Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PodSecurity] Aggregate identical warnings for multiple pods in a namespace #105889

Merged
merged 2 commits into from
Oct 26, 2021
Merged

[PodSecurity] Aggregate identical warnings for multiple pods in a namespace #105889

merged 2 commits into from
Oct 26, 2021

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Oct 25, 2021
edited
Loading

Addressing review comments from #103585.

First commit is by @njuptlzf

/kind feature

What this PR does / why we need it:

Fixes #103213

Aggregates identical warnings when validating multiple pods in a namespace

Benchmark comparison against master:

benchmark                                 old allocs     new allocs     delta
BenchmarkVerifyNamespace-12               54050          45041          -16.67%

benchmark                                 old bytes     new bytes     delta
BenchmarkVerifyNamespace-12               5401188       5030556       -6.86%

NONE

/assign @tallclair

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 25, 2021
@k8s-ci-robot
Copy link
Contributor

@liggitt: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 25, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 25, 2021
@liggitt liggitt mentioned this pull request Oct 25, 2021
Closed
@liggitt liggitt added this to the v1.23 milestone Oct 25, 2021
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 25, 2021
@liggitt liggitt added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Oct 25, 2021
tallclair
tallclair reviewed Oct 25, 2021
View reviewed changes
staging/src/k8s.io/pod-security-admission/admission/admission.go
// prepend pod names to warnings
decoratePodWarnings(podWarningsToCount, podWarnings)
// put warnings in a deterministic order
sort.Strings(podWarnings)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a slight preference for sorting before prepending the pod names. It means warning messages would always be in approximately the same order, irrespective of how workloads are named / across namespaces, etc.
Also means that warnings with a common failure (as long as it's first) will be grouped together

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm... I think sorting by pod name makes more sense:

  1. that's the same order kubectl get pods returns
  2. the warning lines will start with the pod name
  3. the lexical ordering of the warnings isn't particularly meaningful

ordering by pod looks like this:

Warning: backend-j23h42: non-default capabilities, unrestricted capabilities
Warning: frontend-h23gf2: allowPrivilegeEscalation != false
Warning: myjob-g342hj (and 1 other pod): host namespaces, allowPrivilegeEscalation != false

ordering by warning looks like this:

Warning: frontend-h23gf2: allowPrivilegeEscalation != false
Warning: myjob-g342hj (and 1 other pod): host namespaces, allowPrivilegeEscalation != false
Warning: backend-j23h42: non-default capabilities, unrestricted capabilities

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'm fine with this 👍

@liggitt
Copy link
Member Author

liggitt commented Oct 26, 2021

/retest

tallclair
tallclair reviewed Oct 26, 2021
View reviewed changes
Copy link
Member

@tallclair tallclair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 26, 2021
@k8s-ci-robot k8s-ci-robot merged commit c65a079 into kubernetes:master Oct 26, 2021
@liggitt liggitt deleted the aggregate-pods branch October 26, 2021 19:35
@liggitt liggitt mentioned this pull request Nov 3, 2021
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tallclair tallclair tallclair left review comments

@deads2k deads2k Awaiting requested review from deads2k

@krmayankk krmayankk Awaiting requested review from krmayankk

Assignees

@tallclair tallclair

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

[PodSecurity] Aggregate identical warnings for multiple pods in a namespace
4 participants
@liggitt @k8s-ci-robot @tallclair @njuptlzf