Bug 1894667

Summary: [release 4.5] cluster-openshift-controller-manager-operator: Fix bug in reflector not recovering from "Too large resource version"
Product: OpenShift Container Platform Reporter: Lukasz Szaszkiewicz <lszaszki>
Component: openshift-controller-managerAssignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA QA Contact: wewang <wewang>
Severity: high Docs Contact:
Priority: high    
Version: 4.5CC: adam.kaplan, aos-bugs, gmontero, mfojtik, palonsor
Target Milestone: ---   
Target Release: 4.5.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: devex
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: An upstream kubernetes bug resulted in the API client not recovering reasonably quickly after recovery from a tcp-reset. Since controllers/operators inherently maintain client connections to the api server, they could be impacted by this. Consequence: Client logs could be flooded with "Timeout: Too large resource version errors" when connectivity was lost and and then regained. Fix: The upstream kubernetes 1.18 fix was pulled into samples operator 4.5.z Result: openshift-controller-manager operator is no longer susceptible to this hot loop of errror messages.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-17 16:06:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1879901    

Description Lukasz Szaszkiewicz 2020-11-04 18:06:33 UTC 
A recent fix in the reflector/informer https://github.com/kubernetes/kubernetes/pull/92688 prevents components/operators from entering a hotloop and stuck.

There are already reported cases that have run into that issue and were stuck for hours or even days. For example https://bugzilla.redhat.com/show_bug.cgi?id=1877346.

The root cause of the issue is the fact that a watch cache is initialized from the global revision (etcd) and might stay on it for an undefined period (if no changes were (add, modify) made). 
That means that the watch cache across server instances may be out of sync. 
That might lead to a situation in which a client gets a resource version from a server that has observed a newer rv, disconnect (due to a network error) from it, and reconnect to a server that is behind, resulting in “Too large resource version“ errors.

More details in https://github.com/kubernetes/kubernetes/issues/91073 and https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1904-efficient-watch-resumption


It looks like the issue only affects 1.18. According to https://github.com/kubernetes/kubernetes/issues/91073#issuecomment-652251669 the issue was first introduced in that version by changes done to the reflector. 
The fix is already present in 1.19.


Please make sure that cluster-openshift-controller-manager-operator and its operands are using a client-go that includes https://github.com/kubernetes/kubernetes/pull/92688 if not please use this BZ and file a PR.
In case you are using a framework to build your operator make sure it uses the right version of the client-go library.
Comment 5 wewang 2020-11-06 09:18:29 UTC 
Verified in 
4.5.0-0.nightly-2020-11-05-223728

Steps
1. disconnect one node for a few minutes
sh-4.2# cat > test.sh << EOF
> ifconfig ens3 down
> sleep 300
> ifconfig ens3 up
> EOF
sh-4.2$ ./test.sh

2. After recovered the node connect, check logs of pods in openshift-controller-manager-operator, no issue about "Timeout: Too large resource version"  
[wewang@wangwen ~]$ oc logs -f pod/openshift-controller-manager-operator-55f49cc48f-ffksz -n  openshift-controller-manager-operator  |grep "Timeout: Too large resource version"
Comment 8 errata-xmlrpc 2020-11-17 16:06:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.19 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5051