Don't double account for requests going through the activator.

[markusthoemmes]

In what area(s)?

/area autoscale
/area networking

What version of Knative?

HEAD

Description

Today, we have 2 components informing the autoscaler about the state of the system: activator and queue-proxy (per pod). With activator throttling enabled we can now have the situation where the activator and the queue-proxies simultaneously send valid concurrency data. The autoscaler needs some adjustments in its algorithms to account for that (see #3289) but we also need to make sure that we do not double account for requests.

If a request is proxied by the activator today, both the activator and the receiving queue-proxy will increase their respective concurrency counters to report that.

We discussed 2 ways of fixing that:

Proposal 1: Discount in the activator

We can discount a request in the activator as soon as it hits the proxyRequest method (i.e. is handed off to Golang's ReverseProxy). However, that method has internal retries and we cannot know when the request is really proxied. That can make for blurriness in the autoscaler signal.

Proposal 2: Discount in the queue-proxy

The second proposal was to discount the request in the queue-proxy. The activator would set a header that will cause the queue-proxy to not take that request into consideration when accounting for it's observed concurrency. It's been pointed out that this is a potential attack vector as arbitrary users could set this header as well which would in turn render autoscaling of that revision inaccurate and could potentially choke the application.

[markusthoemmes]

/cc @k4leung4
/cc @mattmoor

[vvraskin]

Regarding the attack vector in Proposal 2. As it seems it is possible to sanitise headers on the latest master of Istio - istio/istio#8340 (I haven't tested it myself through). So we could restrict users from using certain system headers by pruning them if they are present. Maybe it is something we could benefit from after migrating to Istio 1.1?

[markusthoemmes]

Maybe, we shouldn't wait for Istio 1.1 with this though.

[markusthoemmes]

Talked to Kenny and he's going to take this on.

/assign @k4leung4

/milestone "Serving 0.5"

[knative-prow-robot]

@markusthoemmes: You must be a member of the knative/knative-milestone-maintainers github team to set the milestone.

Details

In response to this:

Talked to Kenny and he's going to take this on.

/assign @k4leung4

/milestone "Serving 0.5"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mattmoor]

/milestone "Serving 0.5"

[knative-prow-robot]

@mattmoor: The provided milestone is not valid for this repository. Milestones in this repository: [Ice Box, Needs Triage, Serving "v1" (ready for production), Serving 0.5]

Use /milestone clear to clear the milestone.

Details

In response to this:

/milestone "Serving 0.5"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k4leung4]

/milestone Serving 0.5

[k4leung4]

/assign @hohaichi
/assign @yanweiguo

As I won't be able to work on it any more.