This adds an Authentication/Authorization filter through Kubernetes'
TokenReview / SubjectAccessReview resources.
The client config for kube-state-metrics needs a clusterrole for
* apiGroups: authentication.k8s.io, resources: tokenreviews, verbs: create
* apiGroups: authorization.k8s.io, resources: subjectaccessreviews, verbs: create
The Prometheus client needs a clusterrole for
* nonResourceURLs: "/metrics", verbs: get
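As an added illustration of the filter this commit describes (example code written for this page, not the kube-state-metrics implementation, which goes through the Kubernetes client libraries): the exporter validates the scraper's bearer token with a TokenReview, then asks RBAC through a SubjectAccessReview whether that identity may `get` the non-resource URL `/metrics`. The two API paths and the JSON field names are the real `authentication.k8s.io/v1` and `authorization.k8s.io/v1` ones; the `authFilter` type with its `apiServer` and `selfToken` fields, the fake API server, the constructed tokens and the scraper identity `system:serviceaccount:monitoring:prometheus` are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Wire shapes of the two review objects, cut down to the fields used here.
type tokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct{ Token string `json:"token"` } `json:"spec"`
	Status     struct {
		Authenticated bool `json:"authenticated"`
		User          struct{ Username string `json:"username"` } `json:"user"`
	} `json:"status"`
}

type subjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		User                  string `json:"user"`
		NonResourceAttributes struct{ Path string `json:"path"`; Verb string `json:"verb"` } `json:"nonResourceAttributes"`
	} `json:"spec"`
	Status struct{ Allowed bool `json:"allowed"` } `json:"status"`
}

// authFilter guards /metrics; both reviews go out with the exporter's own credentials, hence its ClusterRole needs "create" on them.
type authFilter struct {
	apiServer string       // kube-apiserver base URL (assumed field)
	selfToken string       // the exporter's own service-account token (assumed field)
	next      http.Handler // the real /metrics handler
}

// post submits one review object and decodes the API server's verdict back into it.
func (f *authFilter) post(path string, obj interface{}) bool {
	body, _ := json.Marshal(obj)
	req, _ := http.NewRequest(http.MethodPost, f.apiServer+path, bytes.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+f.selfToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	return resp.StatusCode/100 == 2 && json.NewDecoder(resp.Body).Decode(obj) == nil
}

func (f *authFilter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Authentication: TokenReview says whether the token is valid and for whom.
	tr := &tokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview"}
	tr.Spec.Token = strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if tr.Spec.Token == "" || !f.post("/apis/authentication.k8s.io/v1/tokenreviews", tr) || !tr.Status.Authenticated {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	// Authorization: SubjectAccessReview asks RBAC whether that identity may "get" this non-resource URL.
	sar := &subjectAccessReview{APIVersion: "authorization.k8s.io/v1", Kind: "SubjectAccessReview"}
	sar.Spec.User = tr.Status.User.Username
	sar.Spec.NonResourceAttributes.Path = r.URL.Path
	sar.Spec.NonResourceAttributes.Verb = strings.ToLower(r.Method)
	if !f.post("/apis/authorization.k8s.io/v1/subjectaccessreviews", sar) || !sar.Status.Allowed {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	f.next.ServeHTTP(w, r)
}

// fakeAPIServer mimics the kube-apiserver (constructed): one valid token, whose identity may only "get" /metrics.
func fakeAPIServer(validToken string) *httptest.Server {
	const scraper = "system:serviceaccount:monitoring:prometheus"
	mux := http.NewServeMux()
	mux.HandleFunc("/apis/authentication.k8s.io/v1/tokenreviews", func(w http.ResponseWriter, r *http.Request) {
		var tr tokenReview
		_ = json.NewDecoder(r.Body).Decode(&tr)
		tr.Status.Authenticated, tr.Status.User.Username = tr.Spec.Token == validToken, scraper
		_ = json.NewEncoder(w).Encode(tr)
	})
	mux.HandleFunc("/apis/authorization.k8s.io/v1/subjectaccessreviews", func(w http.ResponseWriter, r *http.Request) {
		var sar subjectAccessReview
		_ = json.NewDecoder(r.Body).Decode(&sar)
		a := sar.Spec.NonResourceAttributes
		sar.Status.Allowed = sar.Spec.User == scraper && a.Path == "/metrics" && a.Verb == "get"
		_ = json.NewEncoder(w).Encode(sar)
	})
	return httptest.NewServer(mux)
}

// scrape pushes one request through the filter and returns the status the scraper sees.
func scrape(apiServer, token, path string) int {
	f := &authFilter{apiServer: apiServer, selfToken: "ksm-sa-token", next: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write([]byte("# metrics\n")) })}
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	f.ServeHTTP(rec, req)
	return rec.Code
}
```

The ordering matters: an empty or unauthenticated token is rejected with 401 before RBAC is consulted, and an authenticated identity without a ClusterRole granting `get` on `/metrics` gets 403, which is what the second ClusterRole in the commit exists for. A production filter would also cache review results for a short TTL, since every scrape otherwise costs two API server round trips.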
This change allows user-controlled limits on how many objects KSM will
list from the API. This is helpful to prevent resource exhaustion on
KSM, in case the API creates too many resources.
The object limit is set globally and applied per resource watched.
pkg/metric_generator/generator.go:32:22: 16 bytes saved: struct with 96 pointer bytes could be 80
pkg/metrics_store/metrics_store.go:31:19: 40 bytes saved: struct with 64 pointer bytes could be 24
pkg/options/options.go:42:14: 24 bytes saved: struct of size 384 could be 360
internal/store/builder.go:67:14: 8 bytes saved: struct of size 200 could be 192
internal/store/pod.go:1351:16: 8 bytes saved: struct with 16 pointer bytes could be 8
internal/store/pod.go:1477:20: 8 bytes saved: struct with 16 pointer bytes could be 8
internal/store/testutils.go:32:30: 16 bytes saved: struct with 136 pointer bytes could be 120
pkg/metricshandler/metrics_handler.go:46:21: 8 bytes saved: struct of size 104 could be 96
internal/discovery/types.go:39:19: 32 bytes saved: struct with 88 pointer bytes could be 56
pkg/customresourcestate/config.go:51:15: 16 bytes saved: struct with 112 pointer bytes could be 96
pkg/customresourcestate/config.go:134:16: 8 bytes saved: struct with 88 pointer bytes could be 80
pkg/customresourcestate/config.go:150:13: 8 bytes saved: struct with 40 pointer bytes could be 32
pkg/customresourcestate/config_metrics_types.go:29:18: 8 bytes saved: struct with 64 pointer bytes could be 56
pkg/customresourcestate/config_metrics_types.go:42:17: 8 bytes saved: struct with 40 pointer bytes could be 32
pkg/customresourcestate/registry_factory.go:125:21: 8 bytes saved: struct with 40 pointer bytes could be 32
pkg/customresourcestate/registry_factory.go:212:20: 16 bytes saved: struct with 88 pointer bytes could be 72
pkg/customresourcestate/registry_factory.go:377:23: 8 bytes saved: struct with 104 pointer bytes could be 96
pkg/customresourcestate/registry_factory.go:497:21: 8 bytes saved: struct with 64 pointer bytes could be 56
pkg/customresourcestate/registry_factory.go:549:13: 8 bytes saved: struct with 24 pointer bytes could be 16
Add automatic detection of container and system memory limits to control
the Go `GOMEMLIMIT` garbage collector feature. This helps reduce OOMs
by triggering GC when the process approaches system limits.
Signed-off-by: SuperQ <superq@gmail.com>
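An added sketch of the mechanism behind this commit (written for this page, not the project's code; the actual change may rely on a library for the detection): read the container's cgroup v2 `memory.max`, fall back to the host's `MemTotal` from `/proc/meminfo`, and hand a fraction of the result to the runtime through `debug.SetMemoryLimit`, the programmatic form of `GOMEMLIMIT`. The two file paths, the 0.9 ratio and all function names are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Where a cgroup v2 container and the host report their limits (assumed paths).
const (
	cgroupMemMax = "/sys/fs/cgroup/memory.max"
	procMeminfo  = "/proc/meminfo"
)

// parseCgroupMemMax reads a memory.max value: "max" means no container limit
// (returned as 0), anything else is the limit in bytes.
func parseCgroupMemMax(content string) int64 {
	s := strings.TrimSpace(content)
	if s == "" || s == "max" {
		return 0
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n <= 0 {
		return 0
	}
	return n
}

// parseMemTotal pulls MemTotal (given in kB) out of /proc/meminfo text and
// returns it in bytes, or 0 when the line is absent or malformed.
func parseMemTotal(content string) int64 {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "MemTotal:" {
			kb, err := strconv.ParseInt(f[1], 10, 64)
			if err != nil {
				return 0
			}
			return kb * 1024
		}
	}
	return 0
}

// chooseLimit prefers the container limit and falls back to host memory, then
// keeps only `ratio` of it: the Go heap is not the process's only memory, so a
// limit equal to the cgroup limit would still let the container be OOM-killed.
func chooseLimit(cgroupContent, meminfoContent string, ratio float64) int64 {
	base := parseCgroupMemMax(cgroupContent)
	if base == 0 {
		base = parseMemTotal(meminfoContent)
	}
	if base == 0 || ratio <= 0 || ratio > 1 {
		return 0
	}
	return int64(float64(base) * ratio)
}

// applyMemoryLimit hands the detected value to the runtime. An explicit
// GOMEMLIMIT set by the operator wins and is reported unchanged.
func applyMemoryLimit(cgroupPath, meminfoPath string, ratio float64) int64 {
	if os.Getenv("GOMEMLIMIT") != "" {
		return debug.SetMemoryLimit(-1) // a negative argument only queries the limit
	}
	cg, _ := os.ReadFile(cgroupPath) // an unreadable file behaves like "no limit"
	mi, _ := os.ReadFile(meminfoPath)
	limit := chooseLimit(string(cg), string(mi), ratio)
	if limit > 0 {
		debug.SetMemoryLimit(limit)
	}
	return limit
}

func main() {
	fmt.Printf("runtime memory limit: %d bytes\n", applyMemoryLimit(cgroupMemMax, procMeminfo, 0.9))
}
```

The headroom ratio is the part worth tuning: the memory limit only steers the garbage collector, it does not cap allocations, so a workload whose live heap genuinely exceeds the limit will still be OOM-killed, just later and after much more GC work.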
There are a few documented scenarios where `kube-state-metrics` will
lock up (#995, #1028). I believe a much simpler solution to ensure
`kube-state-metrics` doesn't lock up and require a restart to serve
`/metrics` requests is to add default read and write timeouts and to
allow them to be configurable. At Grafana, we've experienced a few
scenarios where `kube-state-metrics` running in larger clusters falls
behind and starts getting scraped multiple times. When this occurs,
`kube-state-metrics` becomes completely unresponsive and requires a
reboot. This is somewhat easily reproducible (I'll provide a script in
an issue) and causes other critical workloads (KEDA, VPA) to fail in
weird ways.
Adds two flags:
- `server-read-timeout`
- `server-write-timeout`
Updates the metrics http server to set the `ReadTimeout` and
`WriteTimeout` to the configured values.
This uses code pieces from prometheus/alertmanager in https://github.com/prometheus/alertmanager/blob/main/config/coordinator.go#LL56C26-L56C26
licensed under Apache-2.0.
kube_state_metrics_config_hash{type="config", filename="config.yml"} 4.0061079457904e+13
kube_state_metrics_config_last_reload_success_timestamp_seconds{type="config", filename="config.yml"} 1.6697483049487052e+09
kube_state_metrics_config_last_reload_successful{type="config", filename="config.yml"} 1
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
s/pflags/cobra/g:
* Use spf13/cobra to handle all flags and sub-commands.
* Remove all spf13/pflag usage, and fallback to the in-built flag
package if, and when needed.
* Add completion support.
Signed-off-by: Pranshu Srivastava <rexagod@gmail.com>
Support filtering label allowlist by "*", which will expand to the
enabled resources, while inferring their values based on its value(s).
Signed-off-by: Pranshu Srivastava <rexagod@gmail.com>
... to only monitor all known custom-resource configurations instead of
listing each of them explicitly
Signed-off-by: Mario Constanti <mario@constanti.de>
Remediate:
G104: Errors unhandled.
G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32
G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server
G304: Potential file inclusion via variable
G601: Implicit memory aliasing in for loop.
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
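The read/write timeouts added earlier on this page and gosec's G112 finding (no `ReadHeaderTimeout`) address the same failure mode: a client that opens a connection and never finishes its request pins a server goroutine, and enough of them, or enough overlapping scrapes, leave `/metrics` unresponsive. The example below is written for this page, not taken from the project: it builds the `http.Server` with `ReadTimeout`, `WriteTimeout` and `ReadHeaderTimeout` from configuration and checks, against a stalled loopback client, that a configured server drops the half-open request while an unconfigured one waits indefinitely. Only `server-read-timeout` and `server-write-timeout` are the commit's flag names; the `serverConfig` type, the `server-read-header-timeout` flag, the default durations and the function names are assumptions of the example.

```go
package main

import (
	"bufio"
	"flag"
	"fmt"
	"net"
	"net/http"
	"time"
)

// serverConfig holds the two timeouts the commit makes configurable plus the
// ReadHeaderTimeout that gosec G112 asks for (type and field names are this
// example's own).
type serverConfig struct {
	ReadTimeout       time.Duration
	WriteTimeout      time.Duration
	ReadHeaderTimeout time.Duration
}

// newMetricsServer builds the http.Server around whatever handler serves
// /metrics. With all three timeouts at zero (the old behaviour) a client that
// never finishes its request holds a goroutine and a connection indefinitely.
func newMetricsServer(addr string, cfg serverConfig, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadTimeout:       cfg.ReadTimeout,
		WriteTimeout:      cfg.WriteTimeout,
		ReadHeaderTimeout: cfg.ReadHeaderTimeout,
	}
}

// stalledRequestOutcome starts the server on a loopback port, opens one raw
// TCP connection that sends an unterminated header block and then goes quiet,
// and reports whether the server ended that connection within `wait`.
func stalledRequestOutcome(cfg serverConfig, wait time.Duration) (closed bool, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := newMetricsServer(ln.Addr().String(), cfg, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "# constructed sample\nup 1\n")
	}))
	go srv.Serve(ln)
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// The request line and one header arrive; the terminating blank line never does.
	if _, err := conn.Write([]byte("GET /metrics HTTP/1.1\r\nHost: ksm\r\n")); err != nil {
		return false, err
	}
	_ = conn.SetReadDeadline(time.Now().Add(wait))
	_, err = bufio.NewReader(conn).ReadByte()
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // our own deadline fired first: the server is still waiting
	}
	return true, nil // EOF, reset or an error response: the server gave up on the client
}

func main() {
	var cfg serverConfig
	// The first two flag names are the commit's; the third and all defaults are this example's.
	flag.DurationVar(&cfg.ReadTimeout, "server-read-timeout", 60*time.Second, "max duration for reading the whole request")
	flag.DurationVar(&cfg.WriteTimeout, "server-write-timeout", 60*time.Second, "max duration for writing the response")
	flag.DurationVar(&cfg.ReadHeaderTimeout, "server-read-header-timeout", 5*time.Second, "max duration for reading request headers")
	flag.Parse()
	closed, err := stalledRequestOutcome(cfg, 2*cfg.ReadHeaderTimeout)
	fmt.Printf("stalled client disconnected by server: %v (err=%v)\n", closed, err)
}
```

When `ReadHeaderTimeout` is zero, Go's server uses `ReadTimeout` for the header phase as well, which is why the commit's `server-read-timeout` alone already bounds a stalled header block; `ReadHeaderTimeout` lets that bound be much tighter than the budget allowed for a large, slow-to-arrive body, and `WriteTimeout` covers the other half of the lock-up, a scrape whose response can no longer be written because the client has stopped reading.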
This is more flexible than the env variable, as a configuration can still set an env variable and use substitution in the args. e.g.,
```yaml
args:
- --custom-resource-state.config
- $(KSM_CUSTOM_RESOURCE_STATE_CONFIG)
env:
...
```