Skip to content

Return NotFound for unknown pod names#11540

Merged
adleong merged 2 commits intomainfrom
alex/not-found-grpc
Nov 1, 2023
Merged

Return NotFound for unknown pod names#11540
adleong merged 2 commits intomainfrom
alex/not-found-grpc

Conversation

@adleong
Copy link
Member

@adleong adleong commented Oct 26, 2023

Fixes #11065

When an inbound proxy receives a request with a canonical name of the form hostname.service.namespace.svc.cluster.domain, we assume that hostname is the hostname of the pod as described in https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-hostname-and-subdomain-fields. However, pods are also addressable with pod-ip.service.namespace.svc.cluster.domain. When the destination controller gets a profile request of this form, we attempt to find a pod with hostname of pod-ip and return an error with gRPC status Unknown since this will not exist.

It is expected that this profile lookup will fail since we cannot have service profiles for individual pods. However, returning a gRPC status Unknown for these requests brings the reported success rate of the destination controller down. Instead we should return these as gRPC status NotFound so that these responses don't get reported as server errors.

@adleong adleong requested a review from a team as a code owner October 26, 2023 22:05
mateiidavid
mateiidavid reviewed Oct 27, 2023
View reviewed changes
Copy link
Member

@mateiidavid mateiidavid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Simple and straight to the point. I tested it and it works well.

One tiny suggestion. The change is made in getEndpointByHostname() which in turn will be called from getOrNewPodPublisher. In the latter, we are already formatting the error (see the linked snippet)

linkerd2/controller/api/destination/watcher/pod_watcher.go

Lines 277 to 283 in 29e6683

if hostname != "" {
pod, err = pw.getEndpointByHostname(hostname, service)
if err != nil {
return nil, fmt.Errorf("failed to get pod for hostname %s: %w", hostname, err)
}
ip = pod.Status.PodIP
} else {

This yields the following error message:

:; go run controller/script/destination-client/main.go -token "{}" -path 10-23-0-37.nginx-svc.default.svc.cluster.local:80  -method getProfile
FATA[0000] rpc error: code = NotFound desc = failed to get pod for hostname 10-23-0-37: rpc error: code = NotFound desc = no pod found in Endpoints default/nginx-svc for hostname 10-23-0-37
exit status 1

If we take the formatting out of the calling function (pod watcher one) the error should look nicer:

:; go run controller/script/destination-client/main.go -token "{}" -path 10-23-0-37.nginx-svc.default.svc.cluster.local:80  -method getProfile
FATA[0000] rpc error: code = NotFound desc = no pod found in Endpoints default/nginx-svc for hostname 10-23-0-37
exit status 1

alpeb
alpeb approved these changes Nov 1, 2023
View reviewed changes
Copy link
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

@adleong adleong merged commit 8c42a50 into main Nov 1, 2023
@adleong adleong deleted the alex/not-found-grpc branch November 1, 2023 22:44
olix0r added a commit that referenced this pull request Nov 2, 2023
@olix0r
edge-23.11.1
149d51d 
This edge release fixes two bugs in the Destination controller that could cause
outbound connections to hang indefinitely.

* helm: Introduce configurable values for protocol detection ([#11536])
* destination: Fix GetProfiles error when address is opaque and unmeshed ([#11556])
* destination: Return NotFound for unknown pod names ([#11540])
* proxy: Log controller errors at WARN
* proxy: Fix grpc_status metric labels for inbound traffic

[#11536]: #11536
[#11556]: #11556
[#11540]: #11540
@olix0r olix0r mentioned this pull request Nov 2, 2023
Merged
olix0r added a commit that referenced this pull request Nov 2, 2023
@olix0r
edge-23.11.1 (#11558)
14beb89 
This edge release fixes two bugs in the Destination controller that could cause
outbound connections to hang indefinitely.

* helm: Introduce configurable values for protocol detection ([#11536])
* destination: Fix GetProfiles error when address is opaque and unmeshed ([#11556])
* destination: Return NotFound for unknown pod names ([#11540])
* proxy: Log controller errors at WARN
* proxy: Fix grpc_status metric labels for inbound traffic

[#11536]: #11536
[#11556]: #11556
[#11540]: #11540
@annismckenzie
Copy link

annismckenzie commented Apr 9, 2024

Could this fix be backported to / included in the 2.14 release branch? Since linkerd/linkerd2-proxy#2499 was merged and released in v2.14.3 we're now experiencing a lot of log spam when using headless services (as explained in the description above).

@wmorgan
Copy link
Member

wmorgan commented May 2, 2024

@annismckenzie Unfortunately we are no longer backporting to 2.14 except for critical security patches.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alpeb alpeb alpeb approved these changes

+1 more reviewer

@mateiidavid mateiidavid mateiidavid approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Failed requests to destination when using headless services

5 participants

@adleong @annismckenzie @wmorgan @alpeb @mateiidavid