Kubernetes: What is "reconciliation"?

July 28, 2019

Technology

14k

Kubernetes: What is "reconciliation"?

A very brief exploration of what we mean when we talk about reconciliation in the context of Kubernetes APIs and controllers.

This is mostly animation-style pictures, so don't be afraid of the length of it :)

Tim Hockin

July 28, 2019

Tweet

More Decks by Tim Hockin

See All by Tim Hockin

Kubernetes Pod Probes

Go Workspaces for Kubernetes

Code Review in Kubernetes

Multi-cluster: past, present, future

Kubernetes Controllers - are they loops or events?

Kubernetes Network Models (why is this so dang hard?)

KubeCon EU 2020: SIG-Network Intro and Deep-Dive

A Non-Technical Kubernetes Talk (KubeCon EU 2020)

Bringing Traffic Into Your Kubernetes Cluster

Other Decks in Technology

See All in Technology

dx_osarai_about_connection

今後の開発規模拡大、QA人材を爆速で立ち上げる

APIによるレガシーシステムの改善

モノリスからの脱却に向けた物流システムリプレイスの概要紹介 / Towards Decentralized Logistics System Replacement from Monolithic Structure

Virtual Threads - 導入の背景と、効果的な使い方 -

人工知能学会 AI哲学マップ・総括セッション講演資料

Head toward Java 20 and Java 21

line_developers

ジェネレーティブAIとの共創

Riverpodに機能追加したときの話

バクラクのAI-OCR機能の体験を支える良質なデータセット作成の仕組み / data-centric-ai-bakuraku-dataset

2023.06.01_LangChain/Llamaindex/Whisperを使ったアプリケーション開発のまとめと展望

async-profilerによるスタックトレースタイムトラベル - Kafkaのパフォーマンス問題調査での応用例

line_developers

Featured

See All Featured

Helping Users Find Their Own Way: Creating Modern Search Experiences

A Tale of Four Properties

The Mythical Team-Month

個人開発の失敗を避けるイケてる考え方 / tips for indie hackers

実際に使うSQLの書き方徹底解説 / pgcon21j-tutorial

Into the Great Unknown - MozCon

What’s in a name? Adding method to the madness

productmarketing

ピンチをチャンスに：未来をつくるプロダクトロードマップ #pmconf2020

Navigating Team Friction

Why Our Code Smells

Art, The Web, and Tiny UX

The World Runs on Bad Software

Transcript

Google Cloud Platform
Kubernetes: What is
“reconciliation”?
Tim Hockin
@thockin

View Slide
Google Cloud Platform
Assume there’s a cloud API to make shapes.
Why shapes? It’s just concrete enough to reason about,
while not getting stuck in the details.

View Slide
Google Cloud Platform
API

View Slide
Google Cloud Platform
Make shape “Foo”
- type: Square
- color: Red
API

View Slide
Google Cloud Platform
API
Foo

View Slide
Google Cloud Platform
This API is ﬁne, but I want to wrap it into a declarative
system (e.g. Kubernetes)

View Slide
Google Cloud Platform
K8s API

View Slide
Google Cloud Platform
K8s API
kubectl create shape “Foo”
- type: Square
- color: Purple

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Red

View Slide
Google Cloud Platform
K8s API
Make shape “Foo”
- type: Square
- color: Red
kind: Shape
name: Foo
type: Square
color: Red

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Red

View Slide
Google Cloud Platform
The controller will keep my Kubernetes object in sync with
the underlying API

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Red

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Red
kubectl edit shape “Foo”
- type: Square
- color: Purple

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
Update shape “Foo”
- color: Purple

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
This is what we call “reconciliation”. Speciﬁcally, this is
uni-directional reconciliation.
What happens if...

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
Delete shape Foo

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
The shape I wanted has inadvertently been removed by a
human or other system.
If we only reconcile in one direction, we will never ﬁx it!
We need to observe that the underlying state has changed
and re-assert the state we want.

View Slide
Google Cloud Platform
K8s API
Make shape “Foo”
- type: Square
- color: Purple
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
We usually call this bi-directional reconciliation.
But it gets funkier. What if...

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
Create shape Bar
- type: Circle
- color: Red

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
Bar

View Slide
Google Cloud Platform
What should the controller do?
Does it expect to have exclusive use of all shapes? If so,
clean up!
Does it expect to share the shapes API with other users?
If so, leave it alone!
Right?

View Slide
Google Cloud Platform
I said it gets funkier. What if...

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
CRASH

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
CRASH
kubectl delete shape
“Foo”

View Slide
Google Cloud Platform
K8s
Foo
API
CRASH

View Slide
Google Cloud Platform
K8s
Foo
API
RECOVER

View Slide
Google Cloud Platform
K8s
Foo
API

View Slide
Google Cloud Platform
The controller missed the deletion of the shape, but as we
saw earlier, it ignored things it doesn’t know.
This is a LEAK!

