Fix default auditing options. #60739
Conversation
// Don't validate the unused options. | ||
return nil | ||
} | ||
config := options.BatchConfig |
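Review bot: the early `return nil` under "Don't validate the unused options" is the right call for a backend that is not in use, but the hunk does not show how "unused" is decided; since the thread proposes moving the log backend's default to batch mode, make sure the skip covers exactly the disabled-backend and blocking-mode cases, so the batch flags become validated the moment they take effect.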
What will happen if --audit-log-batch-max-wait is set to zero?
It will hotloop. Not great, but not exactly invalid. I'd prefer to leave it as-is here.
Overall LGTM
Log backend defaults to blocking mode (backwards compatibility)
This is still a rollback. I think batching behavior is better by default
@@ -101,3 +101,7 @@ func (b *backend) processEvents(ev ...*auditinternal.Event) error { | |||
return b.w.RestClient.Post().Body(&list).Do() | |||
}).Error() | |||
} | |||
|
|||
func (b *backend) String() string { |
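Review bot: the new `func (b *backend) String() string` carries no doc comment stating what it returns; the reviewers below rely on it yielding a short backend name rather than a struct dump, and the union backend concatenates these values, so document that contract on the method (or, as suggested, add a dedicated Name() to the backend interface so the expectation is explicit).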
Why not Name()?
This way just supports calling fmt.Sprintf("%s", ...), and resolves to something if String isn't set. I opted not to add it to the backend interface. But I don't have a strong preference, it's sort of a hack to get the test working.
I am OK with it, if the new behavior is well documented.
Re: default to batch - I think we should merge this (revert defaults), and then follow up with a separate PR to change just the log default (maybe wait for 1.11). I could add a release note or help text stating that the default will change in the future.
func (u union) String() string { | ||
var backendStrings []string | ||
for _, backend := range u.backends { | ||
backendStrings = append(backendStrings, fmt.Sprintf("%s", backend)) |
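Review bot: `fmt.Sprintf("%s", backend)` on the last line works only while every backend implements fmt.Stringer; for one that does not, %s formats the struct's fields, so the union's name would contain whatever configuration that backend holds. Either add String()/Name() to the backend interface or type-assert fmt.Stringer here and fall back to a fixed name.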
nit: why not backend.String() instead of printf("%s", ...)?
The backend interface doesn't have String. I could add String() (or just Name()) to the interface, or try to cast to fmt.Stringer here, but I thought the Sprintf was simpler. I don't have any real preference though...
it's fine as it is then.
I'd actually prefer to have a dedicated method in the interface. Otherwise you have to have implicit knowledge that stringifying a backend should give a short name of the backend, not e.g. the full struct.
if err := validateBackendBatchConfig(pluginwebhook.PluginName, o.LogOptions.BatchOptions.BatchConfig); err != nil { | ||
allErrors = append(allErrors, err) | ||
if o.WebhookOptions.enabled() { | ||
if err := validateBackendBatchOptions(pluginwebhook.PluginName, o.WebhookOptions.BatchOptions); err != nil { |
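Review bot: the removed line validates the log backend's batch config under pluginwebhook.PluginName, so any error for the log batch flags would have been reported against the webhook plugin; the added lines correctly scope the webhook validation to `o.WebhookOptions.enabled()`, but check that the log options receive the matching validateBackendBatchOptions call under the log plugin's own name so the log backend is not left unvalidated.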
the pattern we have everywhere else is to pass o.WebhookOptions to the validate func and check for nil (and ConfigFile) locally. This style complicates the code by making complexity non-local.
Done.
if o.LogOptions.MaxSize < 0 { | ||
allErrors = append(allErrors, fmt.Errorf("--audit-log-maxsize %v can't be a negative number", o.LogOptions.MaxSize)) | ||
// Check validities of MaxAge, MaxBackups and MaxSize of log options, if file log backend is enabled. | ||
if o.LogOptions.enabled() { |
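Review bot: the `o.LogOptions.MaxSize < 0` check in the first lines runs unconditionally, while the comment and the added `if o.LogOptions.enabled()` guard show that MaxAge, MaxBackups and MaxSize are only meant to be validated when the file backend is on; keep the guard and the checks together (in validateLogOptions, as suggested below) so a stale --audit-log-maxsize value does not reject a configuration that never writes a log file.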
the whole block belongs in validateLogOptions
Done.
As I've mentioned in #60719 (comment) I think this PR should be merged before the freeze, the default parameters for the log backend should change. I don't think it's possible currently to limit the number of goroutines running at the same time in the batching backend, so our option would be either to set the low flush timeout or low max batch size. The former is better, since the chance to have events ordered is higher and it allows to avoid write contention.
/unassign
Discussed with @crassirostris, I think we should try and get this into 1.10. I'll address the comments in the next hour.
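To make the flush-timeout versus batch-size trade-off in the comment above concrete, here is an added example in Go (not code from this PR or from Kubernetes): a validator in the style of the PR's flag checks, and a deterministic replay of the flush decisions a buffered backend makes. The struct field names, the --audit-<plugin>-batch-max-size flag name and the event arrival times are assumed or constructed; only --audit-log-batch-max-wait comes from the thread.

```go
package main

import (
	"fmt"
	"time"
)

// Event stands in for auditinternal.Event; only its arrival offset matters here.
type Event struct{ Arrival time.Duration }
// BatchConfig holds the two tunables the thread discusses (field names assumed).
type BatchConfig struct{ MaxBatchSize int; MaxBatchWait time.Duration }

// Validate follows the PR's flag-check style: negative values are rejected with the flag
// name in the message; zero wait is accepted (as the reviewers decided) but flagged as a hotloop warning.
func Validate(plugin string, c BatchConfig) (errs []string, warn string) {
	if c.MaxBatchSize <= 0 { // flag name assumed, not taken from the page
		errs = append(errs, fmt.Sprintf("--audit-%s-batch-max-size %v should be a positive number", plugin, c.MaxBatchSize))
	}
	if c.MaxBatchWait < 0 {
		errs = append(errs, fmt.Sprintf("--audit-%s-batch-max-wait %v can't be a negative number", plugin, c.MaxBatchWait))
	}
	if c.MaxBatchWait == 0 {
		warn = fmt.Sprintf("--audit-%s-batch-max-wait is 0: the flush timer fires continuously", plugin)
	}
	return errs, warn
}

// Simulate replays events in arrival order and returns the batches a buffered backend would
// flush: a batch closes at MaxBatchSize or MaxBatchWait after its first event. One flush = one write.
func Simulate(c BatchConfig, events []Event) [][]Event {
	var batches [][]Event
	var cur []Event
	var opened time.Duration // arrival time of the first event in cur
	for _, ev := range events {
		if len(cur) > 0 && ev.Arrival-opened >= c.MaxBatchWait {
			batches, cur = append(batches, cur), nil // timer expired before ev arrived
		}
		if len(cur) == 0 {
			opened = ev.Arrival
		}
		cur = append(cur, ev)
		if len(cur) >= c.MaxBatchSize {
			batches, cur = append(batches, cur), nil // size limit reached
		}
	}
	if len(cur) > 0 {
		batches = append(batches, cur)
	}
	return batches
}
```

With a zero wait every event is flushed on its own, which is the write-per-event cost behind the "hotloop" remark; a short wait with a large batch size groups the bursts while still bounding latency.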
Addressed feedback. I think the only unresolved issue is whether I should just add a "Name()" method to the backend interface.
@@ -116,15 +116,15 @@ func NewAuditOptions() *AuditOptions { | |||
WebhookOptions: AuditWebhookOptions{ | |||
BatchOptions: AuditBatchOptions{ | |||
Mode: ModeBatch, | |||
BatchConfig: defaultLogBatchConfig, | |||
BatchConfig: pluginbuffered.NewDefaultBatchConfig(), |
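Review bot: replacing defaultLogBatchConfig with pluginbuffered.NewDefaultBatchConfig() changes the webhook backend's effective batch defaults for every apiserver that leaves the batch flags unset, but nothing in the hunk or the PR description records the new values; state them in the release note or the flag help text, which also gives @crassirostris a concrete set to confirm.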
@crassirostris please confirm that these settings are what we want.
Yes, though it's preferable to merge this PR after #60926, to avoid showing regressions in the scale tests
Looks good structurally. Please squash. @crassirostris ptal at the default config: #60739 (comment)
- Log backend defaults to blocking mode (backwards compatibility) - Fix webhook validation - Add options test
/approve Leaving final lgtm to @crassirostris
@tallclair Please unhold when #60926 is merged to avoid breaking scale tests /lgtm
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Make log audit backend configurable in GCE

This PR will allow enabling audit logging batching by default in e2e tests, after #60739 is merged. This is an important step to prevent a regression in scale tests.

/cc @tallclair @sttts
/assign @roberthbailey Robert, please approve

```release-note
NONE
```
@tallclair PTAL at test output
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: crassirostris, sttts, tallclair
#60926 is merged. @crassirostris can you remove your hold?
@ericchiang Thanks for pointing this out, done
Automatic merge from submit-queue (batch tested with PRs 60737, 60739, 61080, 60968, 60951). If you want to cherry-pick this change to another branch, please follow the instructions here.
Which issue(s) this PR fixes:
Fixes #60719
Special notes for your reviewer:
This PR is an alternative fix to #60727. If the rollback goes in first, I'll rebase this on a roll-forward.
Release note: