add /livez as a liveness endpoint for kube-apiserver

go fmt

make func private

refactor config_test

Two primary refactorings:

1. config test checkPath method is now each a distinct test
run (which makes it easier to see what is actually failing)

2. TestNewWithDelegate's root path check now parses the json output and
does a comparison against a list of expected paths (no more whitespace
and ordering issues when updating this test, yay).

go fmt

modify and simplify existing integration test for readyz/livez

simplify integration test

set default rbac policy rules for livez

rename a few functions and the entrypoint command line argument (and etcetera)

simplify interface for installing readyz and livez and make auto-register completion a bootstrapped check

untangle some of the nested functions, restructure the code

Author: Han Kang

cmd/kube-apiserver/app/aggregator.go

@@ -153,7 +153,7 @@ func createAggregatorServer(aggregatorConfig *aggregatorapiserver.Config, delega
 		return nil, err
 	}
 
-	err = aggregatorServer.GenericAPIServer.AddHealthChecks(
+	err = aggregatorServer.GenericAPIServer.AddBootSequenceHealthChecks(
 		makeAPIServiceAvailableHealthCheck(
 			"autoregister-completion",
 			apiServices,

cmd/kube-apiserver/app/testing/BUILD

@@ -17,7 +17,6 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/server/healthz:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
         "//staging/src/k8s.io/client-go/rest:go_default_library",

cmd/kube-apiserver/app/testing/testserver.go

@@ -31,7 +31,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/registry/generic/registry"
-	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
@@ -46,8 +45,6 @@ type TearDownFunc func()
 type TestServerInstanceOptions struct {
 	// DisableStorageCleanup Disable the automatic storage cleanup
 	DisableStorageCleanup bool
-	// Injected health
-	InjectedHealthChecker healthz.HealthChecker
 }
 
 // TestServer return values supplied by kube-test-ApiServer
@@ -151,13 +148,6 @@ func StartTestServer(t Logger, instanceOptions *TestServerInstanceOptions, custo
 		return result, fmt.Errorf("failed to create server chain: %v", err)
 	}
 
-	if instanceOptions.InjectedHealthChecker != nil {
-		t.Logf("Adding health check with delay %v %v", s.GenericServerRunOptions.MaxStartupSequenceDuration, instanceOptions.InjectedHealthChecker.Name())
-		if err := server.GenericAPIServer.AddDelayedHealthzChecks(s.GenericServerRunOptions.MaxStartupSequenceDuration, instanceOptions.InjectedHealthChecker); err != nil {
-			return result, err
-		}
-	}
-
 	errCh := make(chan error)
 	go func(stopCh <-chan struct{}) {
 		prepared, err := server.PrepareRun()

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -197,7 +197,8 @@ func ClusterRoles() []rbacv1.ClusterRole {
 			ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
 			Rules: []rbacv1.PolicyRule{
 				rbacv1helpers.NewRule("get").URLs(
-					"/readyz", "/healthz", "/version", "/version/",
+					"/livez", "/readyz", "/healthz",
+					"/version", "/version/",
 					"/openapi", "/openapi/*",
 					"/api", "/api/*",
 					"/apis", "/apis/*",
@@ -217,7 +218,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 			ObjectMeta: metav1.ObjectMeta{Name: "system:public-info-viewer"},
 			Rules: []rbacv1.PolicyRule{
 				rbacv1helpers.NewRule("get").URLs(
-					"/readyz", "/healthz", "/version", "/version/",
+					"/livez", "/readyz", "/healthz", "/version", "/version/",
 				).RuleOrDie(),
 			},
 		},

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml

@@ -548,6 +548,7 @@ items:
     - /apis
     - /apis/*
     - /healthz
+    - /livez
     - /openapi
     - /openapi/*
     - /readyz
@@ -1185,6 +1186,7 @@ items:
   rules:
   - nonResourceURLs:
     - /healthz
+    - /livez
     - /readyz
     - /version
     - /version/

staging/src/k8s.io/apiserver/pkg/server/BUILD

@@ -22,6 +22,7 @@ go_test(
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/json:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",

staging/src/k8s.io/apiserver/pkg/server/config.go

@@ -139,6 +139,8 @@ type Config struct {
 	DiscoveryAddresses discovery.Addresses
 	// The default set of healthz checks. There might be more added via AddHealthChecks dynamically.
 	HealthzChecks []healthz.HealthChecker
+	// The default set of livez checks. There might be more added via AddHealthChecks dynamically.
+	LivezChecks []healthz.HealthChecker
 	// The default set of readyz-only checks. There might be more added via AddReadyzChecks dynamically.
 	ReadyzChecks []healthz.HealthChecker
 	// LegacyAPIGroupPrefixes is used to set up URL parsing for authorization and for validating requests
@@ -165,9 +167,9 @@ type Config struct {
 
