I'm running the latest image build of Nidhogg (14f4e815a27dc8caaed62e0e9a5341e0f3b7fb31) with Kubernetes v1.21 and i am seeing lots of errors in the logs, even though Nidhogg seems to be working. I think the error is due to the deprecation of selfLink in Kubernetes v1.20: kubernetes/enhancements#1164

Here is the error (truncated for brevity):

E0622 23:00:36.723752       1 event.go:259] Could not construct reference to: '&v1.Node{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}
...
due to: 'selfLink was empty, can't make reference'. Will not report event: 'Normal' 'TaintsChanged'
...

Rather than directly setting a taint on a Node, manage conditions for the status of that Node and allow the control plane to then have another part of the controller rely on that condition information to taint the node.

To make this work, admission control could mutate incoming Nodes to have that condition imposed immediately, leaving that in place until there is evidence that the required DaemonSets are healthy and ready.

I'd like to now if it would be possible to add a feature to match the node with the selector of the daemonset itself instead of using the global nidhogg configuration for it.

Happy to work on this if it makes sense 👍

Thank you very much for Nidhogg!

I've just implemented it for the first time, but I'm seeing some behaviour that I'm not sure is correct, so would like to run it by you and see if there is something that I can do to fix it up.

I have the following YAML configuration:

    daemonsets:
    - name: fluentd-fluentd-elasticsearch
      namespace: fluentd
    - name: kiam-agent
      namespace: kiam
    - name: node-local-dns
      namespace: kube-system
    - name: weave-net
      namespace: kube-system
    nodeSelector:
      node-role.kubernetes.io/node: ""

With the above, I'm waiting on 4 critical daemonsets.

I have been looking at the Nidhogg logs as nodes are added to the cluster by the cluster-autoscaler.
What I'm finding is that initially taints are added by Nidhogg, but not for all of the 4 daemon sets.
Often it is 3 of them, which then clear, and the firstTimeReady gets set, and then a few seconds later the missing 4th taint is added, along with the other 3 and then they proceed to get removed again as things become ready.
This appears to give a 2 or 3 second window where pods may be able schedule onto the node even though it isn't quite ready yet.

An example of logs showing this follows:

{"level":"info","ts":1593498895.9255075,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":["nidhogg.uswitch.com/kiam.kiam-agent","nidhogg.uswitch.com/kube-system.node-local-dns","nidhogg.uswitch.com/kube-system.weave-net"],"taints removed":[],"taintLess":false,"firstTimeReady":""}
{"level":"info","ts":1593498895.9452868,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":[],"taints removed":["nidhogg.uswitch.com/kube-system.weave-net"],"taintLess":false,"firstTimeReady":""}
{"level":"info","ts":1593498896.1045887,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":[],"taints removed":["nidhogg.uswitch.com/kube-system.node-local-dns"],"taintLess":false,"firstTimeReady":""}
{"level":"info","ts":1593498896.1525385,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":[],"taints removed":["nidhogg.uswitch.com/kiam.kiam-agent"],"taintLess":true,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498899.199731,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":["nidhogg.uswitch.com/fluentd.fluentd-fluentd-elasticsearch"],"taints removed":[],"taintLess":false,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498899.5885453,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":["nidhogg.uswitch.com/kube-system.weave-net"],"taints removed":[],"taintLess":false,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498900.7854457,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":["nidhogg.uswitch.com/kube-system.node-local-dns"],"taints removed":[],"taintLess":false,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498901.1978955,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":["nidhogg.uswitch.com/kiam.kiam-agent"],"taints removed":[],"taintLess":false,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498916.6390643,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":[],"taints removed":["nidhogg.uswitch.com/kube-system.node-local-dns"],"taintLess":false,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498927.831887,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":[],"taints removed":["nidhogg.uswitch.com/kiam.kiam-agent"],"taintLess":false,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498935.2295878,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":[],"taints removed":["nidhogg.uswitch.com/kube-system.weave-net"],"taintLess":false,"firstTimeReady":"2020-06-30T06:34:56Z"}
{"level":"info","ts":1593498949.044196,"logger":"nidhogg","msg":"Updating Node taints","instance":"ip-10-8-108-84.ap-southeast-2.compute.internal","taints added":[],"taints removed":["nidhogg.uswitch.com/fluentd.fluentd-fluentd-elasticsearch"],"taintLess":true,"firstTimeReady":"2020-06-30T06:34:56Z"}

The first line has added the taints for kiam, node-local-dns, and weave-net, but there is no taint added for fluentd yet.
The next 3 lines are the 3 taints it has being removed one by one, with the final one marking the node as taintLess and setting firstTimeReady.
Then the next line (roughly 3 seconds later) adds the fluentd taint that was previously missing.
It is these 3 seconds that I'm concerned about.
Next 3 more lines re-add the previous taints that were removed, and then the taints are all removed again until the node is ready.

It's not always fluentd that is the left until later, sometime it is node-local-dns instead.
And it's not always 3 taints that are initially addeded either; I've also seen just 2 of the taints added in the first line.
I haven't had it installed for long, but if it is useful I can collect more details and pass them on.

Howdy 👋

We (Pelotech) have recently started using Nidhogg. Our use-case is to manage taints to control pod scheduling while using Multus (along with other CNI plugins). We've encountered an issue or two related to outdated APIs (resulting in noisy warnings in logs), and have found some flakiness (seems to be due to an issue with the logic used to detect DaemonSet readiness). We also have thoughts about updating the config approach (to eliminate the ConfigMap).

From the unanswered issues and time since last commit, it seems like this project is more-or-less done/complete (and/or abandoned). Our intention is to update the code to current idiomatic Golang (e.g., Go modules, etc), to update the dependencies (esp. Kubernetes client), and update the readiness check.

In addition, we plan to update the API to remove everything related to NodeSelector and DaemonSet name, and to move that functionality into annotations/labels on the relevant DaemonSet. This approach would move all scheduling logic to the monitored DaemonSet, as well as which taint is related to which DaemonSet (instead of the current fixed taint naming: nidhogg.uswitch.com/$DS_NAMESPACE.$DS_NAME). This change, in particular, will be a major breaking, API change. In our view it will increase the flexibility and generality of Nidhogg.

If in fact USwitch is not continuing development of Nidhogg, once we've released an updated version, we'd be glad if you were willing to point to the new version in the README here. There are many places that link to uswitch/nidhogg and it would be ideal to ease discovery of a new iteration.

Will you accept a PR to direct future users to an updated and actively maintained fork?

Reason - we wanted to measure how fast our node is ready for scheduling.
This can be calculated by metrics from kube state metrics (unix timestamp) kube_node_created.
If we get metrics from taint controller about at what time(unix timestamp) node is marked ready.

we can make this calculation by subtracting those metrics.

How do you make this work with the cluster-autoscaler so it will not just keep spinning up nodes in the event of a daemonset failure? For example, if we set taints based on daemonsets A and B, and then there's an issue where daemonset B is broken and crashlooping, the autoscaler will just keep spinning up tainted nodes because it sees that there are pending pods. Is there a way to prevent this from happening?

It's not possible to invert a selector match or check label existence which would be nice for us.

Examples with kubectl:

kubectl get node -l !node-role.kubernetes.io/master


kubectl get node -l node-role.kubernetes.io/node

Thanks for your great work, @Joseph-Irving.

I have a question about nidhogg, if you don't mind. When kubernetes adds new nodes to the cluster (e.g. cluster-autoscaler), is it possible to have an untainted node during a small period of time (until the nidhogg controller applies the taint to it)?

I'm interested in knowing this because during that small period of time a pod might be scheduled on the node where the daemonsets are not ready yet.

can you publish new image as existing one is 1 year old and contains vulnerabilities