On Thu, 2021-01-28 at 22:17 -0500, jay vyas wrote:
> Hi folks !!!!
>
> We recently hit a codepath difference in how CNI is leveraged in
> containerd, for windows, wherein the IP address of a pod is created
> (by a cni provider) but not really ready yet (because of the timing
> of how the containerd->cni vs cri setup and ordering for windows
> sets up "Vnics").
We would expect the CNI plugin not return a Result to the runtime until
the container has connectivity. It's more complicated than that
(depending on how much visiblity the CNI plugin has into the full
network) but as far as the plugin is reasonably able to determine
container network readiness, this is what it should do.
> In any case, we were wondering wether or not theres anyone using
> the cni check api call, to checkin periodically on the health of IP
> addresses, to potentially use that info to kill off containers which
> wound up getting a corrupted device attachment.
CRIO used to do this, based on kubelet's ~30 second PodSandboxStatus
CRI requests. These days however, it just caches the network result and
returns that instead of calling check. I think that's a mistake, and
I'm working with the CRIO team to change that behavior back to
periodically calling CNI CHECK.
Your understanding above is the more-or-less the intention of CHECK.
It's not intended to replace the Kubernetes application-level health
check, but simply to determine (to the best extent possible) if the
container's networking is alive.
If a pod sandbox restart will solve the problem, then CHECK should
return an error. If it wouldn't solve the problem, then CHECK shouldn't
do anything.
eg, if the node's load balancer isn't working, a random container
restart won't solve that problem, so CHECK probably shouldn't poke the
node LB for liveness.
> In the windows scenario, this might be the only way to build large
> scale CNIs that support Containerd for k8s, so it would be a pretty
> cool paradigm to potentially adopt.
Why is that? Are we not able to reliably determine the container's
specific network resources are allocated and set up on Windows?
> So, just looking for any initial thoughts on how folks use the CNI
> check API, and wether this might not be too-crazy of an idea to try
> out ?
CHECK should return an error to the runtimem when the container's
network is unhealthy, and a container restart can do something about
that unhealthiness.
It's up to the runtime to plumb CHECK through in some useful way, and
most of them have done that via PodSandboxStatus CRI call.
Dan