-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add RESPONSE_CODE_DETAILS and CONNECTION_TERMINATION_DETAILS to access log #27903
Conversation
would be great to see an example of what this looks like |
@@ -41,6 +42,14 @@ const ( | |||
"\"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" " + | |||
"%UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% " + | |||
"%DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n" | |||
// EnvoyTextLogFormatIstio18 format for envoy text based access logs for Istio 1.8 onwards | |||
EnvoyTextLogFormatIstio18 = "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will this break people parsing output, or are they expected to be using json format?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's possible but I don't think we treat the log format as a stable API otherwise it seems we can never really update it? Also I think the user is probably using their customized access log format if they're going to parse it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I agree with you, just wanted to put out the comment in case someone else disagrees. I have used https://github.com/nitishm/engarde which does this but that doesn't mean its a valid use case.
sure, I'm waiting for my other istio/proxy PR (istio/proxy#3045) merged and then update Envoy in istio to test this PR and include the output. |
Sounds good. This sounds super useful |
really helpful |
/test integ-pilot-k8s-tests_istio |
Confused by your original example: |
Clearly useful, will approve if @istio/wg-policies-and-telemetry-maintainers approve |
to be clear, this is changing the default Istio format for access logs? @mandarjog @nrjpoddar what do we want to do for defaulting in a Telemetry API world to match this? This is currently NOT shared across "providers". |
I do think this is an API and it will break users who have tooling around log parsing. I would suggest that we create a global option to conditionally disable it in 1.9 with upgrade/release notes documentation around the impact of this change. |
@nrjpoddar The user should explicitly set the log format in |
@howardjohn Oh, sorry about that, it's from my test cluster that is using out-dated code. Updated the description to include the latest log based on this PR. |
I see, if that’s the case why do we need to change defaults? Shouldn’t we document how to update the default format and add these additional fields. Changing the default might be warranted if you can share issues filed by users where this info would have helped in debugging. Other way to think about this is we can document steps for logging these fields, add a warning about making them default next release but keep the default as is for a release and measure if we can get some feedback. |
RESPONSE_CODE_DETAILS and CONNECTION_TERMINATION_DETAILS are generally quite useful in troubleshooting why a request is denied, Envoy and many filters will set the two fields to give extra information of the deny, for example, RBAC filter could set it to include the name of the policy that caused the deny, the HTTP connection manager could set it to include the reason the stream is reset and by who (and there are more reasons can be set there), etc. The most relevant documentation I can find on istio.io is this one: https://istio.io/latest/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging, it tells how to enable the access log but doesn't mention the default value of The Mesh config doc (https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig) mentions the following:
It says And I believe we had changed the log format a few times before, the most recent I can find is this PR #16237 that adds the I can abandon this PR and just update the task to mention the two log operator but I'm afraid that would be much less useful and cannot be used if not all proxy version is up-to-date because the new log operator is only available in newer Envoy, and the |
I am in favor of enabling this by default for the reasons @yangminzhu mentioned. Users who are broken by this, are "wrong". We cannot make the entire project freeze just because we may break someones workflow. If you want to parse access logs, you should use JSON and/or define a stable format. This is no different then us changing an istiod log format. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving with a hold since there may not be consensus
Ok, I see your points and I agree with the benefits. Here are my asks:
@yangminzhu what do you think? We can do some of this in follow-on PRs if we agree on principle. |
This will be especially important as we transition to a fuller Telemetry API. We want to ensure that transition is seamless, and having tests around default behavior will help in that regard. |
Sure, will add one.
will do.
I can add some unit tests, does that sound good to you?
I think I can just update the PR to include the release note and unit test, will need a separate PR to update the istio.io documentation. Thanks! |
@yangminzhu I'm not the right person to ask unit vs integration tests for this as I'm not familiar with the code. If @douglas-reid or @mandarjog are happy with your test I'm good too, so check with them. |
ebd34c1
to
a617014
Compare
@nrjpoddar @douglas-reid @mandarjog added release note and unit tests, could you take a second look, thanks. |
/test unit-tests_istio |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for accommodating our suggestions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lgtm, thanks for pushing this through.
These log operators should be very useful for troubleshooting and debugging in many cases.
Example Logs (RESPONSE_CODE_DETAILS): (
via_upstream
,filter_chain_not_found
,http1.codec_error
,rbac_access_denied_matched_policy[none]
)Example Logs (CONNECTION_TERMINATION_DETAILS): (
rbac_access_denied_matched_policy[ns[foo]-policy[httpbin]-rule[0]]
)[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[X] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Pull Request Attributes
Please check any characteristics that apply to this pull request.
[X] Does not have any changes that may affect Istio users.