forked from kubernetes/kubernetes
-
Notifications
You must be signed in to change notification settings - Fork 99
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request kubernetes#123611 from ritazh/authz-mcmetrics
Add authz webhook matchcondition metrics
- Loading branch information
Showing
12 changed files
with
517 additions
and
86 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
120 changes: 120 additions & 0 deletions
120
staging/src/k8s.io/apiserver/pkg/authorization/cel/metrics.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,120 @@ | ||
/* | ||
Copyright 2024 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package cel | ||
|
||
import ( | ||
"context" | ||
"sync" | ||
"time" | ||
|
||
"k8s.io/component-base/metrics" | ||
"k8s.io/component-base/metrics/legacyregistry" | ||
) | ||
|
||
// MatcherMetrics defines methods for reporting matchCondition metrics | ||
type MatcherMetrics interface { | ||
// RecordAuthorizationMatchConditionEvaluation records the total time taken to evaluate matchConditions for an Authorize() call to the given authorizer | ||
RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration) | ||
// RecordAuthorizationMatchConditionEvaluationFailure increments if any evaluation error was encountered evaluating matchConditions for an Authorize() call to the given authorizer | ||
RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string) | ||
// RecordAuthorizationMatchConditionExclusion records increments when at least one matchCondition evaluates to false and excludes an Authorize() call to the given authorizer | ||
RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string) | ||
} | ||
|
||
type NoopMatcherMetrics struct{} | ||
|
||
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration) { | ||
} | ||
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string) { | ||
} | ||
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string) { | ||
} | ||
|
||
type matcherMetrics struct{} | ||
|
||
func NewMatcherMetrics() MatcherMetrics { | ||
RegisterMetrics() | ||
return matcherMetrics{} | ||
} | ||
|
||
const ( | ||
namespace = "apiserver" | ||
subsystem = "authorization" | ||
) | ||
|
||
var ( | ||
authorizationMatchConditionEvaluationErrorsTotal = metrics.NewCounterVec( | ||
&metrics.CounterOpts{ | ||
Namespace: namespace, | ||
Subsystem: subsystem, | ||
Name: "match_condition_evaluation_errors_total", | ||
Help: "Total number of errors when an authorization webhook encounters a match condition error split by authorizer type and name.", | ||
StabilityLevel: metrics.ALPHA, | ||
}, | ||
[]string{"type", "name"}, | ||
) | ||
authorizationMatchConditionExclusionsTotal = metrics.NewCounterVec( | ||
&metrics.CounterOpts{ | ||
Namespace: namespace, | ||
Subsystem: subsystem, | ||
Name: "match_condition_exclusions_total", | ||
Help: "Total number of exclusions when an authorization webhook is skipped because match conditions exclude it.", | ||
StabilityLevel: metrics.ALPHA, | ||
}, | ||
[]string{"type", "name"}, | ||
) | ||
authorizationMatchConditionEvaluationSeconds = metrics.NewHistogramVec( | ||
&metrics.HistogramOpts{ | ||
Namespace: namespace, | ||
Subsystem: subsystem, | ||
Name: "match_condition_evaluation_seconds", | ||
Help: "Authorization match condition evaluation time in seconds, split by authorizer type and name.", | ||
Buckets: []float64{0.001, 0.005, 0.01, 0.025, 0.1, 0.2, 0.25}, | ||
StabilityLevel: metrics.ALPHA, | ||
}, | ||
[]string{"type", "name"}, | ||
) | ||
) | ||
|
||
var registerMetrics sync.Once | ||
|
||
func RegisterMetrics() { | ||
registerMetrics.Do(func() { | ||
legacyregistry.MustRegister(authorizationMatchConditionEvaluationErrorsTotal) | ||
legacyregistry.MustRegister(authorizationMatchConditionExclusionsTotal) | ||
legacyregistry.MustRegister(authorizationMatchConditionEvaluationSeconds) | ||
}) | ||
} | ||
|
||
func ResetMetricsForTest() { | ||
authorizationMatchConditionEvaluationErrorsTotal.Reset() | ||
authorizationMatchConditionExclusionsTotal.Reset() | ||
authorizationMatchConditionEvaluationSeconds.Reset() | ||
} | ||
|
||
func (matcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string) { | ||
