Earlier this year, DeisLabs released Krustlet, a project to implement Kubelet
in Rust. 1 2 Kubelet is the component of Kubernetes that
runs on each node which is assigned Pods by the control plane and runs them on
its node. Krustlet defines a flexible API in the kubelet crate, which allows
developers to build Kubelets to run new types of workloads. The project
includes two such examples, which can run Web Assembly workloads on WASI or
waSCC runtimes. 3 4 Beyond this, I have been working to
develop a Rust Kubelet for traditional Linux containers using the Container
Runtime Interface (CRI). 5 6
Over the last few releases, Krustlet has focused on expanding the functionality of these Web Assembly Kubelets, such as adding support for init containers, fixing small bugs, and log streaming. This, in turn, has built quite a bit of interest in alternative workloads and node architectures on Kubernetes, as well as demonstrated the many strengths of Rust for development of these types of applications.
For the v0.5.0 release, we turned our attention to the internal architecture
of Krustlet, in particular how Pods move through their lifecycle, how
developers write this logic, and how updates to the Kubernetes control plane
are handled. 7 We settled upon a state machine implementation
which should result in fewer bugs and greater fault tolerance. This refactoring
resulted in substantial changes for consumers of our API; however we believe
this will result in code that is much easier to reason about and maintain. For
an excellent summary of these changes, and description of how you can migrate
code that depends on the kubelet crate, please see Taylor Thomas' excellent
Release Notes.
In this post I will share a deep dive into our new architecture and the
development journey which led to it.
The Trailhead
Before v0.5.0, developers wishing to implement a Kubelet using Krustlet
primarily needed to implement the Provider trait, which allowed them to write
methods for handling events like add, delete, and logs for Pods scheduled
to that node. This offered a lot of flexibility, but was a very low-level API.
We identified a number of issues with this architecture:
- The entire lifecycle of a Pod was defined in 1 or 2 monolithic methods of the
Providertrait. This resulted in messy code and a very poor understanding of error handling in the many phases of a Pod’s lifecycle. - Pod and Container status patches to the Kubernetes control plane were
scattered throughout the codebase, both in the
kubeletcrate and theProviderimplementations. This made it very difficult to reason about what was actually reported back to the user and when, and involved lot of repeated code. - Unlike the Go Kubelet, if Krustlet encountered an error it would report the error back to Kubernetes and then (most of the time) end execution of the Pod. There was no built-in notion of the reconciliation loop that one expects from Kubernetes.
- We recognized that a lot of these issues were left to each developer to
solve, but were things that any Kubelet would need to handle. We wanted to
move this kind of logic into the
kubeletcrate, so that each provider did not have to reinvent things.
Our Mission
At its core, Kubernetes relies on declarative (mostly immutable) manifests, and
controllers which run reconciliation loops to drive cluster state to match this
configuration. Kubelet is no exception to this, with its focus being
indivisible units of work, or Pods. Kubelet simply monitors for changes to Pods
that have been assigned to it by kube-scheduler, and runs a loop to attempt
to run this work on its node. In fact, I would describe Kubelet as no different
from any other Kubernetes controller, except that it has the additional
first-class capability for streaming logs and exec sessions. However these
capabilities, as they are implemented in Krustlet, are orthogonal to this
discussion.
Our goal with this rewrite was to ensure that Krustlet would mirror the official Kubelet’s behavior as closely as possible. We found that many details about this behavior are undocumented, and spent considerable time running the application to infer its behavior and inspecting the Go source code. Our understanding is as follows:
- The Kubelet watches for Events on Pods that have been scheduled to it by
kube-scheduler. - When a Pod is added, the Kubelet enters a control loop to attempt to run the
Pod which only exits when the Pod is
Completed(all containers exit successfully) orTerminated(Pod is marked for deletion via the control plane and execution is interrupted). - Within the control loop, there are various steps such as
Image Pull,Starting, etc., as well as back-off steps which wait some time before retrying the Pod. At each of these steps, the Kubelet updates the control plane.
We recognized this pretty quickly as a finite-state machine design pattern, which consists of infallible state handlers and valid state transitions. This allows us to address the issues mentioned above:
- Break up the
Providertrait methods for running the Pod into short, single-focus state handler methods. - Consolidate status patch code to where a Pod enters a given state.
- Include error and back-off states in the state graph, and only stop
attempting to execute a Pod on
TerminatedorComplete. - Move as much of this logic into
kubeletas possible so that providers need only focus on implementing the state handlers.
With this architecture it becomes very easy to understand the behavior of the application, and strengthens our confidence that the application will not enter undefined behavior. In addition, we felt that Rust would allow us to achieve our goals while presenting an elegant API to developers, and with full compile-time enforcement of our state machine rules.
Our Animal Guide
When first discussing the requirements of our state machine, and the daunting task of integrating it with the existing Krustlet codebase, we recalled an excellent blog post, Pretty State Machine Patterns in Rust, by Ana Hobden (hoverbear), which I think has inspired a lot of Rust developers. The post explores patterns in Rust for implementing state machines which satisfy a number of constraints and leverage Rust’s type system. I encourage you to read the original post, but for the sake of this discussion I will paraphrase the final design pattern here:
struct StateMachine<S> {
state: S,
}
struct StateA;
impl StateMachine<StateA> {
fn new() -> Self {
StateMachine {
state: StateA
}
}
}
struct StateB;
impl From<StateMachine<StateA>> for StateMachine<StateB> {
fn from(val: StateMachine<StateA>) -> StateMachine<StateB> {
StateMachine {
state: StateB
}
}
}
struct StateC;
impl From<StateMachine<StateB>> for StateMachine<StateC> {
fn from(val: StateMachine<StateB>) -> StateMachine<StateC> {
StateMachine {
state: StateC
}
}
}
fn main() {
let in_state_a = StateMachine::new();
// Does not compile because `StateC` is not `From<StateMachine<StateB>>`.
// let in_state_c = StateMachine::<StateC>::from(in_state_a);
let in_state_b = StateMachine::<StateB>::from(in_state_a);
// Does not compile because `in_state_a` was moved in the line above.
// let in_state_b_again = StateMachine::<StateB>::from(in_state_a);
let in_state_c = StateMachine::<StateC>::from(in_state_b);
}
Ana introduces a number of requirements for a good state machine implementation, and achieves them with concise and easily interpretable code. In particular, these requirements (some based on the definition of a state machine, and some on ergonomics) were a high priority for us:
- One state at a time.
- Capability for shared state.
- Only explicitly defined transitions should be permitted.
- Any error messages should be easy to understand.
- As many errors as possible should be identified at compile-time.
In the next section I will discuss some additional requirements that we introduced and how these impacted the solution. In particular, we relaxed some of Ana’s goals in exchange for greater flexibility, while satisfying those listed above.
Tribulation
We were off to a great start, but it was time to consider how we want
downstream developers to interact with our new state machine API. In
particular, while the Kubelets we are familiar with all follow roughly the same
Pod lifecycle, we wanted developers to be able to implement arbitrary state
machines for their Kubelet. For example, some workloads or architectures may
need to have additional provisioning states for infrastructure or data, or
to introduce post-run states for proper garbage collection of resources.
Additionally, it felt like an anti-pattern to have a parent method (main in
the example above) which defines the logic for progressing through the states,
as this felt like having two sources of truth and was not something we could
implement on behalf of our downstream developers for arbitrary state machines.
Ana had discussed how to hold the state machine in a parent structure using an
enum, but it felt clunky to introduce large match statements which could
introduce runtime errors.
We knew that to allow arbitrary state machines we would need a State trait to
mark types as valid states. We felt that it would be possible for this trait to
have a next() method which runs the state and then returns the next State
to transition to, and we wanted our code to be able to simply call next()
repeatedly to drive the machine to completion. This pattern, we soon found,
introduced a number of challenges.
/// Rough pseudocode of our plan.
trait State {
/// Do work for this state and return next state.
async fn next(self) -> impl State;
}
fn drive_state_machine(mut state: impl State) {
loop {
state = state.next().await;
}
}
What does next() return?
Within our loop, we are repeatedly overwriting a local variable with
different types that all implement State. Without our parent method, or
wrapper enum, there was not a straightforward way for Rust to know how to
store these objects on the stack. Needless to say, the Rust compiler was
displeased. We spent some time pair programming with the Rust Playground on
solutions to this, and settled on using trait objects (Box<dyn State>), which
moves the object itself to the heap.
Utilizing the heap violates one of Ana’s original goals, and we learned that
the use of trait objects introduces a lot of (necessary) limitations on the
trait itself, including that it disallows generic methods and referencing Self in return types.
8 This does not prevent us from achieving our goals, but is
limiting and reduces performance due to the use of dynamic dispatch. We will
continue to explore stack-based solutions.
With the use of trait objects, there are only two options for the return type
of next(), which we captured with an enum:
pub enum Transition {
/// Transition to a new state.
Next(Box<dyn State>),
/// End execution of state machine with result.
