WIP: DNM: Hack on kep 3085

[thockin]

I didn't get to review 3085 and there is no good way to add comments to a merged KEP, so I am trying this approach.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: thockin
Once this PR has been reviewed and has the lgtm label, please assign derekwaynecarr for approval by writing /assign @derekwaynecarr in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-node/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[BenTheElder]

Seems like we should have a status for the sandbox overall instead of specifically "has network" ?

I see #3087 (review), but it still seems like the motivation is knowing if the sandbox is ready and because the sandbox is somewhat nebulous I think it's wrong to couple directly to "has network" when we're really looking for "CRI finished sandbox setup"?

[BenTheElder]

But if the user is looking for more granular data on timings, surely a common tracing standard is the answer?

How granular would we eventually go with conditions vs tracing?

[jpbetz]

When I see PodHasNetwork my first thought was that this is a "is the network working right now?" type indicator. Should this be named something like PodNetworkConfigured?

[jpbetz]

I'm concerned about using transition times of different conditions to measure duration of operations. For phases that must be performed in series and that have a guaranteed stable ordering, this would seem okay, but it seems like network configuration could happen in parallel with other steps, maybe as an optimization in the future. Also, in the future, if there needs to be some step after network it looks like it would mess up metrics collection (i.e. if X happens after network configuration, you could end up measuring the latency of network configuration + latency of X).

[jpbetz]

Would something along these lines be viable? If we continued to add monitoring of pod sandbox latencies for other things over time, how far can we go? If we want more granular monitoring, would we be okay with having 10 or even 50 conditions? My hunch is that some type of tracing approach, or some other way to export metrics data scales much better.

[jpbetz]

Are we proposing any in-tree metrics collection? Or is the intention make it possible for 3rd party metrics collection of network configuration? (I'm assuming the later, but wanted to double check)

[thockin]

Hi, I am sorry I didn't see this one before it went in for alpha. I have some real reservations about this at multiple layers.

First, this makes an assumption that I don't think necessarily holds - that network is the last step in setup. You're calling it "has network" but you MEAN "sandbox is done". Why are we mis-naming it?

Second, it's possible that we may yet support multi-network pods in Kube. There's a discussion going in sig-net. If/when that lands, does this now mean "has all networks" or "has one network"?

Third, I am not a fan of Conditions, in general, and this feels like a bit of a force-fit. All thru reading I kept asking "why not use a new field which exists FOR THIS PURPOSE? Conditions are supposed to be orthogonal - not related to each other. Describing them in a sequence means you have defines a state-machine, and that makes a TERRIBLE API.

I really like the main idea (or at least what I interpret as the main idea) - publish information about how long pod startup took and which components ate how much of that time. This feels like a partial answer at best.

Stepping back, we have finalizers and we have readiness gates, which are kind-of oppiste ends, but they both cover time while the pod is running. This KEP is covering time before it is running, but the pattern - "a set of arbitrary check-boxes need to be checked" seems to hold. Can we / should we embrace that?

For example, imagine we kept a list of "steps" with timestamps. Si,ilar to conditions but actually designed for this, no baggage. kubelet could look at the pod at admission and build up a list of the steps it knows (which volumes, which networks, etc). It could record the start and stop times (or just deltas) for each step. This does not assume linearity or concurrency - that's up to kubelet to manage. It's also extensible - so new components could add steps without breaking the published state-machine (which is what this really becomes, as-is).

Lastly - I am still confused about "Initialized". Does that mean "ready to run non-init-containers? It sounds like it is muddy. Would be nice to have a diagram showing the actual timeline, e.g.

|--<scheduled>-|-<admitted>-|-<setup begun>-|-<components...>-|-<setup complete>-|-<initcontainers begun>-|-<initcontainers done>-|-<running>-|-<deleted>-|-<finalizers>--|

So I do not think this KEP shoudl proceed beyond alpha as it is written, at least I feel like I need to understand a whole lot better why these tradeoffs are correct. I am happy to get on a meeting some time (kubecon?) and discuss.

[thockin]

Why is "has network" necessarily the last step? Is that part of a contract I do not know about?

What I mean is: It seems like theres a list (or graph?) of things that have to happen as a pod starts. That list may not be knowable a priori (e.g. a "special" RuntimeClass might maybe have extra steps that a "regular one wouldn't") so I am immediately wary of this sort of statement.

[thockin]

I really like the idea of creating a way to measure the contribution of each "step" to the total startup time of a pod. That said, are all of the steps guranteed to be linear? Or can they happen in parallel (e.g. I can pull an image while I mount volumes and configure network all at the same time)? How do we represent that?

[thockin]

I Have argued in the past that "Ready" is a terrible use of conditions, so I have a problem with using "we did that" as an excuse to do it again. Past mistakes are still mistakes.

[thockin]

I'm not quite buying this - if kubelet is the internal "switchboard" for running messages between plugins, that feels like a purely internal thing - don't make these plugins THEMSELVES update the "pre-readiness gates", make kubelet do it.

[k8s-ci-robot]

@thockin: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[thockin]

FTR: I am not expecting dramatic action on 1.26, given timing, but this CAN NOT proceed to beta without discussion.

[ddebroy]

ack, @thockin. Appreciate the review and the thoughts. I will DM to find a time to meet (virtually or during Kubecon).

I really like the idea of a list of "steps" with timestamps. Similar to conditions but actually designed for this, no baggage. We indeed tried to force-fit our requirement into pod conditions mainly based on the existing Initialized pod condition but deciding not to alter that for compatibility concerns.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[thockin]

@ddebroy what did we decide to do about this?