authorizationMatchConditionEvaluationErrorsTotal.WithContext(ctx).WithLabelValues(authorizerType, authorizerName).Inc() | ||
} | ||
|
||
func (matcherMetrics) RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string) { | ||
authorizationMatchConditionExclusionsTotal.WithContext(ctx).WithLabelValues(authorizerType, authorizerName).Inc() | ||
} | ||
|
||
func (matcherMetrics) RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration) { | ||
elapsedSeconds := elapsed.Seconds() | ||
authorizationMatchConditionEvaluationSeconds.WithContext(ctx).WithLabelValues(authorizerType, authorizerName).Observe(elapsedSeconds) | ||
} |
81 changes: 81 additions & 0 deletions
81
staging/src/k8s.io/apiserver/pkg/authorization/cel/metrics_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
/* | ||
Copyright 2024 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package cel | ||
|
||
import ( | ||
"context" | ||
"strings" | ||
"testing" | ||
"time" | ||
|
||
"k8s.io/component-base/metrics/legacyregistry" | ||
"k8s.io/component-base/metrics/testutil" | ||
) | ||
|
||
func TestRecordAuthorizationMatchConditionEvaluationFailure(t *testing.T) { | ||
testCases := []struct { | ||
desc string | ||
metrics []string | ||
name string | ||
authztype string | ||
want string | ||
}{ | ||
{ | ||
desc: "evaluation failure total", | ||
metrics: []string{ | ||
"apiserver_authorization_match_condition_evaluation_errors_total", | ||
"apiserver_authorization_match_condition_exclusions_total", | ||
"apiserver_authorization_match_condition_evaluation_seconds", | ||
}, | ||
name: "wh1.example.com", | ||
authztype: "Webhook", | ||
want: ` | ||
# HELP apiserver_authorization_match_condition_evaluation_errors_total [ALPHA] Total number of errors when an authorization webhook encounters a match condition error split by authorizer type and name. | ||
# TYPE apiserver_authorization_match_condition_evaluation_errors_total counter | ||
apiserver_authorization_match_condition_evaluation_errors_total{name="wh1.example.com",type="Webhook"} 1 | ||
# HELP apiserver_authorization_match_condition_evaluation_seconds [ALPHA] Authorization match condition evaluation time in seconds, split by authorizer type and name. | ||
# TYPE apiserver_authorization_match_condition_evaluation_seconds histogram | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="0.001"} 0 | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="0.005"} 0 | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="0.01"} 0 | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="0.025"} 0 | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="0.1"} 0 | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="0.2"} 0 | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="0.25"} 0 | ||
apiserver_authorization_match_condition_evaluation_seconds_bucket{name="wh1.example.com",type="Webhook",le="+Inf"} 1 | ||
apiserver_authorization_match_condition_evaluation_seconds_sum{name="wh1.example.com",type="Webhook"} 1 | ||
apiserver_authorization_match_condition_evaluation_seconds_count{name="wh1.example.com",type="Webhook"} 1 | ||
# HELP apiserver_authorization_match_condition_exclusions_total [ALPHA] Total number of exclusions when an authorization webhook is skipped because match conditions exclude it. | ||
# TYPE apiserver_authorization_match_condition_exclusions_total counter | ||
apiserver_authorization_match_condition_exclusions_total{name="wh1.example.com",type="Webhook"} 1 | ||
`, | ||
}, | ||
} | ||
|
||
for _, tt := range testCases { | ||
t.Run(tt.desc, func(t *testing.T) { | ||
ResetMetricsForTest() | ||
m := NewMatcherMetrics() | ||
m.RecordAuthorizationMatchConditionEvaluationFailure(context.Background(), tt.authztype, tt.name) | ||
m.RecordAuthorizationMatchConditionExclusion(context.Background(), tt.authztype, tt.name) | ||
m.RecordAuthorizationMatchConditionEvaluation(context.Background(), tt.authztype, tt.name, time.Duration(1*time.Second)) | ||
if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(tt.want), tt.metrics...); err != nil { | ||
t.Fatal(err) | ||
} | ||
}) | ||
} | ||
} |
Oops, something went wrong.