Troubleshooting for job pod finalizers

[alculquicondor]

I see this problem more often than not.

Examples:

• Stuned deleting of a pod whose parents are job. kubernetes#121605
• [Bug] Webhook prevents job controller from removing finalizers kyverno/kyverno#8815

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	46df889
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/6552481bac37260008bef5ea
😎 Deploy Preview	https://deploy-preview-43773--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[kannon92]

/lgtm

I have also seen this.

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 40a7d39e125544dbc92a46672d376f7b87be233e

[kannon92]

We have also updated the Job Tracking KEP as a common fail case. So it seems like a good idea to update the documentation as that has more eyes on it.

[alculquicondor]

/sig apps

[chipzoller]

Calling such webhooks "faulty" is a bit strong here. Sometimes validating or mutating webhooks are configured (by users, either explicitly or implicitly) to match on UPDATE requests for entirely valid and useful purposes. In some cases, this can have undesirable consequences which is the case with just about every thing else.

[alculquicondor]

I changed it to "misconfigured or faulty"

[chipzoller]

It still seems like you're suggesting a webhook which is configured to react to UPDATE requests must be one of either "misconfigured" or "faulty" and that's not true. I get what you're trying to convey, but it could be stated to better reflect the variety of webhooks and their driving use cases. Here's my suggestion:

"Webhooks which are configured to match on UPDATE requests may inadvertently deny an update for a Pod that is already running or finished. This causes kube-apiserver to reject the update to remove the Pod finalizers, preventing the Job controller from making progress. Inspect and disable or modify the webhook or its managing controller's configuration to allow these updates."

[alculquicondor]

This might not be the case of kyverno, but a webhook that tries to add an initContainer to a running or finished Pod (kubernetes/kubernetes#121605) is a faulty webhook, because in under no circumstances that works.

If you configure a webhook to reject Pod updates for existing Pods created before the webhook was installed, that's a misconfiguration in the user side.

[chipzoller]

The webhook, as an API resource, is not the issue here. It's what the service does with the AdmissionReview that it receives as a result of the webhook's configuration. A webhook can only ask for UPDATE ops; it has no logic to do anything with them. Having a webhook which matches on UPDATE to Pods is neither "faulty" nor represents a "misconfiguration." Having logic which attempts to add an initContainer, per your example, based upon the call-back it receives, is "faulty" or does represent a "misconfiguration."

[alculquicondor]

Here I am referring to webhook as the combination the Webhook object and the service that responds to it. I don't think most users make the distinction between the two.

@sftim do you have any guidelines?

[chipzoller]

I think some clarification may be in order lest this paragraph inspire users to go inspect all their webhooks and, upon finding any that match on UPDATE ops, proceed to <project/product> and proclaim it's a bug and shouldn't be there. The guidance is helpful for sure, but more specifics are needed to avoid making wrong assumptions.

[alculquicondor]

See update. I'm still using "webhook" to refer to both, but I mention the CRDs when necessary. Let me know what you think.

[sftim]

It helps readers when concept explanations are as short as we can reasonably make them.

I'd prefer to have the actual advice somewhere in https://kubernetes.io/docs/tasks/debug/debug-application/ and have this page hyperlink to the troubleshooting page.

[alculquicondor]

uhm... it doesn't fit in the existing articles. We would need a new "Debugging Jobs" or "Debugging control plane", which I don't have the time to write now :(

[alculquicondor]

I could put it in "Debugging Pods" as "My pod is stuck in Terminating"

[sftim]

@alculquicondor we can file an issue asking for another (docs) contributor to pick up the baton here. Would that work?

[sftim]

I'm also OK with adding a section to Debugging Pods as an interim thing, and making the Debugging Jobs task page a longer term ambition.

[alculquicondor]

I put it in "Debugging Pods". It might be the most appropriate place long term, after all.

[kannon92]

Suggested change

	`UPDATE` operations. Typically, any container changes are not allowed.
	`UPDATE` operations.

In the https://kubernetes.io/blog/2023/05/12/in-place-pod-resize-alpha/, this is not true anymore.

[alculquicondor]

I guess I can change it by "most", instead of "any".
I don't want to list everything.

[kannon92]

Yea you can take what I say or leave it. Its an alpha feature so the amount of users modified container limts/requests will be very little. Just want to bring up that this could become less true over time.

[kannon92]

Can you update this to say most at least?

I think that over time this statement will become incorrect.

We could update this once in place pod becomes beta/ga if you want.

/lgtm

[alculquicondor]

I rephrased it.

[alculquicondor]

Can I get a review for the last update? As clusters upgrade, they are being hit by these problems.

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: f11b2d8825c2ed5c197f38fa22d86271677f9012

[kannon92]

/lgtm
from tech standpoint.

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: dbab56cfbfdefcc7e6e8f0a3a9eb6bd8763325e7

[sftim]

One more fix please

[sftim]

Suggested change

	and there is an [admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
	and there is an [admission webhook](/docs/reference/access-authn-authz/extensible-admission-controllers/)

[alculquicondor]

Oops, copy-paste problem :)

[sftim]

Thanks

/lgtm
LGTM also from #43773 (comment)

/approve

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 91cb6c17707ad92f615c6e6b2d7f894478413fc8

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/OWNERS [sftim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment