kubernetes.io/cluster/CLUSTER_NAME tag missing from EIPs, NAT GWs, S3 buckets and R53 zones #458
Comments
I haven't found upstream docs for the tag, but this suggests that tag is for resources we expect Kubernetes to take over and manage for us. Is that true for all of the resources which currently lack this tag? I think we need to find upstream docs for the tag, and then make the argument for each resource individually. |
|
@wking who could we talk to that could shed some light on the appropriateness of adding the kubernetes.io/cluster/CLUSTER_X tag to objects not intended for kubernetes usage. really, what i'm looking for is "one true tag" so that i could search and see everything in AWS related to CLUSTER_X. |
I think |
|
yes. any object created by the cluster during runtime (eg PVs, security groups, ELBs) don't get the tectonicClusterID tag. |
So what do we need to update so that those get tagged? I guess other repos should be pulling the tag information out of the install-config we push into |
|
This (I think) is setting the tag for workers created by the machine-API operator. Do you know who's creating the untagged resources? If not, can you give me more information about them, e.g. what ELB is untagged? |
AWS resources created by the cluster (e.g. the machine-API operator creating workers) are currently missing the tectonicClusterID tag [1], which makes cleanup difficult. This helper makes it easy for those external tools to set the appropriate tags without needing local logic to generate them. [1]: openshift#458 (comment)
|
@wking for the PVs, it's the kubernetes storage class provisioner @ironcladlou can you give some details on which code is creating the ELBs/security groups that weren't being found by the uninstaller? |
AWS resources created by the cluster (e.g. some elastic load-balancers) are currently missing the tectonicClusterID tag [1], which makes cleanup difficult. This helper makes it easy for those external tools to set the appropriate tags without needing local logic to generate them. [1]: openshift#458 (comment)
|
To reproduce, create a service like: Here's a starting point upstream for understanding how k8s creates the resources in a given cloud provider to manifest such a service. |
|
Thanks for the code link :). It looks like folks creating services should be setting |
|
@wking so i looked at the annotation and it does indeed work as advertised (it even tagged the security group associated with the load balancer as well). the problem is that end users are free to create the service load balancers, and they are free to leave them untagged. this of course complicates cleaning up the cluster for deprovisioning. talking this over with some people it was suggested that having an admission server catch the service object creations could then add the annotations as needed. but this functionality doesn't exist today. i also looked at the options for getting custom tagging working on the PV/storage classes. i didn't find anything like what is possible with the service load balancers. |
This is not something we can solve completely via tagging. For example, someone with an AWS cluster might create GCE resources for some task. There's no way we're going to have our AWS-cleanup logic reap that for them. I think the solution to this sort of thing is to require users to spin down anything they've created on their own before they call our delete logic. Of course, the more we tag where our cleanup logic can find it, the less they'll have to manually spin down. So I'm in favor of comprehensive tagging. I just think getting user-created resources tagged is a nice-to-have and not a must-have. On the
|
It does sound reasonable to insert a step to delete all non-protected projects/namespaces as an early step. But I think this does still leave us exposed if the cluster itself is dysfunctional (ie the PR that we're doing CI against broke the cluster in some strange way).
I certainly don't have a comprehensive (nor non-comprehensive ;) list of the kinds of objects the cluster can create during normal lifecycle, but I would treat the lack of tagging as a bug and get that component to behave like the rest of the system.
I worry for the operations team that would have to look at UUID tags in the AWS console :). I suppose the names of the objects would help the 'browsing the AWS console' usecase, but using the UUID here would certainly avoid the naming collisions. |
|
So something to keep in mind is that very soon the cluster-ingress-operator is going to be enabled by default, which means that a LoadBalancer service is going to come out of the box with new AWS installs. This service will be untagged. Here's the service manifest. Questions:
|
#465 was my take for "please annotate, and get the annotations from
I'm new to this space, but surely someone has had to unwind a cluster on AWS before now, right? |
Well, in the context of our new installer and operators, I guess not, since I've been the one discovering and reporting these issues. 😁 |
|
Broken clusters get deleted, often, so I'm hesitant to even bother with the effort of cleanup via unwinding over the Kube API. This doesn't seem like it will be reliable enough to solve the problem. Falling back to uninstall by OR'ing tags would be my preferred backup plan, though we will return to needing a way to pre-specify cluster UUID to the installer, but that should be minor. However do we have a compelling reason why we cannot tag all resources with the kubernetes.io/cluster/NAME? The comment on the tag definition here https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/providers/aws/tags.go#L34 indicates that it's just to differentiate multiple clusters in one account, in which case our use case here seems acceptable. This feels like best available option, more resilient and simple cleanup, less UUID concerns, a lot less work than API driven unwind. |
Why do we need a way to pre-specify cluster UUID? Currently the installer generates a UUID and pushes it into the cluster for operators to find and use. What does a pre-generated UUID give you beyond that?
We have concerns about the uniqueness scope of the cluster name. I'm ok pushing |
|
/cc @legionus @dmage @coreydaley this is something we need to consider when creating storage buckets for the registry on s3+gcs. |
Hive runs the installer in a pod, it may fail and have partially created a cluster before we were able to push the metadata/UUID back to the API server. It is not idempotent and if you just re-run again, you get resources recreated and a big mess to clean up. Per last arch call we have to cleanup any extraneous resources for a cluster before we launch an install again. If we can provide the UUID, we no longer have a situation where the install fails before we can get the UUID, or the UUID upload itself fails, we always know what we need to clean up and can retry reliably. However this is not required if we can tag everything with the kube cluster ID.
I think we should be safe to work on the assumption that cluster names are unique enough within one AWS account. We're going to have some safeguards to prevent problems in Hive, and it probably would be possible to have the installer try to prevent this as well by looking for similarly tagged resources in the account. |
Depending on how robust you need to be, there are at least two ways to address this:
Looking for an existing cluster with a given name, not finding it, and then creating a cluster with that name is going to be racy. Is there a way to lock an AWS account against cluster creation to prevent two folks from trying to simultaneously create a.example.com and a.example.org in the same account? I'd much rather stick to UUIDs for this sort of thing, where the likelihood of collision is vanishingly small. Or use names and just tell users that they get to police collisions on their own and keep the pieces if they collide. |
|
Earlier today, @abhinavdahiya was asking for specifics on whether the destroy leakage caused by missing tags was happening now. @ironcladlou says they're seeing it in CI for both openshift/cluster-ingress-operator#52 and openshift/cluster-dns-operator#38. |
|
If we want to use We can add sematics like the cluster-name is We can program the dns names and other user oriented stuff use only the |
|
Provided it is configured in the cluster provider so all post-install LBs PVs etc get tagged with this as their cluster ID, clustername-random would be pretty good from my POV. It's possible it will end up clustername-random-random as GenerateName may be used for some clusters created in Hive, we're not sure if Dedicated will need to use this yet or not, but either way it should be fine. This would give us the one cluster ID that can be used to fully deprovision. Is the tectonicClusterUUID necessary anymore with this in play? |
That could work, although 5 characters is not that big a space ;). What about As an example of name-uniqueness collisions in real life, @ironcladlou and @sallyom have both hit: when switching regions within a single AWS account (and presumably not updating their cluster name). @sallyom said:
|
|
For the S3 issue specifically, I think we can just drop the bucket name. But it's an example of the same cluster name being used for two regions in the same account. |
Alex gave the history behind our previous bucket name [1]:
We should probably just fix the creation of the S3 bucket since we
no longer rely on CNAMEs (which required the S3 bucket to match the
domain name).
But now we can just let AWS pick a random bucket name for us. This
avoids issues like [2]:
DEBUG error getting tags for bucket %!s(*string=0xc4207d0268): BucketRegionError: incorrect region, the bucket is not in 'us-east-2' region
status code: 301, request id: , host id: , skipping...
on destroy when the tag lookup finds a bucket of the same name in
another region.
I've also dropped the no-longer-used S3Bucket validator.
[1]: openshift#359 (comment)
[2]: openshift#458 (comment)
It is not cluster name collision, see the commit for details openshift/hive@32cde50
it will be fine :P we want enough uniqueness that single user does not collide. |
|
What has been decided on this? Do I update the uninstaller to key off of kubernetes.io/cluster, or is there another approach we should be taking with the uninstaller that can capture resources created inside and outside of the installer? |
|
Agreed appending a 5 char suffix should be more than sufficient for colliding cluster names in one account, which you shouldn't be doing at all. Can we move forward with this @wking ? If so, can we pass in the value or do you want to generate it? Will it appear in the metadata file? Should it fully replace tectonic UUID that is there today? |
|
After discussing today with @abhinavdahiya, we think a reasonable approach would be to update the hive package to remove resources matching either the I've started in on converting the hive code from AND-ing the tags to OR-ing the tags, and have a few minor clean-up PRs in the pipe so far. Does this sound reasonable? |
|
Ok, openshift/hive#47 has a moderately-ugly (but hopefully working ;) OR implementation. Once that lands (if the approach looks sound), I can update the installer to delete resources matching either |
|
@wking what do you think about calling hive destroy twice in installer? One for tectonicclusterid, another sweep for |
They need to be simultaneous, in case a resource tagged one way blocks deletion of a resource tagged the other way. You could do that with goroutines here, but I prefer openshift/hive#47, because it allows for future optimization (the |
…deletion We're having trouble getting our resources tagged consistently, with elastic IPs, NAT gateways, etc. missing kubernetes.io/cluster/<name> [1]. Meanwhile, the ingress operator will be creating elastic load balancers that lack tectonicClusterID [2]. This change deletes everything we can find with either tag while we sort out something cleaner. [1]: openshift#458 (comment) [2]: openshift#458 (comment)
…deletion We're having trouble getting our resources tagged consistently, with elastic IPs, NAT gateways, etc. missing kubernetes.io/cluster/<name> [1]. Meanwhile, the ingress operator will be creating elastic load balancers that lack tectonicClusterID [2]. This change deletes everything we can find with either tag while we sort out something cleaner. [1]: openshift#458 (comment) [2]: openshift#458 (comment)
…deletion We're having trouble getting our resources tagged consistently, with elastic IPs, NAT gateways, etc. missing kubernetes.io/cluster/<name> [1]. Meanwhile, the ingress operator will be creating elastic load balancers that lack tectonicClusterID [2]. This change deletes everything we can find with either tag while we sort out something cleaner. [1]: openshift#458 (comment) [2]: openshift#458 (comment)
|
closing. this was solved by adding/changing the functionality of the uninstaller to receive a list of key=values and attempting deletes on any matching tags openshift/hive#47 |
|
Reopening, because I think openshift/hive#47 and #535 are more of a temporary stopgap than a permanent fix ;). We should figure out a consistent way to tag AWS resources and get back to a single approach. And we should figure out a way to set the user-specified tags on our resources too (#465 or similar). |
|
I believe we finished making sure everything that can be tagged is tagged. So closing. |
Version
Platform (aws|libvirt|openshift):
aws
What happened?
After installation, I see some objects are tagged with kubernetes.io/cluster/CLUSTER_NAME and some aren't. Specifically, I've noticed that EIPs, NAT Gateways, S3 buckets, and Route53 zones are missing the above tag.
What you expected to happen?
I expect the tags applied to objects during installation to be consistent.
How to reproduce it (as minimally and precisely as possible)?
The text was updated successfully, but these errors were encountered: