GEP 3388 Retry Budget API Implementation

[ericdbishop]

What type of PR is this?

/kind documentation
/kind feature

What this PR does / why we need it:

Implements GEP-3388: Retry Budgets

Which issue(s) this PR fixes:

Fixes #3388

Does this PR introduce a user-facing change?:

adds a new BackendTrafficPolicy with ability to configure budgeted retries

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ericdbishop
Once this PR has been reviewed and has the lgtm label, please assign robscott for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @ericdbishop. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ericdbishop]

Planning to correct this description (previously discussed here), but I'm also considering changing Retry to RetryBudget so we can better capture the distinction between a constrained budget on retries, versus the static count retries that are configured within HTTPRoute. I think CommonRetryPolicy is okay but would also be curious if we think RetryBudgetPolicy would be more self-explanatory.

[mikemorris]

CommonRetryPolicy was originally an abstraction from the initial "two possible approaches" proposal just to minimize duplication - agreed that the Common* prefix is probably no longer appropriate, but not quite sure what the correct name should be here:

1. I feel like *Policy implies a top-level resource like BackendTrafficPolicy that is actually an impl of the policy attachment pattern, not a sub-resource.
2. We could just collapse the fields into BackendTrafficPolicy inline, but I like the way SessionPersistence is broken out currently - it feels like it will be more composable if we add additional functionality to BackendTrafficPolicy
3. I'm not quite sure yet if we do indeed want to narrow the scope down to RetryBudget or choose a name that could allow additional fields within this stanza.

[ericdbishop]

I agree with those points, I think it makes sense to leave the retry budget configuration broken out from BackendTrafficPolicy instead of inline. I could see replacing the name CommonRetryPolicy with something like RetryConstraint if we wanted to allow for the possibility down the line of constraining retries based off of something other than a budget.

[ericdbishop]

I took some liberty here in renaming Retry and the CommonRetryPolicy struct to RetryConstraint, but open to better suggestions.

[ericdbishop]

Previous comment on validation. The maximum valid argument for BudgetPercent should be 100 as that is effectively the same as having no retry budget at all, but should the minimum value we allow be 0? Should users be allowed to block all retries in that way?

[ericdbishop]

I set the minimum as 0 for the time being.

[ericdbishop]

What's the minimum viable set of fields here for an implementation to say that they support retry budgets?

Link to comment.

Given confirmation that Envoy's retry_budget spec could be modified to include a parameter that matches BudgetInterval, I think it would be safe to require that implementations should include all fields to be considered supporting retry budgets.

But that being said, I could see how BudgetInterval could be excluded to match Envoy's existing retry budget behavior which @mikemorris detailed here, making only MinRetryRate and BudgetPercent truly necessary.

[mikemorris]

I could see how BudgetInterval could be excluded to match Envoy's existing retry budget behavior

In the context of @tonya11en's comment at #3573 (comment) and envoyproxy/envoy#30205 (comment), even though this could be possible to enable, I'm unsure if it would actually be desireable even for Envoy-based implementations of Gateway API?

This additionally has some bearing on the semantic meaning of budgetInterval: 0 (weird, effectively a rate with a division by zero unless we use it as a shorthand for Envoy's current behavior) vs if we want to prescribe a default interval when omitting the field entirely (which could make UX more concise).

[ericdbishop]

I do think having a default budgetInterval would make sense, going off of the default I see for Linkerd's ttl parameter, maybe 10s is reasonable? Agree about the meaning of budgetInterval: 0 being strange. Also, since it is a duration, it would require a unit of time. It does seem more desirable to require implementations to include all three parameters after seeing that additional context.

[ericdbishop]

This entire description requires wordsmithing.

[ericdbishop]

@mikemorris @robscott @kflynn @youngnick @dprotaso Hi team, would appreciate an initial review as this PR is already pretty large. I cherry-picked/followed some of @dprotaso's changes from #3588 so would appreciate clarification if I correctly created a separate API group, thanks!

[ericdbishop]

Are we opinionated on what should be returned to the client after the targeted backend's retry budget has been exceeded? Envoy returns a 503, in addition to setting an x-envoy-overloaded header on the downstream response.

[robscott]

No strong opinion on this. I can see a case for a SHOULD instead of a MUST here, but probably better to start with more restrictive language and loosen if necessary in the future. On that note, recommend capitalizing all of the RFC 2119 keywords.

[mikemorris]

I would somewhat expect this would more logically be a 429 response, @kflynn how does Linkerd handle this?

[htuch]

Why would 429 apply here? Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429, this is a signal to the client that it has exceeded some limit, but in this case it is the load balancer that has exceeded the budget. From the client's perspective, it may have sent only a single request (ever), so a 429 seem to be strange.

[mikemorris]

That makes sense to me @htuch that it may not be any individual client's fault that the service is unavailable, thanks for helping to clarify this.

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[robscott]

Thanks @ericdbishop!

[robscott]

This specific form of target ref is missing a way to target an individual port on a Service. That may be fine, just want to call it out for future readers.

[robscott]

This doesn't sound quite right. It's not the backend that's rejecting retries here right?

[robscott]

How are requests measured here? What if there were 1000 requests to the Gateway, but 100 of them were retried 3 times each, does that count as 100 or 300 here?

[robscott]

No strong opinion on this. I can see a case for a SHOULD instead of a MUST here, but probably better to start with more restrictive language and loosen if necessary in the future. On that note, recommend capitalizing all of the RFC 2119 keywords.

[robscott]

We need some more work on this, but I'd argue that we should have a concept of "this field MUST be supported if you support this feature" (retry budgets in this case).

/cc @youngnick @mlavacca @shaneutt

[robscott]

Seems like something we'll want to define a min and max value for.

[htuch]

TBC is backend here referencing an individual target host or a service? Envoy's retry budget is a cluster setting.

[htuch]

I think this is safe given it's an override for very low volume traffic. That said, features that make use of absolute rates and capacities, that are maintained in a single proxy instance (e.g. Envoy's circuit breakers), tend to behave unpredictably when the Gateway is not just a single proxy instance but autoscaled or part of some multi-tenant deployment with an opaque number of instances. For example, here, if we set minRetryRate to something like 1 per second, any given backend service might see anything from 1 to 10k retries per second if there are 1-10k proxy instances backing the Gateway, even if the budget is configured to try deter traffic on the higher end.

Again, I don't think it's an acute issue as we're setting a minimum traffic volume, and the retry budget needs some context specific tuning to make sense in any case, but it's something end users of limits and controls set service-wide should be aware of when using a feature on a multi-instance Gateway implementation.

[mikemorris]

Hmmm, yep definitely understand - similar consideration would apply for for local vs global rate limiting. I haven't seen any actual requests for or implementations of global retry budgeting, it is an interesting problem but agree tuning based on rough expected scale feels like it could be acceptable for now?