very slow apply performance due to openapi schema reparsing

[juliantaylor]

What happened:
kubectl apply is very slow in reading manifest files. It appears to be the case that kubectl rereads its configuration several times per manifest it is supposed to apply which gets extremely slow, several minutes when applying large amount of manifests.

How to reproduce it (as minimally and precisely as possible):

$ cat kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /tmp/cluster.pem
    server: https://cluster.url
  name: cluster
contexts:
- context:
    cluster: cluster
    user: user
  name: cluster-user
current-context: cluster-user
kind: Config
preferences: {}
users:
- name: user
  user:
    token: ...

for i in {1..10}; do echo '{  "apiVersion": "v1",  "kind": "Namespace",   "metadata": { "name": "ns'$i'" }}' ; done > manifests
$ cat manifests
{  "apiVersion": "v1",  "kind": "Namespace",   "metadata": { "name": "ns1" }}
{  "apiVersion": "v1",  "kind": "Namespace",   "metadata": { "name": "ns2" }}
{  "apiVersion": "v1",  "kind": "Namespace",   "metadata": { "name": "ns3" }}
...

Now run following dry-run kubectl and observe how often it opens (and reads) the certificate-authority file cluster.pem:

$ kubectl version
Client Version: v1.31.0
Kustomize Version: v5.4.2

$ for i in {1..10}; do echo '{  "apiVersion": "v1",  "kind": "Namespace",   "metadata": { "name": "ns'$i'" }}' ; done > manifests
$ KUBECONFIG=config GOMAXPROCS=2 strace -f -e openat apply --dry-run=client  -f manifests|& grep cluster.pem -c
27
# run in 1 second
$ for i in {1..100}; do echo '{  "apiVersion": "v1",  "kind": "Namespace",   "metadata": { "name": "ns'$i'" }}' ; done > manifests
$ KUBECONFIG=config GOMAXPROCS=2 strace -f -e openat apply --dry-run=client  -f manifests|& grep cluster.pem -c
207
# run in 12 seconds

Increasing the number of objects in the manifests file increase the times it reads the cluster certificate from its configuration which does not seem necessary.
edit: see below, the real problem is repeated json decoding of the the openapi schema documents

When applying more manifests the time before kubectl even contacts the server increases to several minutes which can be very relevant for e.g. CI test runs.

The problem should not be the the manifest parsing time, as e.g. python yaml or the golang yq version can parse these manifests in a fraction of the time it takes kubectl.

[ardaguclu]

What about passing --dry-run=server or using --server-side?, the same situation occurs in server-side apply as well?.

[juliantaylor]

yes, the problem occurs before it even starts talking to the server regarding the manifests (and after it has setup its resource caches from the servers api-resources)

[ardaguclu]

There might be a latency in discovery endpoint. Could you please run by increasing the log verbosity (-v=9) and check that exactly which endpoint is so slow?.

[juliantaylor]

it is not an endpoint that is slow, it is spending all its team reading the certificate authority over and over again at 100%-150% cpu usage

[juliantaylor]

here is the output with network log:

$ kubectl apply --dry-run=client -f manifests -v 6 |& ts 
Dez 05 13:31:33 I1205 13:31:33.126524  397199 loader.go:395] Config loaded from file:  config
Dez 05 13:31:33 I1205 13:31:33.159773  397199 round_trippers.go:553] GET server/openapi/v3?timeout=32s 200 OK in 30 milliseconds
Dez 05 13:31:33 I1205 13:31:33.191357  397199 round_trippers.go:553] GET server/openapi/v3/api/v1?hash=......&timeout=32s 200 OK in 25 milliseconds

<<< 11 seconds of reading cluster.pem >>

Dez 05 13:31:44 I1205 13:31:44.831916  397199 round_trippers.go:553] GET .../api/v1/namespaces/ns1 404 Not Found in 6 milliseconds

[juliantaylor]

if you give me some pointers how to create a cpu profile I can pinpoint the exact cause for you, I'm not very familiar with golang tooling.

[ardaguclu]

Reading the cluster.pem shouldn't take 11 seconds. I'd recommend checking the output by running highest verbosity (i.e. -v=99).

[juliantaylor]

please read my full report, reading the cluster pem does not take 11 seconds, reading the cluster pem hundreds of times (it seems twice per input manifest) and the other code associated with loading the kubeconfig does.

adding -v99 does not change the output as you do not log anything for that part of the code

Dez 05 13:40:14 I1205 13:40:14.767803  397762 cached_discovery.go:77] returning cached discovery info from .../crd.projectcalico.org/v1/serverresources.json


<<< 11 seconds of reading clsuter.pem +whatver else kubectl does with the config >>


Dez 05 13:40:24 I1205 13:40:24.913038  397762 round_trippers.go:466] curl -v -XGET  -H "Accept: application/json" -H "User-Agent: kubectl/v1.30.6 (linux/amd64) kubernetes/00f20d4" 'servernamespaces/ns1'

[juliantaylor]

using --validate=false removes the performance problem

[ardaguclu]

Validation interacts with the API server as in here. I think, there is an issue on your cluster. What is your cluster version?

[ardaguclu]

/remove-kind bug
/kind support