 	// This represents the maximum amount of time it should take for apiserver to complete its startup
 	// sequence and become healthy. From apiserver's start time to when this amount of time has
-	// elapsed, /healthz will assume that unfinished post-start hooks will complete successfully and
+	// elapsed, /livez will assume that unfinished post-start hooks will complete successfully and
 	// therefore return true.
-	MaxStartupSequenceDuration time.Duration
+	LivezGracePeriod time.Duration
 	// ShutdownDelayDuration allows to block shutdown for some time, e.g. until endpoints pointing to this API server
 	// have converged on all node. During this time, the API server keeps serving, /healthz will return 200,
 	// but /readyz will return failure.
@@ -278,6 +280,7 @@ func NewConfig(codecs serializer.CodecFactory) *Config {
 		DisabledPostStartHooks:      sets.NewString(),
 		HealthzChecks:               append([]healthz.HealthChecker{}, defaultHealthChecks...),
 		ReadyzChecks:                append([]healthz.HealthChecker{}, defaultHealthChecks...),
+		LivezChecks:                 append([]healthz.HealthChecker{}, defaultHealthChecks...),
 		EnableIndex:                 true,
 		EnableDiscovery:             true,
 		EnableProfiling:             true,
@@ -286,7 +289,7 @@ func NewConfig(codecs serializer.CodecFactory) *Config {
 		MaxMutatingRequestsInFlight: 200,
 		RequestTimeout:              time.Duration(60) * time.Second,
 		MinRequestTimeout:           1800,
-		MaxStartupSequenceDuration:  time.Duration(0),
+		LivezGracePeriod:            time.Duration(0),
 		ShutdownDelayDuration:       time.Duration(0),
 		// 10MB is the recommended maximum client request size in bytes
 		// the etcd server should accept. See
@@ -509,15 +512,16 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
 		preShutdownHooks:       map[string]preShutdownHookEntry{},
 		disabledPostStartHooks: c.DisabledPostStartHooks,
 
-		healthzChecks:              c.HealthzChecks,
-		readyzChecks:               c.ReadyzChecks,
-		readinessStopCh:            make(chan struct{}),
-		maxStartupSequenceDuration: c.MaxStartupSequenceDuration,
+		healthzChecks:    c.HealthzChecks,
+		livezChecks:      c.LivezChecks,
+		readyzChecks:     c.ReadyzChecks,
+		readinessStopCh:  make(chan struct{}),
+		livezGracePeriod: c.LivezGracePeriod,
 
 		DiscoveryGroupManager: discovery.NewRootAPIsHandler(c.DiscoveryAddresses, c.Serializer),
 
 		maxRequestBodyBytes: c.MaxRequestBodyBytes,
-		healthzClock:        clock.RealClock{},
+		livezClock:          clock.RealClock{},
 	}
 
 	for {
@@ -563,9 +567,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
 		if skip {
 			continue
 		}
-
-		s.healthzChecks = append(s.healthzChecks, delegateCheck)
-		s.readyzChecks = append(s.readyzChecks, delegateCheck)
+		s.AddHealthChecks(delegateCheck)
 	}
 
 	s.listedPathProvider = routes.ListedPathProviders{s.listedPathProvider, delegationTarget}

staging/src/k8s.io/apiserver/pkg/server/config_test.go

@@ -26,6 +26,7 @@ import (
 	"reflect"
 	"testing"
 
+	"k8s.io/apimachinery/pkg/util/json"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/client-go/informers"
@@ -135,31 +136,36 @@ func TestNewWithDelegate(t *testing.T) {
 	// Wait for the hooks to finish before checking the response
 	<-delegatePostStartHookChan
 	<-wrappingPostStartHookChan
-
-	checkPath(server.URL, http.StatusOK, `{
-  "paths": [
-    "/apis",
-    "/bar",
-    "/foo",
-    "/healthz",
-    "/healthz/delegate-health",
-    "/healthz/log",
-    "/healthz/ping",
-    "/healthz/poststarthook/delegate-post-start-hook",
-    "/healthz/poststarthook/generic-apiserver-start-informers",
-    "/healthz/poststarthook/wrapping-post-start-hook",
-    "/healthz/wrapping-health",
-    "/metrics",
-    "/readyz",
-    "/readyz/delegate-health",
-    "/readyz/log",
-    "/readyz/ping",
-    "/readyz/poststarthook/delegate-post-start-hook",
-    "/readyz/poststarthook/generic-apiserver-start-informers",
-    "/readyz/poststarthook/wrapping-post-start-hook",
-    "/readyz/shutdown"
-  ]
-}`, t)
+	expectedPaths := []string{
+		"/apis",
+		"/bar",
+		"/foo",
+		"/healthz",
+		"/healthz/delegate-health",
+		"/healthz/log",
+		"/healthz/ping",
+		"/healthz/poststarthook/delegate-post-start-hook",
+		"/healthz/poststarthook/generic-apiserver-start-informers",
+		"/healthz/poststarthook/wrapping-post-start-hook",
+		"/healthz/wrapping-health",
+		"/livez",
+		"/livez/delegate-health",
+		"/livez/log",
+		"/livez/ping",
+		"/livez/poststarthook/delegate-post-start-hook",
+		"/livez/poststarthook/generic-apiserver-start-informers",
+		"/livez/poststarthook/wrapping-post-start-hook",
+		"/metrics",
+		"/readyz",
+		"/readyz/delegate-health",
+		"/readyz/log",
+		"/readyz/ping",
+		"/readyz/poststarthook/delegate-post-start-hook",
+		"/readyz/poststarthook/generic-apiserver-start-informers",
+		"/readyz/poststarthook/wrapping-post-start-hook",
+		"/readyz/shutdown",
+	}
+	checkExpectedPathsAtRoot(server.URL, expectedPaths, t)
 	checkPath(server.URL+"/healthz", http.StatusInternalServerError, `[+]ping ok
 [+]log ok
 [-]wrapping-health failed: reason withheld
@@ -181,22 +187,57 @@ healthz check failed
 }
 
 func checkPath(url string, expectedStatusCode int, expectedBody string, t *testing.T) {
-	resp, err := http.Get(url)
-	if err != nil {
-		t.Fatal(err)
-	}
-	dump, _ := httputil.DumpResponse(resp, true)
-	t.Log(string(dump))
+	t.Run(url, func(t *testing.T) {
+		resp, err := http.Get(url)
+		if err != nil {
+			t.Fatal(err)
+		}
+		dump, _ := httputil.DumpResponse(resp, true)
+		t.Log(string(dump))
 
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatal(err)
-	}
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatal(err)
+		}
 
-	if e, a := expectedBody, string(body); e != a {
-		t.Errorf("%q expected %v, got %v", url, e, a)
-	}
-	if e, a := expectedStatusCode, resp.StatusCode; e != a {
-		t.Errorf("%q expected %v, got %v", url, e, a)
-	}
+		if e, a := expectedBody, string(body); e != a {
+			t.Errorf("%q expected %v, got %v", url, e, a)
+		}
+		if e, a := expectedStatusCode, resp.StatusCode; e != a {
+			t.Errorf("%q expected %v, got %v", url, e, a)
+		}
+	})
+}
+
+func checkExpectedPathsAtRoot(url string, expectedPaths []string, t *testing.T) {
+	t.Run(url, func(t *testing.T) {
+		resp, err := http.Get(url)
+		if err != nil {
+			t.Fatal(err)
+		}
+		dump, _ := httputil.DumpResponse(resp, true)
+		t.Log(string(dump))
+
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatal(err)
+		}
+		var result map[string]interface{}
+		json.Unmarshal(body, &result)
+		paths, ok := result["paths"].([]interface{})
+		if !ok {
+			t.Errorf("paths not found")
+		}
+		pathset := sets.NewString()
+		for _, p := range paths {
+			pathset.Insert(p.(string))
+		}
+		expectedset := sets.NewString(expectedPaths...)
+		for _, p := range pathset.Difference(expectedset) {
+			t.Errorf("Got %v path, which we did not expect", p)
+		}
+		for _, p := range expectedset.Difference(pathset) {
+			t.Errorf(" Expected %v path which we did not get", p)
+		}
+	})
 }

staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go

@@ -146,14 +146,19 @@ type GenericAPIServer struct {
 	preShutdownHooksCalled bool
 
 	// healthz checks
-	healthzLock                sync.Mutex
-	healthzChecks              []healthz.HealthChecker
-	healthzChecksInstalled     bool
-	readyzLock                 sync.Mutex
-	readyzChecks               []healthz.HealthChecker
-	readyzChecksInstalled      bool
-	maxStartupSequenceDuration time.Duration
-	healthzClock               clock.Clock
+	healthzLock            sync.Mutex
+	healthzChecks          []healthz.HealthChecker
+	healthzChecksInstalled bool
+	// livez checks
+	livezLock            sync.Mutex
+	livezChecks          []healthz.HealthChecker
+	livezChecksInstalled bool
+	// readyz checks
+	readyzLock            sync.Mutex
+	readyzChecks          []healthz.HealthChecker
+	readyzChecksInstalled bool
+	livezGracePeriod      time.Duration
+	livezClock            clock.Clock
 	// the readiness stop channel is used to signal that the apiserver has initiated a shutdown sequence, this
 	// will cause readyz to return unhealthy.
 	readinessStopCh chan struct{}
@@ -281,7 +286,12 @@ func (s *GenericAPIServer) PrepareRun() preparedGenericAPIServer {
 	}
 
 	s.installHealthz()
-	s.installReadyz(s.readinessStopCh)
+	s.installLivez()
+	err := s.addReadyzShutdownCheck(s.readinessStopCh)
+	if err != nil {
+		klog.Errorf("Failed to install readyz shutdown check %s", err)
+	}
+	s.installReadyz()
 
 	// Register audit backend preShutdownHook.
 	if s.AuditBackend != nil {