oil-baz   Active   2s
oil-foo   Active   100s

it will be visible :)

@MaxFedotov MaxFedotov mentioned this issue Nov 12, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MaxFedotov MaxFedotov

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: rolebindings reflector must restart watch in case of connection problems wgsateam/capsule-proxy
1 participant
@MaxFedotov