Page MenuHomePhabricator
Create Task
Maniphest T419992

Alert if calico BGP sessions are not established on any kubernetes worker
Closed, DuplicatePublic
Actions

Description

We have recently observed conditions where some kubernetes workers (in the dse-k8s-eqiad cluster) were put into service without functional BGP sessions.
The result of this is that pods were scheduled but had no connectivity and this caused errors.

We have some checks in place from the switch side, such as those in team-wmcs/bgp.yaml, but nothing yet which monitors calico from the host side.

We could perhaps use the output from calicoctl node status and make this available via a prometheus::node_textfile resource.

A working calico node shows output similar to this:

btullis@dse-k8s-worker1018:~$ sudo calicoctl node status
Calico process is running.

IPv4 BGP status
+--------------+---------------+-------+----------+-------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+--------------+---------------+-------+----------+-------------+
| 10.64.181.1  | node specific | up    | 12:26:02 | Established |
+--------------+---------------+-------+----------+-------------+

IPv6 BGP status
+-------------------+---------------+-------+----------+-------------+
|   PEER ADDRESS    |   PEER TYPE   | STATE |  SINCE   |    INFO     |
+-------------------+---------------+-------+----------+-------------+
| 2620:0:861:13b::1 | node specific | up    | 12:26:02 | Established |
+-------------------+---------------+-------+----------+-------------+

When the switch port isn't fully configured, so the BGP sessions are not established, the output looks like this:

btullis@dse-k8s-worker1018:~$ sudo calicoctl node status
Calico process is running.

IPv4 BGP status
+--------------+---------------+-------+----------+--------------------------------+
| PEER ADDRESS |   PEER TYPE   | STATE |  SINCE   |              INFO              |
+--------------+---------------+-------+----------+--------------------------------+
| 10.64.181.1  | node specific | start | 11:56:58 | Active Socket: Connection      |
|              |               |       |          | refused                        |
+--------------+---------------+-------+----------+--------------------------------+

IPv6 BGP status
+-------------------+---------------+-------+----------+--------------------------------+
|   PEER ADDRESS    |   PEER TYPE   | STATE |  SINCE   |              INFO              |
+-------------------+---------------+-------+----------+--------------------------------+
| 2620:0:861:13b::1 | node specific | start | 11:56:58 | Active Socket: Connection      |
|                   |               |       |          | refused                        |
+-------------------+---------------+-------+----------+--------------------------------+

This check could be useful for any kubernetes worker node.

Related Objects

Event Timeline

BTullis created this task.Mar 13 2026, 2:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2026, 2:04 PM
BTullis added a project: Sustainability (Incident Followup).Mar 13 2026, 2:07 PM
cmooney added a comment.Mar 13 2026, 4:30 PM

Thanks for the task @BTullis

While we can take an approach similar to the WMCS team (alerting on the switch-side status), it occurs to me a likely cause of a problem would be the switch isn't configured. In which case the series for that host won't be exported by the switch and we won't get an alert.

I did a quick-check online and it appears that calico-node in the open-source version doesn't provide any bgp stats out of the box. So we probably would need to somehow export the status as you show from calicoctl.

cmooney triaged this task as Low priority.Mar 16 2026, 2:22 PM
MoritzMuehlenhoff merged a task: T419991: Alert if calico BGP sessions are not established on any kubernetes worker.Mar 16 2026, 2:22 PM
Gehel moved this task from Incoming to Observability on the Data-Platform-SRE board.Mar 17 2026, 8:39 AM
BTullis mentioned this in T418582: Add dse-k8s-worker102[4-8] to the dse-k8s-eqiad cluster.Mar 19 2026, 2:41 PM
MLechvien-WMF subscribed.Apr 10 2026, 12:41 PM

@BTullis is this linked to T419457: dse-k8s control plane OOM ? If yes, could you please add the corresponding incident in description; if not could you remove the Incident Followup tag?

This is to make sure we track follow-ups accurately

ayounsi subscribed.May 4 2026, 2:30 PM

This looks like a duplicate of T356877: Increase visibility of kubernetes network status (and subtask like T423851: Collect calico BGP metrics) but for a different team. I think you can apply the same kind of monitoring for your services.

MLechvien-WMF added subscribers: Blake, JMeybohm.Wed, Jun 17, 8:44 AM

@Blake @BTullis can we dedup those tasks (or create a dependency)?

Re: the Incident Follow-up tag, I wonder if there is immediate risk vs what is more feature request. cc @JMeybohm if this needs discussion in Kubernetes WIG

JMeybohm closed this task as a duplicate of T356877: Increase visibility of kubernetes network status.Wed, Jun 17, 8:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits