diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go index edf5a788673..ad6530ffb7f 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go @@ -223,7 +223,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm switch decision.Action { case ActionAdmit: if decision.Evaluation == EvalError { - celmetrics.Metrics.ObserveAdmissionWithError(ctx, decision.Elapsed, definition.Name, binding.Name, "active") + celmetrics.Metrics.ObserveAdmissionWithError(ctx, decision.Elapsed, definition.Name, binding.Name) } case ActionDeny: for _, action := range binding.Spec.ValidationActions { @@ -234,13 +234,13 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm Binding: binding, PolicyDecision: decision, }) - celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, "active") + celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name) case admissionregistrationv1.Audit: publishValidationFailureAnnotation(binding, i, decision, versionedAttr) - celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, "active") + celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name) case admissionregistrationv1.Warn: warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message)) - celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, "active") + celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name) } } default: @@ -269,7 +269,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm Elapsed: auditAnnotation.Elapsed, }, }) - celmetrics.Metrics.ObserveRejection(ctx, auditAnnotation.Elapsed, definition.Name, binding.Name, "active") + celmetrics.Metrics.ObserveRejection(ctx, auditAnnotation.Elapsed, definition.Name, binding.Name) case AuditAnnotationActionExclude: // skip it default: return fmt.Errorf("unsupported AuditAnnotation Action: %s", auditAnnotation.Action) diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics.go index 9f8a941105a..d1707eb60d2 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics.go @@ -36,9 +36,8 @@ var ( // ValidatingAdmissionPolicyMetrics aggregates Prometheus metrics related to validation admission control. type ValidatingAdmissionPolicyMetrics struct { - policyCheck *metrics.CounterVec - policyDefinition *metrics.CounterVec - policyLatency *metrics.HistogramVec + policyCheck *metrics.CounterVec + policyLatency *metrics.HistogramVec } func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics { @@ -47,25 +46,16 @@ func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics { Namespace: metricsNamespace, Subsystem: metricsSubsystem, Name: "check_total", - Help: "Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state.", + Help: "Validation admission policy check total, labeled by policy and further identified by binding and enforcement action taken.", StabilityLevel: metrics.ALPHA, }, - []string{"policy", "policy_binding", "enforcement_action", "state"}, - ) - definition := metrics.NewCounterVec(&metrics.CounterOpts{ - Namespace: metricsNamespace, - Subsystem: metricsSubsystem, - Name: "definition_total", - Help: "Validation admission policy count total, labeled by state and enforcement action.", - StabilityLevel: metrics.ALPHA, - }, - []string{"state", "enforcement_action"}, + []string{"policy", "policy_binding", "enforcement_action"}, ) latency := metrics.NewHistogramVec(&metrics.HistogramOpts{ Namespace: metricsNamespace, Subsystem: metricsSubsystem, Name: "check_duration_seconds", - Help: "Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken.", + Help: "Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding and enforcement action taken.", // the bucket distribution here is based oo the benchmark suite at // github.com/DangerOnTheRanger/cel-benchmark performed on 16-core Intel Xeon // the lowest bucket was based around the 180ns/op figure for BenchmarkAccess, @@ -77,47 +67,40 @@ func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics { Buckets: []float64{0.0000005, 0.001, 0.01, 0.1, 1.0}, StabilityLevel: metrics.ALPHA, }, - []string{"policy", "policy_binding", "enforcement_action", "state"}, + []string{"policy", "policy_binding", "enforcement_action"}, ) legacyregistry.MustRegister(check) - legacyregistry.MustRegister(definition) legacyregistry.MustRegister(latency) - return &ValidatingAdmissionPolicyMetrics{policyCheck: check, policyDefinition: definition, policyLatency: latency} + return &ValidatingAdmissionPolicyMetrics{policyCheck: check, policyLatency: latency} } // Reset resets all validation admission-related Prometheus metrics. func (m *ValidatingAdmissionPolicyMetrics) Reset() { m.policyCheck.Reset() - m.policyDefinition.Reset() m.policyLatency.Reset() } -// ObserveDefinition observes a policy definition. -func (m *ValidatingAdmissionPolicyMetrics) ObserveDefinition(ctx context.Context, state, enforcementAction string) { - m.policyDefinition.WithContext(ctx).WithLabelValues(state, enforcementAction).Inc() -} - // ObserveAdmissionWithError observes a policy validation error that was ignored due to failure policy. -func (m *ValidatingAdmissionPolicyMetrics) ObserveAdmissionWithError(ctx context.Context, elapsed time.Duration, policy, binding, state string) { - m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "allow", state).Inc() - m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "allow", state).Observe(elapsed.Seconds()) +func (m *ValidatingAdmissionPolicyMetrics) ObserveAdmissionWithError(ctx context.Context, elapsed time.Duration, policy, binding string) { + m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "allow").Inc() + m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "allow").Observe(elapsed.Seconds()) } // ObserveRejection observes a policy validation error that was at least one of the reasons for a deny. -func (m *ValidatingAdmissionPolicyMetrics) ObserveRejection(ctx context.Context, elapsed time.Duration, policy, binding, state string) { - m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "deny", state).Inc() - m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "deny", state).Observe(elapsed.Seconds()) +func (m *ValidatingAdmissionPolicyMetrics) ObserveRejection(ctx context.Context, elapsed time.Duration, policy, binding string) { + m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "deny").Inc() + m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "deny").Observe(elapsed.Seconds()) } // ObserveAudit