Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consistent reads mitigation #4608

Merged
merged 4 commits into from
May 9, 2024
Merged

Consistent reads mitigation #4608

merged 4 commits into from
May 9, 2024

Conversation

wojtek-t
Copy link
Member

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Apr 30, 2024
@wojtek-t wojtek-t changed the title Consistent reads mitigation [WIP] Consistent reads mitigation Apr 30, 2024
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 30, 2024
@wojtek-t wojtek-t mentioned this pull request Apr 30, 2024
Closed
wojtek-t
wojtek-t commented May 7, 2024
View reviewed changes
Copy link
Member Author

@wojtek-t wojtek-t left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also propagated table for watch requests.

@wojtek-t
Copy link
Member Author

wojtek-t commented May 7, 2024

@p0lyn0mial @serathius

@serathius
Copy link
Contributor

serathius commented May 7, 2024
edited
Loading

I largely agree with @wojtek-t. After further consideration, I don't think a dedicated "SkipCache" API option is necessary in this scenario. We shouldn't view watchcache as a traditional database cache like memcache or varnish. Skipping cache for debugging purposes is suitable for periodically refreshed and invalidated caches to identify corrupted data. It operates under the expectation of consistent results. However, in distributed systems, it's normal to receive different results from concurrent consistent read requests.

In distributed systems like etcd, two concurrent read requests can target different instances, leading to different pathing and arbitrary network delays, allowing for interleaved transactions and reordering. The only way to determine their "real" execution order is by checking the revision returned by etcd. Responses from two different reads should only match when they have the same revision. However, even in medium-sized clusters, there's enough traffic that two concurrent consistent read requests will often return different revisions. To better understand that I recommend reading https://jepsen.io/consistency/models/linearizable

The only way to debug watch cache corruption is to verify if the cached data matches the data in etcd. If you want to use the K8s API for this, the only way is to make two requests that share the same ResourceVersion (RV). This means the correct flow to compare watchcache state to etcd state is:

  1. Make a request without an RV (which will be served from the watch cache).
  2. Follow it with a request that includes the exact RV from the first request and uses ResourceVersionMatch=Exact. (which is served from etcd)

@p0lyn0mial
Copy link
Contributor

My view on this case is that instead of adding a new list option that allows bypassing the cache, we should better test the feature before enabling it globally.

Mainly, my concern is that today, when the feature ConsistentListFromCache is enabled (or any other), it becomes available to all clients simultaneously. In my opinion, we should have a graduation mechanism and initially enable the feature for a specific client, a client with some attribute, or for a percentage of traffic coming to the server. Subsequently, we should gradually increase the number of clients or the percentage of traffic directed to the server until finally enabling the feature for all clients.

Additionally, as @serathius mentioned, we should (especially in CI) have a mechanism for detecting inconsistencies in data by comparing data returned from the cache and directly from etcd. For that we could use the data_consistency_detector by issuing two request to the server.

@wojtek-t wojtek-t force-pushed the consistent_reads_mitigation branch from 9f92967 to 41381be Compare May 8, 2024 11:55
@deads2k
Copy link
Contributor

deads2k commented May 9, 2024

Thank you @wojtek-t and @serathius for taking the time to put together the list, describe the potential debugging flows, and answer questions live. I think I've reached where you are: we should not create a new option for bypassing the watch cache.

While it seems congruent to add a parameter for "bypass watch cache" and it could be useful if the watch cache is misbehaving, such an option is not useful for debugging answers from the watch cache. This is because the wache cache cannot support Exact and etcd cannot support NotOlderThan and that prevents any congruent etcd and watch cache access.

This means that the only debugging flow available is make a watch cache request and then use the existing option RV Exact unset unset. I like the idea of making this an opt-in self-check available in our client as referenced above.

Additionally, as @serathius mentioned, we should (especially in CI) have a mechanism for detecting inconsistencies in data by comparing data returned from the cache and directly from etcd. For that we could use the data_consistency_detector by issuing two request to the server.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 9, 2024
@wojtek-t wojtek-t force-pushed the consistent_reads_mitigation branch from 5612885 to 9cacba8 Compare May 9, 2024 19:15
@wojtek-t wojtek-t changed the title [WIP] Consistent reads mitigation Consistent reads mitigation May 9, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 9, 2024
@wojtek-t
Copy link
Member Author

wojtek-t commented May 9, 2024

@deads2k - I updated the PR to reflect our discussion today, PTAL

@wojtek-t wojtek-t force-pushed the consistent_reads_mitigation branch from 9cacba8 to 9afa3e0 Compare May 9, 2024 19:28
@deads2k
Copy link
Contributor

deads2k commented May 9, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 9, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, wojtek-t

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 9, 2024
@k8s-ci-robot k8s-ci-robot merged commit e2c97c0 into kubernetes:master May 9, 2024
4 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.31 milestone May 9, 2024
@serathius
Copy link
Contributor

Awesome!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@deads2k deads2k deads2k left review comments

@serathius serathius Awaiting requested review from serathius

Assignees

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.31
Development

Successfully merging this pull request may close these issues.
6 participants
@wojtek-t @serathius @p0lyn0mial @deads2k @k8s-ci-robot @liggitt