New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Antrea Network Policy Audit Logging Deduplication and Unit Tests #2294
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2294 +/- ##
==========================================
+ Coverage 60.09% 65.04% +4.95%
==========================================
Files 281 282 +1
Lines 22243 25545 +3302
==========================================
+ Hits 13366 16617 +3251
+ Misses 7467 7393 -74
- Partials 1410 1535 +125
Flags with carried forward coverage won't be shown. Click here to find out more.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM overall
8628df6
to
7fbbd19
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
now that we have deduplication support and we are making the logging logic more complex, we should have unit tests for this. It should be possible to pass a log.Logger object which captures log message for testing purposes.
23ced17
to
903e38d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
f017a21
to
34eb14e
Compare
|
/test-all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor nits but otherwise lgtm
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Signed-off-by: Qiyue Yao <yaoq@vmware.com>
|
/test-all |
| anpLogger: log.New(logOutput, "", log.Ldate|log.Lmicroseconds), | ||
| logDeduplication: logRecordDedupMap{logMap: make(map[string]*logDedupRecord)}, | ||
| } | ||
| klog.V(2).Infof("Initialized Antrea-native Policy Logger for audit logging with log file '%s'", logFile) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you are going to make a change, better to change this logging to structured logging too.
| actual := <-mockAnpLogger.logged | ||
| assert.Contains(t, actual, expectedLogWithCount(expected, 9)) | ||
| actual = <-mockAnpLogger.logged | ||
| assert.Contains(t, actual, expected) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test requires the clock and go routine scheduling works precisely. I think it may be flaky when the testbed is overloaded, could you try go test -count 100 to see if it's stable?
|
Unrelated Kind test failure (in TestFlowAggregator/IPv4/IntraNodeFlows). @srikartati FYI |
@dreamtalen added the pod label test. Could you take a look at this? |
Sure, I'm trying to reproduce it locally. |
…rea-io#2294) Added log deduplication for Antrea Network Policy Audit Logging. - Directly log if disposition is Allow, use 1 sec buffer otherwise. - For each log, create an entry in the global map, which includes a 1 sec timer and counter. - Increase count upon receiving a duplication log. - Write to new log when timer stops, include [count, duration] for the log additionally. example: `2021/06/24 23:56:41.346165 AntreaPolicyIngressRule AntreaNetworkPolicy:default/test-anp2 Drop 44900 SRC: 10.10.2.5 DEST: 10.10.1.10 84 ICMP [2 packets in 1.011379442s]` Changed Controller structure. - Removed `loggingEnabled`, which was set to always equal to `antreaPolicyEnabled`. - Added `AntreaPolicyLogger`, used for audit logging. Added unit tests for Antrea Network Policy Audit Logging. - Allow: directly log once. - Drop: log once, no additional log info. - DedupDrop: log once, include duplicate log info. - Multi DedupDrop: two different logs, includes duplicate log info.
…t Tests (#2578) This is a follow up PR for [Antrea Network Policy Audit Logging Deduplication and Unit Tests](#2294) to address comments. - Converted back to include both `antreaPolicyEnabled` and `loggingEnabled` for extensible usage. - Changed `AntreaPolicyLogger` method naming. - Moved `bufferLength` to a member of `AntreaPolicyLogger` to avoid confusion. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Added log deduplication for Antrea Network Policy Audit Logging.
example:
2021/06/24 23:56:41.346165 AntreaPolicyIngressRule AntreaNetworkPolicy:default/test-anp2 Drop 44900 SRC: 10.10.2.5 DEST: 10.10.1.10 84 ICMP [2 packets in 1.011379442s]Changed Controller structure.
loggingEnabled, which was set to always equal toantreaPolicyEnabled.AntreaPolicyLogger, used for audit logging.Added unit tests for Antrea Network Policy Audit Logging.
Testing:
ping -i 0.2 <ip-address>