PV health monitor KEP

[NickrenREN]

Moving kubernetes/community#1484 here

[k8s-ci-robot]

Welcome @NickrenREN!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[cdickmann]

This KEP is quite interesting to me, and I think this topic is quite important, so I am curious about your answers.

Some questions about the goals:
Q1: The goals mention Local PVs several times, but I felt the same health monitoring needs apply to any PV. Remote PVs can also suffer network partitions, temporary failure, permanent failure, IO issues leading to mount issues, etc. What do you think? Would it make sense to update the KEP to be less Local PV centric?
Q2: Do I understand correctly that the purpose of the health reporting is to allow for automated actions to be taken, e.g. by a database operator or Statefulset controller? In contrast to providing insights aimed at human users. it would be great to clarify this in the goals.

I also have some questions/suggestions on the concrete proposal:
Q3: The API change calls for 3 specific taints. Would this be extensible just like Node taints, i.e. would the use of custom taint keys be supported?
Q4: I was curious if you had considered a few more conditions, which I couldn’t map to the currently proposed conditions.

• One would be “evacuation suggested”, which could either be because the underlying provider wishes to perform maintenance and will take back the volume, or because it was detected that the physical media is degrading, and so evacuation may still be possible, but performance may already be impacted.
• Another would be to differentiate “Absent” and “Failed” underlying media when NotUsable it hit. My background is more bare metal software defined storage, and there it is a frequent situation that a physical drive is physically removed, as opposed to having failed. In network attached there is similarly the condition of “network partition” versus media failure. In my experience the distinction matters because the likelihood that a volume comes back from network disconnect is high, while coming back from “failure” is low (turns out it is not 0 though, because IO failures may be related to a bad firmware which a host reset can fix).
• Finally, it may be valuable to expose that a volume is experiencing conditions of “reduced redundancy” or “temporarily reduced performance” due to physical media failure that is being automatically remediated. Applications could choose to direct less traffic to these volumes when possible.

[xing-yang]

Hi @cdickmann, thanks for your comments! In addition to what @NickrenREN has replied to you on Slack, I want to add that I have an action item to add the CSI support in this KEP, which should cover the remote PV part. In general new features will only be added to support CSI drivers.

[richardelling]

in the case of a reserved volume: shared between multiple nodes, but RWO and this node does not own the reservation, do we need such a state? The volume could be functioning perfectly well, but is not available to this node at the moment.

[NickrenREN]

Good question, if the volume itself is problematical, we should definitely taint it.
If the volume is shared between multiple nodes and RWX, and because of network problem or sth like that, it is not available to one specific node, i think we need to taint it, because it may cause data loss.
But if it is RWO, and the node does not own the reservation, IIUC, the volume is healthy and will not lead to data loss, as you mentioned above, it may lead to reduced performance.I prefer not tainting it at first.
It seems that we need to list the specific causes. I will rethink the extension mechanism, and validate if Taint is suitable here.

[cdickmann]

Thanks for the updates. I had some thoughts especially on the CSI portion.

[cdickmann]

Why is it necessary to deploy a new daemon and further add to complexity? Intuitively, it feels to me that this should be able to fit into existing daemons, as it just extends CSI slightly to cover more state. CSI already communicates multiple pieces of state in both directions, and this is a natural extension to me.

[xing-yang]

Currently for every new feature added in kubernetes-csi, a new sidecar container will be added accordingly. For example, we have external-provisioner, external-attacher, external-snapshotter, and external-resizer, etc. This way it is easier to maintain each component, but I do see your point that this adds more complexity as well. I'll think more about this.

[cdickmann]

This seems to define a poll model. Would it also be possible for a push mechanism? I would assume that many storage systems underlying the CSI would actively notice and react to issues, and be able to notify upper layers in an expedient way. Thus, it should be possible for the CSI to communicate this. This is similar to the SCSI device specs, where a physical drive or physical SCSI controller can raise a notification when it detects an issue, so that upper layers can take immediate action. Being expedient can be important for applications that depend on application level replication and needing to know when to kick in rebuilds to reduce downtime.

[xing-yang]

That's a good point. Let me think about this.

[NickrenREN]

Hi, @xing-yang @cdickmann @richardelling
FYI, i updated the KEP, please take a look when you get a chance, thanks

[xing-yang]

If there is only one key and values are in free text form, it will be difficult to add reactions later based on those information. Should we keep the keys such as "VolumeNotAttached" or "VolumeNotMounted" and define a few constant string values, i.e., VOLUME_DELETED, FILESYSTEM_CORRUPTED? Maybe allow user to define their own custom values too but those will always have "NoEffect".

[xing-yang]

We can keep this here. In the case of multi-attach, it is easier to check on each node as discussed earlier.

[xing-yang]

new RPC GetVolume()

[serathius]

Pull based method for fetching utilization makes sense, but for status changes (health) maybe we should consider push?

[xing-yang]

Push based method is brought up in the section "HTTP(RPC) Service". We didn't adopt that approach as the main proposal because CSI uses pull based method. I'll add some clarification there.

