felixZdi
commented
6 months ago Same for v1.28.9
Open rgarcia89 opened 6 months ago
felixZdi
commented
6 months ago Same for v1.28.9
rgarcia89
commented
5 months ago @sabbour this validation could break the above mentioned deployment https://github.com/kubernetes/kubernetes/issues/124881
idogada-akamai
commented
5 months ago Any update on this?
Aaron-ML
commented
5 months ago Would love to see this resolved, this is creating log spam and alerts on our prometheus stack due to duplicate labels.
rgarcia89
commented
5 months ago @Aaron-ML I am also using the kube-prometheus-stack and have downgraded prometheus to v2.51.2 until it is fixed...
Aaron-ML
commented
5 months ago @Aaron-ML I am also using the kube-prometheus-stack and have downgraded prometheus to v2.51.2 until it is fixed...
We've mitigated it for now by temporarily removing the alert related to prometheus ingest failures. Hopefully this gets resolved soon.
rgarcia89
commented
4 months ago @chasewilson any update available?
bregtaca
commented
4 months ago @chasewilson can you please provide an update?
dsiperek-vendavo
commented
4 months ago Any updates on this issue?
chasewilson
commented
4 months ago @wedaly I know we'd investigated this. Could you add some clarity here?
wedaly
commented
4 months ago AKS creates the operator.tigera.io/v1 Installation resource that tells tigera-operator how to install Calico. In the installation CR, we're setting:
controlPlaneTolerations:
- key: CriticalAddonsOnly
operator: Existstigera-operator code appends this to the list of default tolerations for calico-kube-controllers, which already includes this toleration: https://github.com/tigera/operator/blob/b01279889cd2a625fde862afb7b41e27b9dcce19/pkg/render/kubecontrollers/kube-controllers.go#L648
I don't know the full context of why AKS sets this field in the installation CR, but it's been this way for a long time (I think as long ago as 2021).
I'm not yet sure why we added that or if it's safe to remove, as I can see controlPlaneTolerations referenced elsewhere in tigera-operator. This needs a bit more investigation to verify that it's safe, but if so I think AKS could remove controlPlaneTolerations to address this bug.
rgarcia89
commented
4 months ago @wedaly in that case it is being added by AKS installation resource and the tigera-operator.
Your liked line indicates that there is a next to the passed config parameters also some meta data appended:
Tolerations: append(c.cfg.Installation.ControlPlaneTolerations, rmeta.TolerateCriticalAddonsAndControlPlane...),If you follow the path you can see that in the toleration is already defined there:
TolerateCriticalAddonsOnly = corev1.Toleration{
Key: "CriticalAddonsOnly",
Operator: corev1.TolerationOpExists,
}Therefore you should be good to remove it from the AKS installation resource.
wedaly
commented
4 months ago Digging through the commit history in AKS, I see that the toleration was added as a repair item for a production issue during the migration to tigera-operator. The repair item is linked to this issue in GH: https://github.com/projectcalico/calico/issues/4525
However, I'm not sure how adding the toleration is related to the symptoms described in that issue. And all AKS clusters on supported k8s versions should be using tigera-operator now.
Seems like it should be safe to remove the toleration from the installation CR now.
rgarcia89
commented
3 months ago @wedaly any update here?
rgarcia89
commented
3 months ago @chasewilson @wedaly can we please get an update? This is currently holding us back from being able to update Prometheus.
wedaly
commented
2 months ago Apologies for the delayed response. The current plan is to remove controlPlaneTolerations from the installation CR to address this bug.
However, this change has the side-effect of adding two additional tolerations to Calico's typha deployment to tolerate every taint (https://github.com/tigera/operator/blob/8cbb161896a4ca641f885e668528cdb52de83f84/pkg/render/typha.go#L400). We believe this is safe, but any change like this carries some risk as it could affect many clusters.
For this reason, we are planning to remove controlPlaneTolerations only starting with the next Calico version released in AKS. This will be Calico 3.28 released in AKS k8s version 1.31, which will be previewed in September and generally available in October (schedule here).
I realize this doesn't provide an immediate solution to folks on earlier k8s versions that want to upgrade Prometheus, but we need to balance the severity of this bug against the risks of making a config change that would affect many AKS clusters.
Nastaliss
commented
3 days ago Hi,
I can see the 1.31.1 Kubernetes version is available in preview on AKS.
Can you confirm this fixes the Calico duplicate toleration ?
Describe the bug On AKS clusters with calico enabled a namespace calico-system is created. Within that we can find a deployment calico-kube-controllers. This deployment is currently labels twice with the CriticalAddonsOnly toleration. This leads to an error in prometheus starting v2.52.0 as with that version a check for duplicate samples has been introduced.
The above situation leads to such a situation, as the kube-state-metrics pod creates the same metric twice - due to the second existens of the CriticalAddonsOnly toleration. I had created a issue on the prometheus project, as I was expecting it to be a prometheus issue, which it isn't. https://github.com/prometheus/prometheus/issues/14089
Prometheus log output
Environment (please complete the following information):