Rewrite finalURLTemplate used only for metrics because of dynamic client change

[wenjiaswe]

What this PR does / why we need it:
When new easy-to-use dynamic client introduced in #62913, name and namespace are appended in url and ends up in request.pathPrefix, so original function finalURLTemplate was not able to replace the name of namespaces with string "{namespace}", which cause the overwhelming metrics issue mentioned in #68115 .

This PR edited finalURLTemplate function to replace the name of namespace with string "{namespace}" in the pathPrefix for dynamic client.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #68115

Special notes for your reviewer:

1. As mentioned in issue Histogram metrics generating overwhelming number of prometheus metrics #68115,

This seems to be a pretty critical bug. Will mark it for v1.12. Please triage.

Please help to review the PR asap if possible. Thanks very much in advance!

2. This fix only fix the namespace. The name is also impacted since name should be replaced by {name} in finalURLTemplate. The name string is appended to url directly without a prefix like /name/, which is different from namespaces (/namespaces/ACTUALNAMESPACE), it might involve more than just parse the request.pathPrefix. Since it does not impact the metrics, and also considering the time sensitivity during the code freeze, maybe we could consider fix it later? Please let me know if it actually does have impact that big enough to impact 1.12 release.

@saad-ali what do yo think?

Release note:

fix a bug that overwhelming number of prometheus metrics are generated because $NAMESPACE is not replaced by string "{namespace}"

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[wenjiaswe]

/cc @deads2k @caesarxuchao @roycaihw

[wenjiaswe]

/kind bug

[roycaihw]

/ok-to-test

[wenjiaswe]

/retest

[wenjiaswe]

/milestone v1.12

[k8s-ci-robot]

@wenjiaswe: You must be a member of the kubernetes/kubernetes-milestone-maintainers github team to set the milestone.

In response to this:

/milestone v1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[roycaihw]

Thanks for the PR! I left some comments. Given finalURLTemplate is only used by metrics, and prometheus metrics seem to prune resource {name} from URL, I'm okay with fixing {namespace} first and have {name} as a followup after code freeze. I'm not familiar with metrics so I cannot tell the impact.

[roycaihw]

One concern is:

• if the resource name is "namespaces" (e.g. a node called "namespaces");
• if r.baseURL.Path contains "/namespaces/"

I'm not sure if we have constraints (e.g. resources cannot be named "namespaces") that could help us rule out the two cases above. If not, you could check if r.pathPrefix contains r.baseURL.Path, and ignore the baseURL part during parsing. The rest of pathPrefix should follow Kubernetes API convention format (legacy group v.s. named group; cluster-scoped v.s. namespaced).

This also helps you parse the {name} segment.

[roycaihw]

Another case is the namespace kind, where the url is /api/v1/namespaces/{name}

[wenjiaswe]

I checked in my local cluster, it seems like I can create a namespace called "namespace" with no problem. But in that case, the replaceNamespace4DynamicClient function can still handle it by blindly replace whatever segment is following /namespaces/ with {namespace}. r.baseURL and pathPrefix are separate in rest.Request. So I don't get how would checking r.pathPrefix and r.baseURL.Path help?

For example, as in testcase now, if full url is "http://localhost/pre1/namespaces/ns/r1", then r.pathPrefix is "/pre1/namespaces/ns/r1". r.baseURL is "http://localhost"

[lavalamp]

I am a little skeptical of this approach, but maybe you can make it work. :)

You at least need to check more than one path segment. Here's some test cases off the top of my head.

• /api/v1/namespaces/kube-system/services/monitoring-heapster is about a service; it should match.
• /api/v1/namespaces/kube-system is about a namespace; it should NOT match (kube-system is the name of the resource in this case, which is not inside a namespace).
• /apis/apps/v1/namespaces/foo/deployments/bar is about resource bar in namespace foo, it should match.
• /apis/apps/v1/namespaces/namespaces/deployments/namespaces is about resource namespaces in namespace namespaces, it should match.

[wenjiaswe]

I just pushed a new commit after talking to @roycaihw offline. It parses the request.pathPrefix based on the type of API groups, either in /api/v1... format for legacy group or /apis/apps/v1... format for named group.

Based on @lavalamp comment, I think there is no rule on nomenclature rule... As far as Daniel's concern, the first, third and forth case should all be fine. However, both Haowei and Daniel mentioned that if we have a dynamic resource client that has no namespace but has a resource called "namespaces", then current fix would blindly replace the segment after the resource name with "{namespace}", which is wrong...

In that case, we will need to pass the dynamicResourceClient struct to rest/request.go so it knows exactly what the structure is instead of blind string manipulation. And it would be more than "only have to do the analysis if you have no hits for the namespace being set." as @deads2k original suggested, let me do more analysis and see if it would have impact on other parts than just metrics.

[roycaihw]

/api/v1/namespaces/kube-system is about a namespace; it should NOT match

Given the fact that user can choose to set pathPrefix, resource and resourceName at the same time, a pathPrefix can also be part of a /api/v1/namespaces/kube-system/services/monitoring-heapster request, in which case it should match.

We either need to involve more fields in Request into the detection logic, or use some other approach (e.g. modify the dynamic client)

[roycaihw]

nit: you don't need to redefine expected here

[wenjiaswe]

Thanks! Addressed.

[lavalamp]

I would have expected apis/namespaces/{namespace}/namespaces/{name}?

[lavalamp]

wait no I got confused :)

This is correct.

[lavalamp]

I'd expect{namespace} here too?

[lavalamp]

Scratch this, it's correct.

[lavalamp]

/lgtm
/approve

Test cases seem thorough :)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lavalamp, wenjiaswe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/client-go/OWNERS [lavalamp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alvaroaleman]

@wenjiaswe This is a pretty big issue actually, is there a chance this fix can get cherrrypicked/backported to 1.11?

[wenjiaswe]

@alvaroaleman thanks for reminding! Let me see if I could get the final fix #68690 done soon enough, then I will back port the final fix. Otherwise I will back port this one first.

[lavalamp]

It's probably best to just backport this fix, and only worry about getting the final fix into master. Since the behavior should be the same?

…

On Wed, Sep 19, 2018 at 9:41 AM Wenjia ***@***.***> wrote: @alvaroaleman <https://github.com/alvaroaleman> thanks for reminding! Let me see if I could get the final fix #68690 <#68690> done soon enough, then I will back port the final fix. Otherwise I will back port this one first. — You are receiving this because you were assigned. Reply to this email directly, view it on GitHub <#68530 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAnglpOZwJ8ZW6Gg2GNoytKW3LvS0I5yks5ucnPRgaJpZM4WkeXY> .

[wenjiaswe]

@lavalamp you are right, the worries we had about this temp fix doesn't exist in 1.11 anyway. I opened a PR for backporting. Thanks.