Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

APIServerTracing: Respect trace context only for privileged users #127053

Draft
wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

APIServerTracing: Respect trace context only for privileged users #127053

wants to merge 5 commits into from

Conversation

dashpole
Copy link
Contributor

@dashpole dashpole commented Sep 1, 2024
edited
Loading

Second attempt at #123807, but including system:monitoring

What type of PR is this?

/kind feature

What this PR does / why we need it:

Move the tracing filter to after the authorization filter, and only respect the incoming context for requests from the privileged system:master and system:monitoring groups.

This has some downsides:

  • Tracing from authorization isn't part of the APIServer trace

Which issue(s) this PR fixes:

Fixes #103186

Special notes for your reviewer:

See discussions in:

Does this PR introduce a user-facing change?

Respect the incoming trace context for authenticated requests to the kube-apiserver for APIServer tracing.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-instrumentation/0034-distributed-tracing-kep.md

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 1, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 1, 2024
@dims
Copy link
Member

dims commented Sep 2, 2024

/test all

@dashpole dashpole force-pushed the tracing_context_propagation branch from 4d4d483 to 35d2f0e Compare November 15, 2024 15:23
@dashpole
Copy link
Contributor Author

/test all

@k8s-ci-robot k8s-ci-robot added area/cloudprovider area/dependency Issues or PRs related to dependency changes area/kube-proxy area/kubectl area/kubelet sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. labels Nov 21, 2024
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. labels Nov 21, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dashpole
Once this PR has been reviewed and has the lgtm label, please assign dims, khenidak, smarterclayton, sttts for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. wg/device-management Categorizes an issue or PR as relevant to WG Device Management. labels Nov 21, 2024
@dashpole
Copy link
Contributor Author

/test all

@dashpole
Copy link
Contributor Author

/sig instrumentation

@k8s-ci-robot k8s-ci-robot added the sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. label Nov 21, 2024
@dashpole
Copy link
Contributor Author

/test all

@dashpole
Copy link
Contributor Author

I'll split out the dependency update into its own PR

@dashpole dashpole mentioned this pull request Nov 21, 2024
Open
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 13, 2024
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dgrisonnet dgrisonnet Awaiting requested review from dgrisonnet

@ncdc ncdc Awaiting requested review from ncdc

Assignees
No one assigned
Labels
area/apiserver area/cloudprovider area/dependency Issues or PRs related to dependency changes area/kube-proxy area/kubectl area/kubelet area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. wg/device-management Categorizes an issue or PR as relevant to WG Device Management.
Projects
SIG Auth
Status: Pre-triage follow-up
SIG CLI
Status: Needs Triage
SIG Node CI/Test Board
Status: Archive-it
SIG Node: Dynamic Resource Allocation
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Re-entrant apiserver calls are not part of the same trace
3 participants
@dashpole @k8s-ci-robot @dims