View Slide
Google Cloud Platform
The controller has to know which shapes it owns and
which it doesn’t.
HOW to do that depends on the API. Examples:
● Special name preﬁxes
● Metadata (labels, tags, description)
● Controller-speciﬁc checkpoints

View Slide
Google Cloud Platform
K8s API
RECOVER
Foo
labels:
owner: k8s

View Slide
Google Cloud Platform
K8s API
List shapes where
owner=k8s
Foo
labels:
owner: k8s

View Slide
Google Cloud Platform
K8s API
Foo
Foo
labels:
owner: k8s

View Slide
Google Cloud Platform
K8s API
Foo
labels:
owner: k8s
I don’t have a
“Foo”

View Slide
Google Cloud Platform
K8s API
Delete shape “Foo”
Foo
labels:
owner: k8s

View Slide
Google Cloud Platform
K8s API

View Slide
Google Cloud Platform
This is sometimes called the “list-watch” pattern.
Now the controller will keep things it owns in sync and
ignores other things.
What if...

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple
Foo
labels:
owner: k8s

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple
Create shape Bar
- type: Circle
- color: Red
- labels:
- owner: k8s
Foo
labels:
owner: k8s

View Slide
Google Cloud Platform
K8s
Foo
labels:
owner: k8s
API
kind: Shape
name: Foo
type: Square
color: Purple
Bar
labels:
owner: k8s

View Slide
Google Cloud Platform
K8s API
List shapes where
owner=k8s
Foo
labels:
owner: k8s
Bar
labels:
owner: k8s
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s API
Foo
labels:
owner: k8s
Bar
labels:
owner: k8s
kind: Shape
name: Foo
type: Square
color: Purple
Foo
Bar

View Slide
Google Cloud Platform
K8s API
Foo
labels:
owner: k8s
Bar
labels:
owner: k8s
kind: Shape
name: Foo
type: Square
color: Purple
I don’t have a
“Bar”

View Slide
Google Cloud Platform
K8s API
Delete shape “Bar”
Foo
labels:
owner: k8s
Bar
labels:
owner: k8s
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s API
Foo
labels:
owner: k8s
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
Note that while doing a full reconciliation at startup is
necessary, it is not suﬃcient.
Good controllers will reconcile against underlying APIs
continuously or at least periodically.

View Slide
Google Cloud Platform
How does this apply to real life?
This pattern is found in almost every case where
Kubernetes layers on top of some other API. Examples:
● Cloud load-balancers for Services & Ingress
● Cloud disks for PersistentVolumes
● iptables rules for Services
● Running containers for Pods

View Slide
Google Cloud Platform
Sadly, not every controller gets this right.
While every controller should strive for complete
reconciliation, sometimes the underlying API makes it very
hard or expensive or even just impossible.
:(

View Slide
Google Cloud Platform
There are some techniques that can mitigate the lack of
mechanisms to denote ownership (or augment them).

View Slide
Google Cloud Platform
Finalizers

View Slide
Google Cloud Platform
K8s API

View Slide
Google Cloud Platform
kubectl create shape “Foo”
- type: Square
- color: Purple
K8s API

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s API
Patch shape “Foo”
- finalizer: shapes
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s API
Make shape “Foo”
- type: Square
- color: Purple
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s
Foo
API
CRASH
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s
Foo
API
CRASH
kubectl delete shape
“Foo”
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s
Foo
API
CRASH
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes
deletionTimestamp
is set, but finalizer
prevents removal of
the object

View Slide
Google Cloud Platform
K8s
Foo
API
RECOVER
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
The controller observes the pending deletion of the shape.

View Slide
Google Cloud Platform
K8s API
Delete shape “Foo”
Foo
labels:
owner: k8s
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s API
Patch shape “Foo” to
remove finalizer
kind: Shape
name: Foo
type: Square
color: Purple
finalizers:
- shapes

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple
deletion can be
completed

View Slide
Google Cloud Platform
K8s API

View Slide
Google Cloud Platform
CustomResources

View Slide
Google Cloud Platform
K8s API

View Slide
Google Cloud Platform
kubectl create shape “Foo”
- type: Square
- color: Purple
K8s API

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s API
Create ShapeRef “Foo”
- ownerReference: Foo
kind: Shape
name: Foo
type: Square
color: Purple

View Slide
Google Cloud Platform
K8s API
kind: Shape
name: Foo
type: Square
color: Purple
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s API
Make shape “Foo”
- type: Square
- color: Purple
kind: Shape
name: Foo
type: Square
color: Purple
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s
Foo
API
kind: Shape
name: Foo
type: Square
color: Purple
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s
Foo
API
CRASH
kind: Shape
name: Foo
type: Square
color: Purple
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s
Foo
API
CRASH
kubectl delete shape
“Foo”
kind: Shape
name: Foo
type: Square
color: Purple
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s
Foo
API
CRASH
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s
Foo
API
RECOVER
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s
Foo
API
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
The controller did not observe the deletion of the Shape,
but it does observe the dangling ShapeRef.

View Slide
Google Cloud Platform
K8s API
Delete shape “Foo”
Foo
labels:
owner: k8s
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s API
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s API
Delete shaperef “Foo”
kind: ShapeRef
name: Foo

View Slide
Google Cloud Platform
K8s API

View Slide
Google Cloud Platform
In most of these mechanisms, there’s some amount of
“you broke it, you bought it”.
If a user deletes the ShapeRef or removes the ﬁnalizer or
edits the underlying metadata, the linkage can be broken.
You broke it, you get to keep the pieces.

View Slide