[msau42]

For a push model, can the node agent define some RPC service that CSI drivers can call out to?

@serathius can you point to any existing design that uses a push based model?

[xing-yang]

In the current CSI spec, I don't see a push model. Therefore the design is based on a pull model. We can ask about it at the CSI community meeting during the CSI spec review. If a push model is possible, we can come back to update the KEP later.

[serathius]

What is node failure event here? Can you give example?
Assuming that this is some k8s event on node object, does it mean that it will be coping events from Node to PVC?

[xing-yang]

This refers to a node down event. So the monitoring controller will be checking if the node is still up and only report event when the node is down. I'll reword this section to clarify.

[xing-yang]

Is network storage being handled differently than local volumes for this case?
How do you detect that a PVC for network storage is on that node?

Yes, it is handled differently. For local volumes, we can figure out what local volumes are on a particular node. So an event can be reported for every PVC affected. For network storage, we will only report a general node down event, not specific to any volume. Added clarifications.

[msau42]

Is network storage being handled differently than local volumes for this case?
How do you detect that a PVC for network storage is on that node?

Yes, it is handled differently. For local volumes, we can figure out what local volumes are on a particular node. So an event can be reported for every PVC affected. For network storage, we will only report a general node down event, not specific to any volume. Added clarifications.

What object is the node down event reported on? Also how will you tell the difference between a local volume vs network volume?

[xing-yang]

What object is the node down event reported on? Also how will you tell the difference between a local volume vs network volume?

For local storage, @NickrenREN said there is a way to tell what volumes are on that node. So this will be reported on the PVC objects.
For all other storage, we don't really have an object to report the event. So maybe we can only log a message. I'll drop the event part for this one.
In the external controller sidecar, we should know the driver name. Based on that we can tell whether it is local storage or not.

[msau42]

A controller sidecar calling to a CSI driver goes through localhost. I don't think you can detect network errors that way?

[xing-yang]

I said "conditions that cannot be reported by a CSI driver" on line 83 so I meant CSI driver cannot report a network failure. Maybe I should just remove it to avoid confusion.

[msau42]

The diagram seems a little out of date after addressing the comments. Should we remove it for now?

[xing-yang]

Sure

[msau42]

The proposal is not actually doing the health or mount checks right? The proposal is about providing a mechanism for plugins to report volume health/errors.

[xing-yang]

Yes, will modify this.

[msau42]

Yeah we can discuss the error codes in more detail during CSI spec review

[msau42]

For a push model, can the node agent define some RPC service that CSI drivers can call out to?

@serathius can you point to any existing design that uses a push based model?

[msau42]

When there's a local volume CSI driver, I'm not sure how the controller will be able to tell the difference between network and local.

One possibility is to track which pods are using which PVCs and what nodes they got scheduled to?

[xing-yang]

Sure.

[msau42]

typo: tunable

[xing-yang]

Fixed.

[msau42]

still see typo

[msau42]

Does the node agent actual check for mounts? Or is it the responsibility of the driver?

Maybe we should just say to provide a way for CSI drivers to report volume health problems at the controller and node levels.

[xing-yang]

Yeah, driver will check it. I'll reword this.

[msau42]

Are these "other errors" things that a CSI driver would not be able to detect?

[xing-yang]

This refers to errors the CSI drivers can detect. I'll reword.

[msau42]

still see typo

[msau42]

Would this be watching Node status?

[xing-yang]

Yes, it will watch node status. In addition I think we also need to ping the node as it could be an unplanned shut down.

[msau42]

It would be nice to be more specific about the test cases, what error scenarios will we be testing? What drivers are we going to use to test?

Also, any plan for stress/scale tests?

[xing-yang]

Updated.

[xing-yang]

@msau42 comments addressed. PTAL. Thanks.

[msau42]

There's already NodeLease objects that kubelet periodically updates (like a heartbeat). We could possibly use that, but even then, I'm still not sure why we cannot just rely on the NodeController to mark the Node as unhealthy when the NodeLease is stale. It seems like we're crossing over responsibilities here.

[xing-yang]

Fixed

[xing-yang]

Squashed commits into 1.

[msau42]

/lgtm

[xing-yang]

/assign @saad-ali

[saad-ali]

/approve

Overall I like that this KEP has reduced scope to just creating events (inform user) no programmatic response. That makes it easier to implement. I'm still concerned about encoding error codes in CSI, but we can go over that in the CSI API review.

[saad-ali]

Enumerating the failure types as error codes in CSI makes me worry. Are we going to be able to capture all possible use cases for all possible storage systems? How will we handle backwards compat?

The main reason to have error codes (as opposed to opaque strings) is to enable programmatic response. Like the existing CSI error codes we should detail the expected recovery behavior for each error code that may help us reduce to a minimum set.

[xing-yang]

Sure. Let's discuss more in the CSI API review.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: msau42, NickrenREN, saad-ali

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-storage/OWNERS [saad-ali]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[blackgold]

will the volume health event be attached to the pod using the volume?

[NickrenREN]

@blackgold yes, we are planning to do this, track issue: kubernetes-csi/external-health-monitor#10