
Temporary implementation of count metrics for PodSecurityPolicy #57346

Merged
merged 1 commit into from
Dec 20, 2017

Conversation

tallclair
Copy link
Member

What this PR does / why we need it:

Alternative proposal to #57173

We need rejection counts in order to turn on the PodSecurityPolicy controller. Comprehensive metrics were added for all admission controllers in 1.9, but backporting all those metrics was deemed too risky. So instead, this PR only enables the metrics on the PodSecurityPolicy controller.

Which issue(s) this PR fixes:
Fixes #55030

Special notes for your reviewer:
Most of the diff is tests & boilerplate. Most prod code changes are contained in metrics.go, with a small hook in admission.go.

This deviates from the metrics in HEAD, but some amount of drift between 1.8 and 1.9 is inevitable, due to the admission refactorings that went into 1.9.

Release note:

Add prometheus metrics for the PodSecurityPolicy admission controller

@tallclair tallclair added cherrypick-candidate kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Dec 18, 2017
@tallclair tallclair added this to the v1.8 milestone Dec 18, 2017
@tallclair tallclair requested a review from sttts December 18, 2017 19:29
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 18, 2017
@k8s-github-robot k8s-github-robot added do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. milestone/incomplete-labels labels Dec 18, 2017
@sttts
Copy link
Contributor

sttts commented Dec 18, 2017

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 18, 2017
@tallclair
Copy link
Member Author

/assign @liggitt

For PSP approval.

@ixdy
Copy link
Member

ixdy commented Dec 18, 2017

Sorry, those bazel failures were me (kubernetes/test-infra#5990). Working on a fix.

@tallclair
Copy link
Member Author

Oops, @liggitt isn't an admission approver.

/unassign @liggitt
/assign @deads2k

@k8s-ci-robot k8s-ci-robot assigned deads2k and unassigned liggitt Dec 18, 2017
func (c *podSecurityPolicyPlugin) Admit(a admission.Attributes) error {
func (c *podSecurityPolicyPlugin) Admit(a admission.Attributes) (err error) {
defer func() {
ObserveAdmit(err != nil, a)
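Review bot: the deferred `ObserveAdmit(err != nil, a)` does observe the value `Admit` finally returns, because `return x` stores `x` into the named result `err` before deferred functions run, and the compiler rejects a bare `return` in a scope where `err` is shadowed; the cost is readability, since every `err :=` inside the body is a different variable and a reader has to know the named-result rule to trust the metric. Moving the existing body into an inner function and observing its single return value in the outer `Admit` records the same count without the deferred closure. Separately, `err != nil` labels every failure as a rejection, so an internal error (a failed policy lookup, for example) is counted the same as a policy denial; if the metric is meant to drive the decision to turn the controller on, that conflation is worth a comment in metrics.go.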
Copy link
Contributor


This doesn't look correct. Just considering the final return of this function, won't this give you the wrong value for rejected?

Copy link
Contributor


I guess maybe I don't understand what the final value is. I'm expecting err to be a particular instance that may or may not be the one returned, so the final return value isn't reflected in the value of err at the point at which you're called.

I'm not new to golang and I'd say that if I don't know the answer right off, this code is rather confusing.

Copy link
Member Author


The named return value is always going to be the final return (as long as it's not shadowed), but since err is often shadowed I can see how this would be confusing. I'll wrap an internal admit to make it more clear.
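The two shapes discussed in this review, side by side, as an added example that is not code from the PR or from Kubernetes: `AdmitDeferred` keeps the named return plus deferred observer from the hunk, with the body deliberately shadowing `err`, and `AdmitWrapped` is the "wrap an internal admit" refactor. `Attributes`, `AdmitCounter`, `Plugin`, the privileged-pod rule and the sample pods are all constructed for this example and stand in for `admission.Attributes`, the Prometheus counters in metrics.go and the real policy matching.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Attributes stands in for admission.Attributes; the field set is an assumption
// made for this example, not the real Kubernetes interface.
type Attributes struct {
	Namespace  string
	PodName    string
	Privileged bool
}

// AdmitCounter is a constructed stand-in for the Prometheus counters the PR
// adds in metrics.go: it tallies admitted and rejected pod admissions.
type AdmitCounter struct {
	mu       sync.Mutex
	Admitted int
	Rejected int
}

// Observe plays the role of the PR's ObserveAdmit(rejected, attrs).
func (c *AdmitCounter) Observe(rejected bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if rejected {
		c.Rejected++
	} else {
		c.Admitted++
	}
}

// Plugin is a toy PodSecurityPolicy-style admission plugin with one
// hypothetical rule: privileged pods are rejected.
type Plugin struct {
	Counter AdmitCounter
}

var errNoPolicy = errors.New("no policy allows privileged containers")

// validate is the hypothetical policy check.
func (p *Plugin) validate(a Attributes) error {
	if a.Privileged {
		return errNoPolicy
	}
	return nil
}

// AdmitDeferred has the shape of the hunk under review: a named result err and
// a deferred observer. The body shadows err with `:=`, the pattern the reviewer
// found confusing. The deferred closure still sees the final result, because
// `return X` assigns X to the named err before deferred functions run, and Go
// refuses to compile a bare `return` while err is shadowed.
func (p *Plugin) AdmitDeferred(a Attributes) (err error) {
	defer func() {
		p.Counter.Observe(err != nil)
	}()
	if err := p.validate(a); err != nil { // a different variable from the named result
		return fmt.Errorf("pod %s/%s rejected: %w", a.Namespace, a.PodName, err)
	}
	return nil
}

// AdmitWrapped is the refactor the PR author proposes: the policy logic lives in
// an inner function, and the outer one observes a single, un-shadowed error.
func (p *Plugin) AdmitWrapped(a Attributes) error {
	err := p.admitInner(a)
	p.Counter.Observe(err != nil)
	return err
}

func (p *Plugin) admitInner(a Attributes) error {
	if err := p.validate(a); err != nil {
		return fmt.Errorf("pod %s/%s rejected: %w", a.Namespace, a.PodName, err)
	}
	return nil
}

// RunSample feeds constructed pods through one admit function on a fresh
// plugin and returns the resulting (admitted, rejected) counts.
func RunSample(admit func(*Plugin, Attributes) error) (int, int) {
	p := &Plugin{}
	pods := []Attributes{ // constructed sample input
		{Namespace: "default", PodName: "web", Privileged: false},
		{Namespace: "kube-system", PodName: "node-agent", Privileged: true},
		{Namespace: "default", PodName: "db", Privileged: false},
	}
	for _, a := range pods {
		_ = admit(p, a)
	}
	return p.Counter.Admitted, p.Counter.Rejected
}

func main() {
	a, r := RunSample((*Plugin).AdmitDeferred)
	fmt.Printf("deferred: admitted=%d rejected=%d\n", a, r)
	a, r = RunSample((*Plugin).AdmitWrapped)
	fmt.Printf("wrapped:  admitted=%d rejected=%d\n", a, r)
}
```

Both variants produce the same counts on the same input, which is the point of the thread: the named-result form is correct, and the wrapped form is the one a reader can verify without knowing the rule about named results and `defer`.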

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 18, 2017
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 18, 2017
@deads2k
Copy link
Contributor

deads2k commented Dec 19, 2017

The named return value is always going to be the final return (as long as it's not shadowed), but since err is often shadowed I can see how this would be confusing. I'll wrap an internal admit to make it more clear.

Thanks, that helps.

/lgtm
/approve no-issue

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 19, 2017
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, sttts, tallclair

Associated issue: #55030

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@deads2k
Copy link
Contributor

deads2k commented Dec 19, 2017

Oh, and if you catch it before it merges, a squash.

@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 19, 2017
@tallclair
Copy link
Member Author

Squashed. Reapplying LGTM.

@tallclair tallclair added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 19, 2017
@ixdy
Copy link
Member

ixdy commented Dec 19, 2017

/retest

@tallclair tallclair added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Dec 20, 2017
@tallclair
Copy link
Member Author

/retest

@k8s-github-robot
Copy link

[MILESTONENOTIFIER] Milestone Pull Request Needs Approval

@deads2k @jpbetz @sttts @tallclair @kubernetes/sig-auth-misc

Action required: This pull request must have the status/approved-for-milestone label applied by a SIG maintainer. If the label is not applied within 6 days, the pull request will be moved out of the v1.8 milestone.

Pull Request Labels
  • sig/auth: Pull Request will be escalated to these SIGs if needed.
  • priority/important-soon: Escalate to the pull request owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
  • kind/bug: Fixes a bug discovered during the current release.

@jpbetz jpbetz added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed cherrypick-candidate do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. labels Dec 20, 2017
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.


@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue.

@k8s-github-robot k8s-github-robot merged commit 24d0563 into kubernetes:release-1.8 Dec 20, 2017