Complete(Result<()>)
}
A Bit of Folly
We briefly explored one option for avoiding boxed traits: rather than iterating
on a trait object, we could define a recursive function, which accepts a state,
runs its handler, and then calls itself with the next state. This would place
all of our state objects on the stack by growing it with each recursive call,
and felt like a very interesting solution which leveraged Rust’s new
impl Trait feature, as well as the async_recursion crate. Of course we
realized that this was not acceptable because Pods regularly get caught in
loops (such as image pull / image pull backoff), which would grow the stack
without limit. Another drawback was that with concrete generic types,
Transition had to have an enum variant for each state that could be
transitioned to in a given state handler, making it impractical to support more
than a few outgoing edges in the state graph.
/// Represents result of state execution and which state to transition to.
pub enum Transition<S, E> {
/// Advance to next state.
Advance(S),
/// Transition to error state.
Error(E),
/// This is a terminal node of the state graph.
Complete(Result<()>),
}
#[async_recursion::async_recursion]
/// Recursively evaluate state machine until a state returns Complete.
pub async fn run_to_completion(state: impl State) -> Result<()> {
let transition = { state.next().await? };
match transition {
Transition::Advance(s) => run_to_completion(s).await,
Transition::Error(s) => run_to_completion(s).await,
Transition::Complete(result) => result,
}
}
Kubernetes-specific Behavior
A simpler task was adding behavior to the State trait to support our needs.
This included adding context to the next() method, such as the Pod manifest
and a generic type, PodState, to serve as shared data between state handlers.
This data is not shared between Pods, so state handlers from different Pods
can execute simultaneously. For any state shared between Pods, we chose to
leave it to developers to implement concurrency controls, which should make it
much more obvious to them when one Pod’s execution is blocking another’s.
Next, we added a second method that would be called upon when entering a state, which should produce a JSON patch for the Pod status associated with that state. This update is then sent to the Kubernetes control plane by our API, and this is ideally the one place in the code where Pod status patches are applied.
With all this in mind, we end up with a trait and a function to iteratively drive it to completion:
#[async_trait::async_trait]
/// A trait representing a node in the state graph.
pub trait State<PodState>: Sync + Send + 'static + std::fmt::Debug {
/// Run state handler and return next state or complete.
async fn next(
// We *are* able to use `Self` here, allowing us to move the object,
// and preventing reuse.
self: Box<Self>,
// Pod state shared between state handlers.
pod_state: &mut PodState,
// Pod manifest.
pod: &Pod,
) -> anyhow::Result<Transition<PodState>>;
/// Returns JSON status patch to apply when entering this state.
async fn json_status(
&self,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<serde_json::Value>;
}
/// Iteratively evaluate state machine until it returns Complete.
pub async fn run_to_completion<PodState: Send + Sync + 'static>(
client: &kube::Client,
state: impl State<PodState>,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<()> {
let api: Api<KubePod> = Api::namespaced(client.clone(), pod.namespace());
let mut state: Box<dyn State<PodState>> = Box::new(state);
loop {
let patch = state.json_status(pod_state, &pod).await?;
let data = serde_json::to_vec(&patch)?;
api.patch_status(&pod.name(), &PatchParams::default(), data)
.await?;
let transition = { state.next(pod_state, &pod).await? };
state = match transition {
Transition::Next(s) => {
s.state
}
Transition::Complete(result) => {
break result;
}
};
}
}
How to enforce edges
The last issue that we tackled was how to enforce constraints on which state
transitions are valid. When we moved to using trait objects, we effectively
made our state machine a fully connected graph. When objects are boxed and
returned as trait objects, their type is effectively lost, except for the trait
they implement. This meant that state handlers could return anything that is
State, and it would compile. We wanted to find a way to explicitly define
valid state transitions, as shown in Ana’s solution, and transparently
enforce this with the API we had developed.
This resulted in a devious plan. Under the guise of providing a nice
static method to handle Boxing for the user, we would add a where clause to
ensure that a directed edge trait is implemented between the two States.
Finally, the state itself would be wrapped in a struct with a private field,
which would prevent manual construction of Transition::Next without using
this static method (outside of the kublet crate, at least).
/// Implementor can transition to state `S`.
pub trait TransitionTo<S> {}
pub struct StateHolder {
// This field is private.
state: Box<dyn State>
}
impl Transition {
pub fn next<ThisState: State, NextState: State>(
_t: ThisState,
n: NextState
) -> Transition where ThisState: TransitionTo<NextState>,
{
Transition::Next(StateHolder { state: Box::new(s) })
}
}
A state handler could then transition to a valid state by returning:
Transition::next(self, NextStateObject)
The drawback here is that it is a little clunky to pass self to this
static method. We explored the use of generics or PhantomData to clean up
this API, however the nature of using trait objects means that we cannot
reference Self in the return type of next(), so that type information
cannot be part of Transition. This would seem to prevent type inference here,
and require the user to explicitly specify self in one form or another.
Our Trail Camp for this Release
Having developed our state machine API, developers can now implement a Kubelet
by defining their states and edges, and then supplying three new associated
types and one new method when implementing the Provider trait:
InitialState: Stateis the entrypoint of the state machine.TerminatedState: Stateis jumped to when a Pod is marked for deletion.PodStateis the type used for storing state that is shared between the state handlers of a Pod.fn initialize_pod_stateis called to create aPodStatefor a new Pod. Any state shared between Pods should be injected here.
We suggest placing each state type and it’s State implementation in its own
file or module for easier navigation of the code, a pattern that was used for
both our WASI and waSCC Kubelets. Here is an example definition of a state
machine for a very simple provider that starts and then runs until it is
terminated:
struct PodState;
struct Starting;
#[async_trait::async_trait]
impl State<PodState> for Starting {
async fn next(
self: Box<Self>,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<Transition<PodState>> {
// TODO: start workload
Ok(Transition::next(Running))
}
async fn json_status(
&self,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<serde_json::Value> {
Ok(serde_json::json!(null))
}
}
struct Running;
#[async_trait::async_trait]
impl State<PodState> for Running {
async fn next(
self: Box<Self>,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<Transition<PodState>> {
// Run forever
loop {
tokio::time::delay_for(std::time::Duration::from_secs(10)).await;
}
}
async fn json_status(
&self,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<serde_json::Value> {
Ok(serde_json::json!(null))
}
}
impl TransitionTo<Running> for Starting {}
struct Terminated;
#[async_trait::async_trait]
impl State<PodState> for Terminated {
async fn next(
self: Box<Self>,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<Transition<PodState>> {
// TODO: interrupt workload
Ok(Transition::Complete(Ok(())))
}
async fn json_status(
&self,
pod_state: &mut PodState,
pod: &Pod,
) -> anyhow::Result<serde_json::Value> {
Ok(serde_json::json!(null))
}
}
struct ExampleProvider;
impl Provider for ExampleProvider {
type PodState = PodState;
type InitialState = Starting;
type TerminatedState = Terminated;
/// Use this hook to inject state shared between Pods into `PodState`
/// before it is passed to the state machine.
async fn initialize_pod_state(
&self,
pod: &Pod
) -> anyhow::Result<Self::PodState> {
Ok(PodState)
}
}
Lessons Learned
We believe that this API leads to much more maintainable Provider
implementations, and allows us to enjoy compile-time enforcement of our state
machine constraints. We will continue to make less-intrusive refinements to
this API, with the main goal of improving ergonomics.
One area for refinement, which we explored during this process and will continue to explore, is the use of macros for defining states. As it stands, there is a fair amount of boilerplate that must be implemented for each state. We found, however, that compiler errors originating from macros were extremely opaque, and we would like to identify a better solution.
In general, we were pleasantly surprised by this “fearless refactoring”. In our
planning phase, Rust’s type system allowed us to develop specific functionality
using some placeholder types in Rust Playground, and be confident the code
could drop into our larger codebase. Then, we added our new functionality and
worked iteratively to integrate it into the crate: commenting out some old
code, finding all of its call sites and use cases, and then working in our new
code. All in, the kubelet crate itself took around fifteen hours to convert.
Next, it was time to update our included WASI and waSCC Kubelets. We quickly
discovered that the layout of our repository (all-in-one, using cargo
workspaces) presented some issues. We could not split up our two conversions
into separate pull requests without our test cases failing on both, it was
clear that we had outgrown this monorepo style. We made do for this project,
but have taken steps to begin splitting these crates into separate
repositories.
One final lesson, the waSCC Kubelet is slightly simpler than the WASI Kubelet. While designing the API to be as flexible as possible, I primarily referenced the waSCC code, as we had decided that I would convert it before we attempted the WASI conversion. This resulted in some growing pains (felt mostly by Matt Fisher, who took the lead on the WASI conversion), as we found that container status patches were much more complex for this Kubelet, and were necessary to satisfy our end-to-end test suite. Going forward, we will be extending our state machine API to simplify the process of updating single container statuses.
The Open Road
I hope that this has been an interesting deep dive into our new architecture, as well as some good lessons learned from the trenches. I was pleasantly surprised at the practicality of such an invasive refactoring in the Rust ecosystem. The team got a much better feel for some of the more nuanced aspects of Rust’s type system, which will be very useful when trying to leverage it in the future.
Besides this release, the Krustlet project has a busy and exciting Fall
scheduled, leading up to a v1.0.0 release loosely planned for Q1 2021. Our
major initiatives are:
-
Volume Mounting via Container Storage Interface (CSI).
-
Networking via Container Networking Interface (CNI).
-
Turn-key setup with several major Kubernetes flavors.