New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
reduce configmap and secret watch of kubelet #99393
reduce configmap and secret watch of kubelet #99393
Conversation
return | ||
} | ||
|
||
go wait.Forever(func() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this PR works.
The fact the secrets whenever changed re automatically updated to all pods mounting them:
https://kubernetes.io/docs/concepts/configuration/secret/#mounted-secrets-are-updated-automatically
Means that they are periodically checked if nothing changed.
So this PR doesn't work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The following uses configmap as an example. The secret is the same as the configmap,
The configmap is used in the following two places:
- Used by a container as volume.
- Information in the configmap is injected to the container as environment variables.
For the configmap volume, we expect that the watch link can be maintained. Therefore, we set maxIdleTime to three times the value of resyncInterval. (Each resyncInterval period, VolumeManager queries the configmap information, lastAcquiredTime will be updated.)
For the configmap used by environment variables, it is expected that after the container is created, the kubelet can disconnect the watch link for the configmap.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK - I see what you're saying now - that makes sense.
(we can argue if three times resyncInterval isn't too small - I would feel more comfortable with something higher, but that's a minor thing)
But this kind of change for sure deserves a test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If a ConfigMap or Secret is only used to set container environment variables, why watch it at all?
/retest |
/priority important-longterm waiting on author for @wojtek-t's comments |
0a243e6
to
2e1ddc6
Compare
/retest |
@wojtek-t I have perfected the code. And I tested on the 4000-node cluster. This solution can significantly reduce the number of watches. Could you help me to review the code again? |
8e86aeb
to
afd27c9
Compare
@wojtek-t Thanks for your suggestions, I have modified the code based on the review comments. |
/retest |
store := manager.NewObjectCache(listObj, watchObj, newObj, isImmutable, schema.GroupResource{Group: "v1", Resource: "secrets"}) | ||
|
||
fakeClock := clock.NewFakeClock(time.Now()) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: remove this empty line
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not done yet
afd27c9
to
dba1b3e
Compare
@chenyw1990: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
||
item.lock.Lock() | ||
defer item.lock.Unlock() | ||
select { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: you can just return item.stopped
here (instead of checking channels)
store := manager.NewObjectCache(listObj, watchObj, newObj, isImmutable, schema.GroupResource{Group: "v1", Resource: "secrets"}) | ||
|
||
fakeClock := clock.NewFakeClock(time.Now()) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not done yet
c6d5d6a
to
390be42
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some very minor comments.
390be42
to
57a3b0a
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: chenyw1990, wojtek-t The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
In a large cluster, if a large number of pods reference configmap/secret as environment variables, kubelet will generate a lot of watches for configmap and secret, and kube-apiserver will use too much memory due to too many watches.
Although we have added Immutable features, in real usage scenarios, many configmaps are not marked as Immutable.
Which issue(s) this PR fixes:
Fixes #98660
Special notes for your reviewer:
@wojtek-t
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: