🐛 manager: fix infinite CPU spin in runnableGroup.Start on context cancellation

[atharrva01]

Summary

This PR fixes a control-flow bug in the manager startup lifecycle where runnableGroup.Start() could enter an infinite loop when the context is cancelled before all runnables signal readiness.
The issue could cause manager startup or shutdown to hang indefinitely while consuming CPU.

---

Impact

Before this change, the manager could:

• Spin indefinitely at 100% CPU after context cancellation
• Hang forever during startup if any runnable fails its readiness check
• Hang during SIGTERM / shutdown while waiting for runnables
• Leak goroutines stuck inside Start()

These scenarios are common in real deployments (RBAC misconfigurations, cache sync failures, API server unavailability), making the issue both user-visible and hard to diagnose.

---

Steps to Reproduce

Scenario 1: Startup failure

1. Start a manager with a runnable whose cache sync fails (e.g. missing RBAC)
2. The runnable never signals readiness
3. Start() waits forever and the manager never becomes ready

Scenario 2: Shutdown during startup

1. Start the manager
2. Send SIGTERM before all runnables become ready
3. Context is cancelled, but Start() keeps looping and burns CPU

---

Root Cause

The startup loop correctly listens for ctx.Done(), but does not exit the loop when the context is cancelled.

case <-ctx.Done():
    if err := ctx.Err(); !errors.Is(err, context.Canceled) {
        retErr = err
    }
    // loop continues → ctx.Done() fires forever

Since ctx.Done() is a closed channel after cancellation, the select immediately re-selects it on every iteration, causing a tight busy loop.

---

Fix

Exit the startup loop immediately when the context is cancelled:

case <-ctx.Done():
    if err := ctx.Err(); !errors.Is(err, context.Canceled) {
        retErr = err
    }
    return

This ensures:

• The startup loop terminates correctly
• Errors are propagated to the caller
• Shutdown and startup behave predictably

---

Behavior After Fix

• Manager startup fails fast instead of hanging
• Shutdown completes cleanly without CPU spin
• No goroutine leaks from stuck Start() calls
• Already-started runnables continue running on their own context and are cleaned up via StopAndWait()

---

Verification

• ✅ Code compiles successfully
• ✅ go vet passes
• ✅ Existing unit tests pass
• ⚠️ Integration tests require envtest binaries (not available in this environment)

---

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: atharrva01 / name: Atharva Borade (4e1d027, 8b18f6f, 8deb807, ab2c563, b0f36fd, c00cf65)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: atharrva01
Once this PR has been reviewed and has the lgtm label, please assign joelanford for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Welcome @atharrva01!

It looks like this is your first PR to kubernetes-sigs/controller-runtime 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-runtime has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @atharrva01. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[atharrva01]

hi @inteon @vincepri This fixes a startup/shutdown hang where runnableGroup.Start() could spin indefinitely after context cancellation by returning immediately on ctx.Done().

[sbueringer]

Nice catch, thx!

PTAL at the CLA: #3440 (comment)

/ok-to-test

[atharrva01]

hi @sbueringer I’ve added a focused regression test covering the context-cancellation path in runnableGroup.Start(). I ran the unit test locally; integration tests require envtest binaries, so CI should cover those. Thanks for the suggestion!

[sbueringer]

@atharrva01 The 🐛 prefix in the PR title I added was intentional. We use this to generate release notes and without it the "PR title verifier" action will block merging this PR

[atharrva01]

hi @sbueringer Thanks for the clarification! 👍
I’ve kept that manager: prefix as suggested.

[sbueringer]

Feel free to ping me for review once the CLA is done

[atharrva01]

Hi @sbueringer, the Easy CLA is now completed ✅
Whenever you have time, I’ve pinged you for review as suggested. Thanks!

[sbueringer]

Thx, just some minor findings

[sbueringer]

Let's use t.Context() instead of context.Background(), same below (see linter findings)

[sbueringer]

Maybe let's use 5s or so just to make sure we don't get a flake in CI. 100ms should be enough, but not sure how slow CI might be

[atharrva01]

hi @sbueringer I’ve updated the test to use t.Context() and relaxed the timeout to avoid potential CI flakes, as suggested. Changes are pushed, retriggering CI now.

/retest

[sbueringer]

@atharrva01 One more linter finding (please see the lint/test results below :))

[atharrva01]

hi @sbueringer Thanks for catching that , there was one remaining context.Background() in the test.
I’ve replaced it with t.Context() to satisfy lint. Changes are pushed.

[sbueringer]

Looks like there's an issue, not sure if in prod or test code

WARNING: DATA RACE
Write at 0x00c0006184e0 by goroutine 191:
  runtime.closechan()
      /home/prow/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/runtime/chan.go:414 +0x0
  sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).Start.func1.deferwrap1()
      /home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:170 +0x33
  runtime.deferreturn()
      /home/prow/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/runtime/panic.go:589 +0x5d
  sync.(*Once).doSlow()
      /home/prow/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/sync/once.go:78 +0xd1
  sync.(*Once).Do()
      /home/prow/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/sync/once.go:69 +0x44
  sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).Start()
      /home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:169 +0xb5
  sigs.k8s.io/controller-runtime/pkg/manager.init.func5.3.1()
      /home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group_test.go:181 +0xca

Previous read at 0x00c0006184e0 by goroutine 238:
  runtime.chansend()
      /home/prow/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/runtime/chan.go:176 +0x0
  sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1.1()
      /home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:249 +0xc4

Goroutine 191 (running) created at:
  sigs.k8s.io/controller-runtime/pkg/manager.init.func5.3()
      /home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group_test.go:178 +0xf9
  github.com/onsi/ginkgo/v2/internal.(*Suite).runNode.func3()
      /home/prow/go/pkg/mod/github.com/onsi/ginkgo/v2@v2.27.2/internal/suite.go:942 +0x6ed

Goroutine 238 (running) created at:
  sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1()
      /home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:246 +0xfc
  sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.gowrap1()
      /home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:284 +0x41
==================
panic: send on closed channel

goroutine 281 [running]:
sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1.1()
	/home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:249 +0xc5
created by sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1 in goroutine 279
	/home/prow/go/src/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:246 +0xfd
FAIL	sigs.k8s.io/controller-runtime/pkg/manager	5.433s

https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/kubernetes-sigs_controller-runtime/3440/pull-controller-runtime-test/2018359601396715520 (see https://storage.googleapis.com/kubernetes-ci-logs/pr-logs/pull/kubernetes-sigs_controller-runtime/3440/pull-controller-runtime-test/2018359601396715520/build-log.txt)

[atharrva01]

hi @sbueringer Thanks for the clarification request, this turned out to be a real concurrency issue in runnableGroup, not just a test artifact.

Start() was closing startReadyCh while readiness goroutines could still send on it, which caused a data race and send on closed channel panic depending on timing. Tests just made this easier to reproduce.

Removing the channel close exposed a second shutdown issue: Start() could block waiting for readiness when StopAndWait() cancelled the group context and all senders had already exited.

The fix now handles both sides explicitly: senders stop on r.ctx.Done(), and Start() exits readiness waiting on either ctx.Done() or r.ctx.Done(). This avoids races and deadlocks while preserving normal startup behavior.

Unit tests and go test -race pass locally; envtest-based integration tests should be covered by CI.

[sbueringer]

I got why we can't close the channel in the other cases above, but I think we can still close it here

[sbueringer]

I think this has to be the first case otherwise this will still send always on startReadyCh

[sbueringer]

I think the 100ms are outdated