remove unused policy_definition_total metric and state label
parent
ce45a82346
commit
8e9232ef46
@ -223,7 +223,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
|
|||||||
switch decision.Action {
|
switch decision.Action {
|
||||||
case ActionAdmit:
|
case ActionAdmit:
|
||||||
if decision.Evaluation == EvalError {
|
if decision.Evaluation == EvalError {
|
||||||
celmetrics.Metrics.ObserveAdmissionWithError(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
|
celmetrics.Metrics.ObserveAdmissionWithError(ctx, decision.Elapsed, definition.Name, binding.Name)
|
||||||
}
|
}
|
||||||
case ActionDeny:
|
case ActionDeny:
|
||||||
for _, action := range binding.Spec.ValidationActions {
|
for _, action := range binding.Spec.ValidationActions {
|
||||||
@ -234,13 +234,13 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
|
|||||||
Binding: binding,
|
Binding: binding,
|
||||||
PolicyDecision: decision,
|
PolicyDecision: decision,
|
||||||
})
|
})
|
||||||
celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
|
celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name)
|
||||||
case admissionregistrationv1.Audit:
|
case admissionregistrationv1.Audit:
|
||||||
publishValidationFailureAnnotation(binding, i, decision, versionedAttr)
|
publishValidationFailureAnnotation(binding, i, decision, versionedAttr)
|
||||||
celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
|
celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name)
|
||||||
case admissionregistrationv1.Warn:
|
case admissionregistrationv1.Warn:
|
||||||
warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message))
|
warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message))
|
||||||
celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
|
celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
@ -269,7 +269,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
|
|||||||
Elapsed: auditAnnotation.Elapsed,
|
Elapsed: auditAnnotation.Elapsed,
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
celmetrics.Metrics.ObserveRejection(ctx, auditAnnotation.Elapsed, definition.Name, binding.Name, "active")
|
celmetrics.Metrics.ObserveRejection(ctx, auditAnnotation.Elapsed, definition.Name, binding.Name)
|
||||||
case AuditAnnotationActionExclude: // skip it
|
case AuditAnnotationActionExclude: // skip it
|
||||||
default:
|
default:
|
||||||
return fmt.Errorf("unsupported AuditAnnotation Action: %s", auditAnnotation.Action)
|
return fmt.Errorf("unsupported AuditAnnotation Action: %s", auditAnnotation.Action)
|
||||||
|
@ -37,7 +37,6 @@ var (
|
|||||||
// ValidatingAdmissionPolicyMetrics aggregates Prometheus metrics related to validation admission control.
|
// ValidatingAdmissionPolicyMetrics aggregates Prometheus metrics related to validation admission control.
|
||||||
type ValidatingAdmissionPolicyMetrics struct {
|
type ValidatingAdmissionPolicyMetrics struct {
|
||||||
policyCheck *metrics.CounterVec
|
policyCheck *metrics.CounterVec
|
||||||
policyDefinition *metrics.CounterVec
|
|
||||||
policyLatency *metrics.HistogramVec
|
policyLatency *metrics.HistogramVec
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -47,25 +46,16 @@ func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics {
|
|||||||
Namespace: metricsNamespace,
|
Namespace: metricsNamespace,
|
||||||
Subsystem: metricsSubsystem,
|
Subsystem: metricsSubsystem,
|
||||||
Name: "check_total",
|
Name: "check_total",
|
||||||
Help: "Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state.",
|
Help: "Validation admission policy check total, labeled by policy and further identified by binding and enforcement action taken.",
|
||||||
StabilityLevel: metrics.ALPHA,
|
StabilityLevel: metrics.ALPHA,
|
||||||
},
|
},
|
||||||
[]string{"policy", "policy_binding", "enforcement_action", "state"},
|
[]string{"policy", "policy_binding", "enforcement_action"},
|
||||||
)
|
|
||||||
definition := metrics.NewCounterVec(&metrics.CounterOpts{
|
|
||||||
Namespace: metricsNamespace,
|
|
||||||
Subsystem: metricsSubsystem,
|
|
||||||
Name: "definition_total",
|
|
||||||
Help: "Validation admission policy count total, labeled by state and enforcement action.",
|
|
||||||
StabilityLevel: metrics.ALPHA,
|
|
||||||
},
|
|
||||||
[]string{"state", "enforcement_action"},
|
|
||||||
)
|
)
|
||||||
latency := metrics.NewHistogramVec(&metrics.HistogramOpts{
|
latency := metrics.NewHistogramVec(&metrics.HistogramOpts{
|
||||||
Namespace: metricsNamespace,
|
Namespace: metricsNamespace,
|
||||||
Subsystem: metricsSubsystem,
|
Subsystem: metricsSubsystem,
|
||||||
Name: "check_duration_seconds",
|
Name: "check_duration_seconds",
|
||||||
Help: "Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken.",
|
Help: "Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding and enforcement action taken.",
|
||||||
// the bucket distribution here is based oo the benchmark suite at
|
// the bucket distribution here is based oo the benchmark suite at
|
||||||
// github.com/DangerOnTheRanger/cel-benchmark performed on 16-core Intel Xeon
|
// github.com/DangerOnTheRanger/cel-benchmark performed on 16-core Intel Xeon
|
||||||
// the lowest bucket was based around the 180ns/op figure for BenchmarkAccess,
|
// the lowest bucket was based around the 180ns/op figure for BenchmarkAccess,
|
||||||
@ -77,47 +67,40 @@ func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics {
|
|||||||
Buckets: []float64{0.0000005, 0.001, 0.01, 0.1, 1.0},
|
Buckets: []float64{0.0000005, 0.001, 0.01, 0.1, 1.0},
|
||||||
StabilityLevel: metrics.ALPHA,
|
StabilityLevel: metrics.ALPHA,
|
||||||
},
|
},
|
||||||
[]string{"policy", "policy_binding", "enforcement_action", "state"},
|
[]string{"policy", "policy_binding", "enforcement_action"},
|
||||||
)
|
)
|
||||||
|
|
||||||
legacyregistry.MustRegister(check)
|
legacyregistry.MustRegister(check)
|
||||||
legacyregistry.MustRegister(definition)
|
|
||||||
legacyregistry.MustRegister(latency)
|
legacyregistry.MustRegister(latency)
|
||||||
return &ValidatingAdmissionPolicyMetrics{policyCheck: check, policyDefinition: definition, policyLatency: latency}
|
return &ValidatingAdmissionPolicyMetrics{policyCheck: check, policyLatency: latency}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Reset resets all validation admission-related Prometheus metrics.
|
// Reset resets all validation admission-related Prometheus metrics.
|
||||||
func (m *ValidatingAdmissionPolicyMetrics) Reset() {
|
func (m *ValidatingAdmissionPolicyMetrics) Reset() {
|
||||||
m.policyCheck.Reset()
|
m.policyCheck.Reset()
|
||||||
m.policyDefinition.Reset()
|
|
||||||
m.policyLatency.Reset()
|
m.policyLatency.Reset()
|
||||||
}
|
}
|
||||||
|
|
||||||
// ObserveDefinition observes a policy definition.
|
|
||||||
func (m *ValidatingAdmissionPolicyMetrics) ObserveDefinition(ctx context.Context, state, enforcementAction string) {
|
|
||||||
m.policyDefinition.WithContext(ctx).WithLabelValues(state, enforcementAction).Inc()
|
|
||||||
}
|
|
||||||
|
|
||||||
// ObserveAdmissionWithError observes a policy validation error that was ignored due to failure policy.
|
// ObserveAdmissionWithError observes a policy validation error that was ignored due to failure policy.
|
||||||
func (m *ValidatingAdmissionPolicyMetrics) ObserveAdmissionWithError(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
|
func (m *ValidatingAdmissionPolicyMetrics) ObserveAdmissionWithError(ctx context.Context, elapsed time.Duration, policy, binding string) {
|
||||||
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "allow", state).Inc()
|
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "allow").Inc()
|
||||||
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "allow", state).Observe(elapsed.Seconds())
|
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "allow").Observe(elapsed.Seconds())
|
||||||
}
|
}
|
||||||
|
|
||||||
// ObserveRejection observes a policy validation error that was at least one of the reasons for a deny.
|
// ObserveRejection observes a policy validation error that was at least one of the reasons for a deny.
|
||||||
func (m *ValidatingAdmissionPolicyMetrics) ObserveRejection(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
|
func (m *ValidatingAdmissionPolicyMetrics) ObserveRejection(ctx context.Context, elapsed time.Duration, policy, binding string) {
|
||||||
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "deny", state).Inc()
|
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "deny").Inc()
|
||||||
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "deny", state).Observe(elapsed.Seconds())
|
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "deny").Observe(elapsed.Seconds())
|
||||||
}
|
}
|
||||||
|
|
||||||
// ObserveAudit observes a policy validation audit annotation was published for a validation failure.
|
// ObserveAudit observes a policy validation audit annotation was published for a validation failure.
|
||||||
func (m *ValidatingAdmissionPolicyMetrics) ObserveAudit(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
|
func (m *ValidatingAdmissionPolicyMetrics) ObserveAudit(ctx context.Context, elapsed time.Duration, policy, binding string) {
|
||||||
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "audit", state).Inc()
|
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "audit").Inc()
|
||||||
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "audit", state).Observe(elapsed.Seconds())
|
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "audit").Observe(elapsed.Seconds())
|
||||||
}
|
}
|
||||||
|
|
||||||
// ObserveWarn observes a policy validation warning was published for a validation failure.
|
// ObserveWarn observes a policy validation warning was published for a validation failure.
|
||||||
func (m *ValidatingAdmissionPolicyMetrics) ObserveWarn(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
|
func (m *ValidatingAdmissionPolicyMetrics) ObserveWarn(ctx context.Context, elapsed time.Duration, policy, binding string) {
|
||||||
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "warn", state).Inc()
|
m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "warn").Inc()
|
||||||
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "warn", state).Observe(elapsed.Seconds())
|
m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "warn").Observe(elapsed.Seconds())
|
||||||
}
|
}
|
||||||
|
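Review bot: Dropping the `state` label from `check_total` and `check_duration_seconds` and deleting `definition_total` changes series identity, so an existing alert or dashboard selector that pins `state="active"` or names the removed counter will return no data rather than an error. For the deny and audit counts of an admission control that is a silent monitoring gap, and nothing visible in this commit records the change for operators; ALPHA stability permits the removal, but a release note is worth adding. I would also put a comment above each label slice, e.g. `// label order must match every WithLabelValues call in this file`, since the four Observe* methods pass their values positionally.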
@ -31,7 +31,6 @@ type metricsObserver func()
|
|||||||
func TestNoUtils(t *testing.T) {
|
func TestNoUtils(t *testing.T) {
|
||||||
|
|
||||||
metrics := []string{
|
metrics := []string{
|
||||||
"apiserver_validating_admission_policy_definition_total",
|
|
||||||
"apiserver_validating_admission_policy_check_total",
|
"apiserver_validating_admission_policy_check_total",
|
||||||
"apiserver_validating_admission_policy_check_duration_seconds",
|
"apiserver_validating_admission_policy_check_duration_seconds",
|
||||||
}
|
}
|
||||||
@ -44,53 +43,43 @@ func TestNoUtils(t *testing.T) {
|
|||||||
{
|
{
|
||||||
desc: "observe policy admission",
|
desc: "observe policy admission",
|
||||||
want: `
|
want: `
|
||||||
# HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken.
|
# HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding and enforcement action taken.
|
||||||
# TYPE apiserver_validating_admission_policy_check_duration_seconds histogram
|
# TYPE apiserver_validating_admission_policy_check_duration_seconds histogram
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.0000005"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.0000005"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.001"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.001"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.01"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.01"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.1"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="0.1"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="1"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="1"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="+Inf"} 1
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",le="+Inf"} 1
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 10
|
apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com"} 10
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1
|
apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com"} 1
|
||||||
# HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state.
|
# HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding and enforcement action taken.
|
||||||
# TYPE apiserver_validating_admission_policy_check_total counter
|
# TYPE apiserver_validating_admission_policy_check_total counter
|
||||||
apiserver_validating_admission_policy_check_total{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1
|
apiserver_validating_admission_policy_check_total{enforcement_action="allow",policy="policy.example.com",policy_binding="binding.example.com"} 1
|
||||||
`,
|
`,
|
||||||
observer: func() {
|
observer: func() {
|
||||||
Metrics.ObserveAdmissionWithError(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com", "active")
|
Metrics.ObserveAdmissionWithError(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
desc: "observe policy rejection",
|
desc: "observe policy rejection",
|
||||||
want: `
|
want: `
|
||||||
# HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken.
|
# HELP apiserver_validating_admission_policy_check_duration_seconds [ALPHA] Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding and enforcement action taken.
|
||||||
# TYPE apiserver_validating_admission_policy_check_duration_seconds histogram
|
# TYPE apiserver_validating_admission_policy_check_duration_seconds histogram
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.0000005"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.0000005"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.001"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.001"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.01"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.01"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="0.1"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="0.1"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="1"} 0
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="1"} 0
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active",le="+Inf"} 1
|
apiserver_validating_admission_policy_check_duration_seconds_bucket{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",le="+Inf"} 1
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 10
|
apiserver_validating_admission_policy_check_duration_seconds_sum{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com"} 10
|
||||||
apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1
|
apiserver_validating_admission_policy_check_duration_seconds_count{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com"} 1
|
||||||
# HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state.
|
# HELP apiserver_validating_admission_policy_check_total [ALPHA] Validation admission policy check total, labeled by policy and further identified by binding and enforcement action taken.
|
||||||
# TYPE apiserver_validating_admission_policy_check_total counter
|
# TYPE apiserver_validating_admission_policy_check_total counter
|
||||||
apiserver_validating_admission_policy_check_total{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com",state="active"} 1
|
apiserver_validating_admission_policy_check_total{enforcement_action="deny",policy="policy.example.com",policy_binding="binding.example.com"} 1
|
||||||
`,
|
`,
|
||||||
observer: func() {
|
observer: func() {
|
||||||
Metrics.ObserveRejection(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com", "active")
|
Metrics.ObserveRejection(context.TODO(), time.Duration(10)*time.Second, "policy.example.com", "binding.example.com")
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
desc: "observe policy definition",
|
|
||||||
want: `# HELP apiserver_validating_admission_policy_definition_total [ALPHA] Validation admission policy count total, labeled by state and enforcement action.
|
|
||||||
# TYPE apiserver_validating_admission_policy_definition_total counter
|
|
||||||
apiserver_validating_admission_policy_definition_total{enforcement_action="deny",state="active"} 1
|
|
||||||
`,
|
|
||||||
observer: func() {
|
|
||||||
Metrics.ObserveDefinition(context.TODO(), "active", "deny")
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
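Review bot: The table visible in this section exercises only `ObserveAdmissionWithError` and `ObserveRejection`, while the commit also changes the label arity of `ObserveAudit` and `ObserveWarn`. In client_golang a `WithLabelValues` call with the wrong number of values panics, and these observers are called from the admission dispatch path, so each one deserves a case. Add `observe policy audit` and `observe policy warn` entries shaped like the rejection case, with `enforcement_action="audit"` and `enforcement_action="warn"` in the expected output. The table opens outside the visible hunks, so confirm that no such cases already exist there.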