[Calico] Fix delay setting up ip routes in new nodes #4589
Conversation
…CALICO_K8S_NODE_REF in calico-node, this commit fixes kubernetes#3224 and kubernetes#4533
k8s-ci-robot
added
cncf-cla: yes
|
This is awesome, thanks for your work on this @felipejfc. /ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
We've been dealing with this for awhile too so I'll give this a test as well. |
| @@ -469,8 +469,8 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri | |||
| key := "networking.projectcalico.org" | |||
| versions := map[string]string{ | |||
| "pre-k8s-1.6": "2.4.2-kops.1", | |||
| "k8s-1.6": "2.6.7-kops.1", | |||
| "k8s-1.7": "2.6.7-kops.1", | |||
| "k8s-1.6": "2.6.8-kops.1", | |||
There was a problem hiding this comment.
We just need to update the suffix here: (ie 2.6.7-kops.2)
There was a problem hiding this comment.
the reason that I bumped the version to 2.6.8 is that if I didn't, then existing clusters would not get the current deployment and daemonset updated
There was a problem hiding this comment.
Right but 2.6.8 would imply a different image which is not the case, just a config change, right? I agree with @robinpercy. We shouldn't need to bump the version, just the kops.1 -> kops.2 number
|
/assign robinpercy |
…nt the suffix and little docs improvement
|
version in now fixed @robinpercy @mikesplain |
|
Awesome! Thanks @felipejfc, I'm going to test this locally now! |
|
Thanks @felipejfc! |
k8s-ci-robot
added
the
lgtm
|
I'm having issues testing this at the moment, will circle back tomorrow, but I think this should solve my issue too. Thanks so much for the contribution! /lgtm |
|
I was able to get a test through of this and it worked great! Thanks so much @felipejfc and @caseydavenport! |
|
/assign @chrislovecnm |
docs/networking.md
Outdated
| #### Calico troubleshooting | ||
| ##### New nodes are taking minutes for syncing ip routes and new pods on them can't reach kubedns | ||
| This is caused by nodes in the Calico etcd nodestore no longer existing. Due to the ephemeral nature of AWS EC2 instances, new nodes are brought up with different hostnames, and nodes that are taken offline remain in the Calico nodestore. This is unlike most datacentre deployments where the hostnames are mostly static in a cluster. Read more about this issue at https://github.com/kubernetes/kops/issues/3224 | ||
| This has been solved in kops 1.8.2, when creating a new cluster no action is needed, but if the cluster was created with a prior kops version the following actions should be taken: |
There was a problem hiding this comment.
This will need to be update to kops 1.9.0
docs/networking.md
Outdated
| This is caused by nodes in the Calico etcd nodestore no longer existing. Due to the ephemeral nature of AWS EC2 instances, new nodes are brought up with different hostnames, and nodes that are taken offline remain in the Calico nodestore. This is unlike most datacentre deployments where the hostnames are mostly static in a cluster. Read more about this issue at https://github.com/kubernetes/kops/issues/3224 | ||
| This has been solved in kops 1.8.2, when creating a new cluster no action is needed, but if the cluster was created with a prior kops version the following actions should be taken: | ||
| * Use kops to update the cluster ```kops update cluster <name> --yes``` and wait for calico-kube-controllers deployment and calico-node daemonset to be updated | ||
| * Delete all calico-node pods in kube-system namespace, so that they will be recreated with the new env CALICO_K8S_NODE_REF and update the current nodes in etcd |
There was a problem hiding this comment.
Can we give kubectl command?
There was a problem hiding this comment.
I did it manually and right now I have no time to think of a command that would do everything :/, maybe @mikesplain or @caseydavenport have a script for that?
There was a problem hiding this comment.
Actually, I would suggest just rolling over the whole cluster... Deleting the pods could create temporary connectivity loss couldn't it? I drain and roll the cluster anytime I need to change core daemonsets like this.
There was a problem hiding this comment.
actually not, I always do kubectl delete pods -n kube-system -l "k8s-app=calico-node" --force --grace-period=0
deleting calico-node pods does not delete the iptables rules and interfaces that were already created, so no problem on that.
There was a problem hiding this comment.
@chrislovecnm you mean kubectl command to delete calico-node pods or to delete the invalid nodes in etcd storage, the later is the one I have no time to provide, the first one is in my comment above
There was a problem hiding this comment.
@felipejfc Fair enough! I wasn't certain. I have a script/container open sourced that we could use: https://github.com/mikesplain/calico-clean/blob/master/calico-clean.sh
Would just need to convert https://github.com/mikesplain/calico-clean/blob/master/CronJob.yaml into a one time job.
There was a problem hiding this comment.
Do we need to delete the calico-node pods in a second step? Won't upgrading the cluster trigger a rolling update due to the env change?
If not couldn't we enable rolling update on the daemonset and then it would?
Deleting all workload pods shouldn't be necessary (nor should rolling the whole cluster).
There was a problem hiding this comment.
I aggre it should be ok to add a rolling update strategy @caseydavenport, what do you guys think @mikesplain @chrislovecnm @robinpercy
There was a problem hiding this comment.
Personally, I've never used rolling update strategy on daemonset. I could see cases when upgrading an entire cluster would trigger a daemonset upgrade which may not be intended on older nodes... We could put it behind a config value or something. I have mixed feelings... Thoughts @chrislovecnm @robinpercy ?
There was a problem hiding this comment.
It should only trigger when changes are made to the DaemonSet (not other things in the cluster) so I suspect it's OK and desirable.
We enable it by default in upstream Calico manifests.
docs/networking.md
Outdated
| This has been solved in kops 1.8.2, when creating a new cluster no action is needed, but if the cluster was created with a prior kops version the following actions should be taken: | ||
| * Use kops to update the cluster ```kops update cluster <name> --yes``` and wait for calico-kube-controllers deployment and calico-node daemonset to be updated | ||
| * Delete all calico-node pods in kube-system namespace, so that they will be recreated with the new env CALICO_K8S_NODE_REF and update the current nodes in etcd | ||
| * Decommission all invalid nodes, [see here](https://docs.projectcalico.org/v2.6/usage/decommissioning-a-node) |
There was a problem hiding this comment.
Should we just recommend rolling the cluster?
There was a problem hiding this comment.
it will have a higher overhead rolling update the cluster, what do you think if I just point it as an alternative?
|
should it be ported also for canal? https://github.com/kubernetes/kops/blob/master/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.8.yaml.template |
|
I guess that the damage this does to clusters using Canal is smaller @ese due to flannel doing the routing part (right?), still I don't see why not port it... |
|
@felipejfc If you want to open the canal change, I'd make it a separate PR so we can get this one through, and likely that one will move quicker once we figure out a few of these details :) |
k8s-ci-robot
removed
the
lgtm
|
so, I've applied an updateStrategy to calico-node daemonset (as per @caseydavenport recommendation), removed the "delete calico-node pods" step from the docs as its no longer necessary and updated the "fixed on" version to 1.9.0 |
|
Great! Thanks so much @felipejfc and @caseydavenport! /lgtm Mind taking a look again @chrislovecnm |
k8s-ci-robot
added
the
lgtm
|
/lgtm We need to reference the doc in the release notes. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chrislovecnm, felipejfc, mikesplain, robinpercy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Same as PR #4588 but with latest changes from master