ROX-30739: Docs for process baseline auto locking #100444
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * operating/evaluate-security-risks.adoc | ||
| :_mod-docs-content-type: CONCEPT | ||
| [id="auto-lock-process-baselines-known-limitations_{context}"] | ||
| = Auto-lock process baselines known limitations | ||
|
|
||
| [role="_abstract"] | ||
| Central, Central DB, and Sensor consume more CPU and memory resources when process baseline auto-lock is enabled. This can lead to CPU throttling and pods crashing due to running out of memory. | ||
|
|
||
| The following results were obtained from tests with 1,000 deployments in which 5,000 process were spawned every 30 seconds (166.67 processes per second). The test was run with the feature enabled and disabled. Resource usage was compared between the two tests. For the tests the process baseline generation duration was set to three minutes and the rate of process creation did not change after the baseline generation period ended. | ||
|
|
||
| * Sensor used 24 Mb more memory. | ||
| * The difference in Sensor memory usage did not appear to increase with time. | ||
| * Sensor CPU usage increased by 0.14 CPUs. | ||
| * Central used 175 Mb more memory. | ||
| * The rate of increase of Central memory usage was 65 Kb per second greater with auto-lock enabled. | ||
| * Central CPU usage increased by 0.12 CPUs. | ||
| * Central DB used 296 Mb more memory with auto-lock enabled. | ||
| * The difference in Central DB memory usage did not appear to increase over time. | ||
| * Central DB CPU usage was low and increased by 0.03 CPUs. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * operating/evaluate-security-risks.adoc | ||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="auto-lock-process-baselines_{context}"] | ||
| = Configuring auto-lock for process baselines | ||
|
|
||
| [role="_abstract"] | ||
| You can configure {product-title-short} to automatically lock process baselines when they leave the observation period. The auto-lock feature must be enabled in both Central and in the secured cluster. Disabling the feature after it has been enabled does not unlock process baselines that have been locked by the feature. | ||
|
|
||
| .Procedure | ||
|
|
||
| . In the {ocp} web console, go to the {product-title-short} Operator page. | ||
| . In the top navigation menu, select *Secured Cluster*. | ||
| . Click the instance name, for example, *stackrox-secured-cluster-services*. | ||
| . Use one of the following methods to change the setting: | ||
| * In the *Form view*, under *Process baselines settings* -> *Auto Lock*, select *Enabled* or *Disabled*. | ||
| * Click *YAML* to open the YAML editor and locate the `spec.processBaselines.autoLock` attribute. Change to `Enabled` or `Disabled`. | ||
| . Click *Save.* | ||
| . To enable or disable the feature in Central, set the `ROX_AUTO_LOCK_PROCESS_BASELINES` environment variable. The default value is `true`. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * operating/evaluate-security-risks.adoc | ||
| :_mod-docs-content-type: REFERENCE | ||
| [id="bulk-locking-and-unlocking-process-baselines_{context}"] | ||
| = Bulk locking and unlocking process baselines | ||
|
|
||
| [role="_abstract"] | ||
| You can lock or unlock all process baselines in a cluster by using API endpoints. You can specify an optional set of namespaces to limit the action to just those namespaces. The API endpoints are as follows: | ||
|
|
||
| * `/v1/processbaselines/bulk/lock` | ||
| * `/v1/processbaselines/bulk/unlock` | ||
|
|
||
| The following example shows the input for the endpoints: | ||
|
|
||
|
There was a problem hiding this comment. needs the correct tag - see: https://github.com/openshift/openshift-docs/blob/main/contributing_to_docs/doc_guidelines.adoc#code-blocks-command-syntax-and-example-output for example |
||
| [source,json] | ||
| ---- | ||
| { | ||
| "cluster_id": "aeaaaaaa-0000-0000-0000-000000000000", | ||
| "namespaces": [ | ||
| "stackrox", | ||
| "gmp-system" | ||
| ] | ||
| } | ||
| ---- | ||
|
|
||
| These endpoints return success or an error. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I normally only see a general level of detail included for test results like these in user documentation. Basically, what users need to know is the takeaway from these tests and the results.
example: Testing of this feature with 1,000 deployments where 5,000 processes were spawned every 30 seconds showed that resource usage increased when baseline auto-locking was enabled.
You could list the bullet points here, but I think what you want to get at is, is enabling this something that will affect performance or something else about the user experience? Then you might need to say something like "Depending on the number of deployments, Sensor and Central can use more memory and possibly affect performance." (or whatever the actual case is) As a user, will they look at the bullets and know that Central using 175 mb more memory will cause a slowdown (for example)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I clarified the potential negative consequences of enabling the feature in the abstract.