fix: get container ID from kube rather than docker

[rudoi]

Issue #, if available:

#365

Description of changes:

Gets container ID from Kubernetes rather than Docker. This makes the CNI runtime-agnostic.

When using containerd instead of Docker, the CNI essentially skips allocating addresses for all pods because it can't find containers to associate them with. The current retry logic doesn't fail hard when the CNI is unable to connect to a Docker sock. New pods appear to successfully obtain IP addresses, but when the CNI pod restarts, these IPs will all be freed because the CNI will be unable to connect to Docker and therefore will skip allocating IPs for all pods on the host.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[mogren]

Ran conformance tests and everything looks good. Thanks, this was a nice cleanup, just a small logging comment.

I'll update our dependencies in another PR, guess we don't need the docker client import any more.

[liwenwu-amazon]

This change needs to be carefully tested out to make sure no same IP can be allocated to different Pods.
ipamD does NOT preserve IP allocations pool state through its restart
During ipamD restart, it first builds IP warm Pool info from instance metadata service, then it talks to Docker to find out the all running Pod's IPs and take running Pod IPs out of IP warm pool. After this, it then responds CNI-ADD request.

To get same info from kube, you need to make sure ipamD have learned all running Pod IPs before start accepting CNI-ADD.

[mogren]

Thanks @liwenwu-amazon, that is good to know. We won't merge this without some more testing.

[rudoi]

@mogren / @liwenwu-amazon

I dumped the list of ENIs on a host running 5 pods, 3 of which were hostNetwork=true, and saw that 2 were allocated as expected. Then, I kill'd the aws-k8s-agent process, causing the pod to restart. After the CNI plugin came back online, I captured the ENI list again and there was no diff between the two ENI dumps.

FWIW, I've been running a cluster off of this branch with several nodes and several dozen pods for about 10 days. A few of the CNI daemonset pods have restarts for various reasons, but I haven't seen any issues so far with duplicate IP allocation.

If there's anything more specific I should run some tests for, please let me know. I'm curious to understand how getting the container ID from kube API vs Docker has an impact on how IPs are allocated. It doesn't seem like the container ID is ever read again after the initial fetch.

[liwenwu-amazon]

@rudoi @mogren I think you should try to restart ipamD while Pods are being scaled up and down rapidly. And make sure there is no race condition when using kube API. Here is one example:

• Assumes IP warm pool have 200 IPs, and have allocated 150 IPs to Pods, e.g. IP1 ... IP150
• then ipamD restart
• ipamD rebuild its IP warm pool to have 200 IPs
• ipamD starts watching PODs from K8S API Server
• it start learning pods that were using IP1 to IP 150
• what if K8S server schedule a new Pod before ipamD finish learning pods (IP1 to IP150), then it might give one of those IP (IP1 to IP150) to this new Pod.

With Docker API, the ipamD make sure it finds out all running Pod before start accepting CNI-add request.

[rudoi]

Understood, @liwenwu-amazon. Thanks for clarifying. I'll try my hardest to cause that race. 😄

[mogren]

@rudoi Hi again!

I like this change, and I think we have some great integration tests to test this. I still bumped this change out to the v1.6 Milestone since I'm trying to get v1.5 out soon. Would you care to rebase this change against the latest master?

[rudoi]

@rudoi Hi again!

I like this change, and I think we have some great integration tests to test this. I still bumped this change out to the v1.6 Milestone since I'm trying to get v1.5 out soon. Would you care to rebase this change against the latest master?

Hi @mogren! Rebased, made sure tests are passing, etc. Looking forward to seeing the integration tests! I did some stress testing last week but I wasn't totally satisfied with my scenarios.

[dadux]

@rudoi - thanks for this PR.

We are about to deploy some of our clusters with this fix - so hopefully we'll get some real world use case before it gets merged into 1.6.

[rudoi]

@dadux - awesome, looking forward to seeing the results!

We've been running this for about 3 weeks in real clusters and have not run into anything yet. -fingers crossed-

[dadux]

Hi @mogren - what is preventing this to get merged ?

Happy to provide some help if needed !

[rudoi]

Happy to help out as well!

[mogren]

Hey @dadux and @rudoi! I just wanted to run a few more tests to try and catch any potential edge cases. Everything looks good on my end, so thanks a lot. Sorry it took so long to verify the change.