observes a policy validation audit annotation was published for a validation failure. -func (m *ValidatingAdmissionPolicyMetrics) ObserveAudit(ctx context.Context, elapsed time.Duration, policy, binding, state string) { - m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "audit", state).Inc() - m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "audit", state).Observe(elapsed.Seconds()) +func (m *ValidatingAdmissionPolicyMetrics) ObserveAudit(ctx context.Context, elapsed time.Duration, policy, binding string) { + m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "audit").Inc() + m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "audit").Observe(elapsed.Seconds()) } // ObserveWarn observes a policy validation warning was published for a validation failure. -func (m *ValidatingAdmissionPolicyMetrics) ObserveWarn(ctx context.Context, elapsed time.Duration, policy, binding, state string) { - m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "warn", state).Inc() - m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "warn", state).Observe(elapsed.Seconds()) +func (m *ValidatingAdmissionPolicyMetrics) ObserveWarn(ctx context.Context, elapsed time.Duration, policy, binding string) { + m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "warn").Inc() + m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "warn").Observe(elapsed.Seconds()) } diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics_test.go index 7c9e3e75998..682cf691638 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics_test.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics_test.go @@ -31,7 +31,6 @@ type metricsObserver func() func TestNoUtils(t *testing.T) { metrics := []string{ - "apiserver_validating_admission_policy_definition_total", "apiserver_validating_admission_policy_check_total", "apiserver_validating_admission_policy_check_duration_seconds", } @@ -44,53 +43,43 @@ func TestNoUtils(t *testing.T) { { desc: "observe policy admission", want: ` - # HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken. + # HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding and enforcement action taken. # TYPE apiserver_validating_admission_policy_check_duration_seconds histogram - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.0000005"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.001"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.01"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.1"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="1"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="+Inf"} 1 - apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 10 - apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1 - # HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state. + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.0000005"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.001"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.01"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.1"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="1"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="+Inf"} 1 + apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com"} 10 + apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com"} 1 + # HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding and enforcement action taken. # TYPE apiserver_validating_admission_policy_check_total counter - apiserver_validating_admission_policy_check_total{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1 + apiserver_validating_admission_policy_check_total{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com"} 1 `, observer: func() { - Metrics.ObserveAdmissionWithError(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com", "active") + Metrics.ObserveAdmissionWithError(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com") }, }, { desc: "observe policy rejection", want: ` - # HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken. + # HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding and enforcement action taken. # TYPE apiserver_validating_admission_policy_check_duration_seconds histogram - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.0000005"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.001"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.01"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.1"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="1"} 0 - apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="+Inf"} 1 - apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 10 - apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1 - # HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state. + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.0000005"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.001"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.01"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.1"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="1"} 0 + apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="+Inf"} 1 + apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com"} 10 + apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com"} 1 + # HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding and enforcement action taken. # TYPE apiserver_validating_admission_policy_check_total counter - apiserver_validating_admission_policy_check_total{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1 + apiserver_validating_admission_policy_check_total{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com"} 1 `, observer: func() { - Metrics.ObserveRejection(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com", "active") - }, - }, - { - desc: "observe policy definition", - want: `# HELP apiserver_validating_admission_policy_definition_total [ALPHA] Validation admission policy count total, labeled by state and enforcement action. - # TYPE apiserver_validating_admission_policy_definition_total counter - apiserver_validating_admission_policy_definition_total{enforcement_action="deny",state="active"} 1 - `, - observer: func() { - Metrics.ObserveDefinition(context.TODO(), "active", "deny") + Metrics.ObserveRejection(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com") }, }, }