I'll fix up the minor stuff in a bit.

ug, the splitting of component config + go client is a mess.

@thockin comments addressed, rebased, tests now passing.

Here's what is going to happen. A Service update (create) will arrive. We sync it. Then an Endpoints update will arrive very soon thereafter. It will get stuck behind this delay. In practice, this adds at least 2 seconds to every Service creation. More if anyone tweaks that flag. Maybe not a huge deal, but worth thinking about. Can we do better?

We could do a semaphore thing and start with something like 3 tokens. Add a new token every interval up to max 3. This would give low-load systems enough freedom to enact changes right away and would bandwidth-limit high-load systems.

I'm just spitballing here...

It will get stuck behind this delay. In practice, this adds at least 2 seconds to every Service creation. More if anyone tweaks that flag. Maybe not a huge deal, but worth thinking about. Can we do better?

It will add 2 seconds to the last service, not every, as they will be batched, but I'm not terribly concerned about that. I'm far more concerned about controlling the thrashing at this point, and this puts an simple control knob on that.

We could do a semaphore thing and start with something like 3 tokens. Add a new token every interval up to max 3. This would give low-load systems enough freedom to enact changes right away and would bandwidth-limit high-load systems.

I'd like to profile before adding any more complexity. For us, the largest concern is the high amount of churn on large clusters, not the update-SLO on endpoints. In profiling, the longest delay is typically on the docker pull which is orders of magnitude greater then this delay. So keeping it simple makes the most sense, unless there is a use case that I'm missing.?.?

other comments have been addressed.

It will get stuck behind this delay. In practice, this adds at least 2 seconds to every Service creation. More if anyone tweaks that flag. Maybe not a huge deal, but worth thinking about. Can we do better?

It will add 2 seconds to the last service, not every, as they will be batched, but I'm not terribly concerned about that. I'm far more concerned about controlling the thrashing at this point, and this puts an simple control knob on that.

Maybe I am misunderstanding the flow. The Service create will trigger OnServiceUpdate(), which will sync. That sets the timestamp. 10ms later, the Endpoints update will trigger OnEndpointsUpdate(), which will set a timer for 1990 ms later. If the normal pattern is these two operations being highly temporally coupled, it seems we should design for that case, no?

10ms later, the Endpoints update will trigger OnEndpointsUpdate(), which will set a timer for 1990 ms later. If the normal pattern is these two operations being highly temporally coupled, it seems we should design for that case, no?

In a slow churn single operator environment, perhaps.
Ours is a high-churn, dense, multi-tenant environment, and tuning for that case doesn't make a lot of sense. Because within that window there are literally 100s or 1000s of updates. As daniel points out here: #26637 (comment)

@timothysc @thockin I did a patch yesterday to cut down on non-important Service/Endpoint changes, which does seem to reduce the need for resyncs somewhat. I'm currently looking into how to do an iptables diff to figure out if we really need to resync for the periodic loop, but that's a lot harder as Kube doesn't write rules in the same way as iptables-save reads them back, so we effectively have to create an iptables-save rule parser.

I know Tim said at one point that "by the time we get to iptables-restore the work is all pretty much done", but that's not the case. The Go side is fine, but it's the kernel contention of iptables-restore that is the problem for most of our customers. When I benchmarked with 4.7 kernels and 6 or 8000 iptables rules, I was getting hundreds of ms runtime for a single iptables-restore. The Go-side time for generating those rules was incidental. So I think we can get some good mileage from simply not calling iptables-restore when we don't need to.

Jenkins GCI GKE smoke e2e failed for commit 1cb97b8. Full PR test history.

The magic incantation to run this job again is @k8s-bot gci gke e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

Automatic merge from submit-queue

@k8s-oncall @thockin @timothysc - it seems that this PR broke gke-slow suite (it's mostly red since then and nothing is merging)

@saad-ali ^^

@bprashanth I merged your PR #36282. Does this need to be reverted as well?

@saad-ali - I didn't see that PR, maybe that one actually fix the problem.

Looks like #36282 just needs a timing shift, which makes sense, but I'm wondering how the assortment of other suites didn't catch this?

It's still very likely this broke slow suite. My pr was supposed to be a short term mitigation till we've had a chance to debug #36281 (suite is still flaking), @MrHohn

Yes, looks like PR #36282 took care of it. https://k8s-gubernator.appspot.com/builds/kubernetes-jenkins/logs/kubernetes-e2e-gci-gke-slow/ has been green since.

are you sure? akf right now but last I checked it flaked this morning and the pr went in last night. I just don't want to cry wolf without evidence :)

There are multiple slow suites, the one I looked at, kubernetes-e2e-gci-gke-slow, has been green since PR #36282 went in at 12:37 AM PDT. Same with kubernetes-e2e-gce-slow. However, kubernetes-e2e-gke-slow failed as recently as 2016-11-05 1:23 PM PDT. So it's possible PR #36282 just reduced the frequency of failure, but need a smoking gun to revert this PR.

Did I just forget to read time? I see 8 flakes since 12:30 AM last night.
This pr is surely contributing to the janky performance observed in #36281

Because of the way kubeproxy is structured, we're inserting a token into the bucket every 2 seconds for the iptables update, and sending a no-op update down the watch every second (2 every 2 seconds, scheduler and kube-controller-manager). So we end up filling the queue with no-op endpoint updates and blocking an interesting service update.

@timothysc if you're interested in doing this right you should look at the watch processing pipeline. This pr calls Accept() holding the syncProxyRules lock (https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/iptables/proxier.go#L782, https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/iptables/proxier.go#L422), which is effective a time.Sleep(1 or 2 seconds) given what I described above. The on update functions receive a snapshot of endpoints/services on every update. Meaning:

t:1 (bucket empty)
no-op update
no-op snapshot
lock
accept () <- sleep(2)

next no-op update
next no-op snapshot
lock <- block

svc update
svc snapshot
lock <- block

t:3 (bucket has a token)
t:1 process no-op snapshot
next no-op update
next no-op snapshot
lock <- block

this can essentially go on forever just processing no-op updates from the endpoint handler because go's locks aren't fair. Note that the "burst" will only help if you actually get 0 updates for a while such that you accumulate enough tokens.

What we were doing previous is also bad, but the no-op updates would run asap leaving the channel empty for more important updates.

I will probably send a pr to default it to the old behavior soonish. We can fix this as a bug during code freeze.

Ah, @MrHohn has empirical evidence #36281 (comment)