Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

plumb context with request deadline #96901

Merged
merged 2 commits into from Jan 28, 2021
Merged

plumb context with request deadline #96901

merged 2 commits into from Jan 28, 2021

Conversation

tkashem
Copy link
Contributor

@tkashem tkashem commented Nov 27, 2020
edited by liggitt

What type of PR is this?

/kind bug

What this PR does / why we need it:
plumb context with request deadline: A request deadline is:

  • the timeout specified in the request URL
  • 60s is the default if the above is not present.

Plumbing:

  • as soon as a request is received by the apiserver, determine the timeout duration of the request and set a new request context with the appropriate deadline.
  • the timeout filter that times out non-long-running requests uses the request context with a deadline from above (as opposed to a fixed 60s wait today)
  • admission layer uses the same request context from above
  • storage layer uses the same request context to talk to etcd

This approach is:

  • more correct way of setting up a request deadline (as soon as it arrives to the apiserver)
  • more maintainable - the request deadline is setup inside a server filter and is used throughout. No other layer (storage or admission layer) needs to parse timeout from the request URI.

We use the default timeout enforced by the apiserver:

  • if the user has specified a timeout of 0s, this implies no timeout on the user's part.
  • if the user has specified a timeout that exceeds the maximum deadline allowed by the apiserver.

If the user specifies an invalid timeout duration specifier in the request URL then the request is failed with HTTP 400 and it is audited.

Does this PR introduce a user-facing change?:

Requests with invalid timeout parameters in the request URL now appear in the audit log correctly.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/bug Categorizes issue or PR as related to a bug. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 27, 2020
@k8s-ci-robot k8s-ci-robot added area/apiserver area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Nov 27, 2020
@tkashem
Copy link
Contributor Author

tkashem commented Nov 27, 2020

/retest

@tkashem
Copy link
Contributor Author

tkashem commented Nov 27, 2020

/retest

@tkashem tkashem changed the title [WIP] plumb context with request deadline plumb context with request deadline Nov 29, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 29, 2020
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 30, 2020
tkashem
tkashem commented Nov 30, 2020
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/filters/fail_with_audit.go Outdated
return errorHandler
}

return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
Copy link
Contributor Author

@tkashem tkashem Nov 30, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this above handler has been copied from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authn_audit.go#L35-L58 and made reusable, any server filter that appears before the audit filter can use it to audit a failed request.

If this looks good then I am happy to open a follow up PR to replace authn_audit.go.

@tkashem
Copy link
Contributor Author

tkashem commented Nov 30, 2020

Hi @liggitt, I have addressed your feedback from #96061. Please review when you have time.

@tkashem
Copy link
Contributor Author

tkashem commented Nov 30, 2020

/assign @liggitt @sttts @deads2k @smarterclayton

sttts
sttts reviewed Jan 28, 2021
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/filters/timeout.go Outdated
t.handler.ServeHTTP(w, r)
return
}

timeout := r.Context().Done()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: timeoutCh

sttts
sttts reviewed Jan 28, 2021
View reviewed changes
staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go Outdated
@@ -76,7 +73,7 @@ func createHandler(r rest.NamedCreater, scope *RequestScope, admit admission.Int
}
}

ctx, cancel := context.WithTimeout(req.Context(), timeout)
ctx, cancel := context.WithTimeout(req.Context(), requestTimeout)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this needs explanation. Why is it good to put a 34s here now?

@sttts sttts added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Jan 28, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Jan 28, 2021
sttts
sttts reviewed Jan 28, 2021
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/config.go Outdated
// context with deadline. The go-routine can keep running, while the timeout logic will return a timeout to the client.
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc)

// WithRequestDeadline sets a deadline for the request context appropriately
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this comment can go

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 28, 2021
@tkashem
apiserver: plumb context with request deadline
e416c9e 
- as soon as a request is received by the apiserver, determine the
  timeout of the request and set a new request context with the deadline.
- the timeout filter that times out non-long-running requests should
  use the request context as opposed to a fixed 60s wait today.
- admission and storage layer uses the same request context with the
  deadline specified.

we use the default timeout enforced by the apiserver:
- if the user has specified a timeout of 0s, this implies no timeout on the user's part.
- if the user has specified a timeout that exceeds the maximum deadline allowed by the apiserver.
@tkashem
apiserver: add e2e tests for request context deadline
df7a890
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 28, 2021
@sttts
Copy link
Contributor

sttts commented Jan 28, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 28, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts, tkashem

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 28, 2021
@tkashem
Copy link
Contributor Author

tkashem commented Jan 28, 2021

/retest

@k8s-ci-robot k8s-ci-robot merged commit 0bf2618 into kubernetes:master Jan 28, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Jan 28, 2021
@openshift-ci-robot openshift-ci-robot mentioned this pull request Feb 3, 2021
Merged
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. release-note-none Denotes a PR that doesn't merit a release note. labels Mar 27, 2021
@tkashem tkashem mentioned this pull request Mar 29, 2021
Closed
@liggitt liggitt mentioned this pull request Jul 27, 2021
Merged
@openshift-ci-robot openshift-ci-robot mentioned this pull request Sep 7, 2021
Merged
@tkashem tkashem mentioned this pull request Oct 26, 2021
Open
@openshift-ci-robot openshift-ci-robot mentioned this pull request May 6, 2022
Merged
@JohnRusk JohnRusk mentioned this pull request Jan 16, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@liggitt liggitt liggitt left review comments

@caesarxuchao caesarxuchao Awaiting requested review from caesarxuchao

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@sttts sttts

@smarterclayton smarterclayton

@deads2k deads2k

@MikeSpreitzer MikeSpreitzer

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@tkashem @fedebongio @sttts @k8s-ci-robot @liggitt @smarterclayton @deads2k @MikeSpreitzer