Adds whitelisting of docker labels [#1730] #1735
Conversation
|
Hi @cirocosta. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
cirocosta
changed the title
|
/ok-to-test |
|
If we only had one flag, how would we differentiate between "send all labels" and "send no labels"? I think having two is fine. |
|
In docker/handler.go:GetSpec(), we should check to see if we are enforcing the whitelist and if "restartcount" is in the whitelist before adding "restartcount" as a label" |
|
Oh, I totally missed restartcount, nice catch! About the naming ( However, I think it only makes sense if we include Thx!
|
This commit adds two extra flags to 'docker':
- docker_label_metadata_whitelist:
indicates a set of labels to be retrieved from the containers
when 'no_labels' is specified.
- docker_no_labels:
forces no fetching of docker container labels.
As 'noLabels' is meant to be enforced for all labels, 'restartcount' (a label) must also be checked against the set of labels whitelisted in such case.
|
Hey @dashpole, sorry for the delay, only found time today; could you please take a look once again? I also updated the 'docs' document related to runtime configs, do you think the format is appropriate? I'm having some problems manually testing the I ran a container using and also initiated then when I start which leads to an error in am I doing something wrong here? Thx! |
| // retrieve desired labels | ||
| for _, exposedLabel := range labelWhitelist { | ||
| labelValue, present := ctnr.Config.Labels[exposedLabel] | ||
| if !present { |
There was a problem hiding this comment.
nit: condense this
if labelValue, present := ctnr.Config.Labels[exposedLabel]; present {
handler.labels[exposedLabel] = labelValue
}
| @@ -53,6 +53,8 @@ import ( | |||
|
|
|||
| var globalHousekeepingInterval = flag.Duration("global_housekeeping_interval", 1*time.Minute, "Interval between global housekeepings") | |||
| var logCadvisorUsage = flag.Bool("log_cadvisor_usage", false, "Whether to log the usage of the cAdvisor container") | |||
| var enforceLabelWhitelist = flag.Bool("enforce_label_whitelist", false, "enforces label whitelisting") | |||
| var labelWhitelist = flag.String("label_whitelist", "", "comma-separated list of label keys that are allowed to be collected for docker and rkt containers") | |||
There was a problem hiding this comment.
dont specify the runtime here: ... "collected for containers"
| @@ -39,6 +39,16 @@ From [glog](https://github.com/golang/glog) here are some flags we find useful: | |||
| --vmodule=: comma-separated list of pattern=N settings for file-filtered logging | |||
| ``` | |||
|
|
|||
| ## Labels | |||
|
|
|||
| Both Docker and Rkt labels support restricting the amount of labels collected by `cadvisor`. | |||
There was a problem hiding this comment.
I would omit runtimes here as well: " cadvisor can restrict the set of labels it collects from containers. This can be useful in ensuring metrics have a consistent set of labels."
|
I am not sure. I would not worry about the rkt integration (dont make any changes there). Once this is merged, ill open an issue to track that these flags do not have rkt or cri-o support. |
|
Any chances that this comes up into master? The Patch is awesome, we used it to monitor our swarm cluster. |
|
@dashpole, @cirocosta - I'd be super interested in these changes as well, because we heavily rely on labels on our containers for a bunch of other reasons which aren't really applicable to Prometheus monitoring. If it's just a matter of addressing those nitpicks (and resolving the recent merge conflicts), I'd be happy to get that done, sign the CLA, and contribute changes back. Was that all you'd be looking to address with this or are there other changes made of late that should be considered? |
|
closing in favor of #1984 |
Hey,
going after #1730, the PR adds two flags:
-docker_no_labels: forces no retrieval of labels-docker_label_whitelist: whitelists labels to be retrieved in casedocker_no_labelsis setThe first flag is useful not only for a proper implementation of the second but also for those that don't need labels at all but receive them in push-based systems (like InfluxDB).
Do you think it makes sense to keep them separate? I wondered if we could force
docker_no_labelsviadocker_label_whitelist=""(empty slice), but that didn't feel very right (I prefer the explicitness of having both).Also, should I add an integration test for this behavior? Should I add a handler test?
Thanks!
Without
docker_no_labels, we expect receiving all the labels:With
docker_no_labels, 0 labels:With
docker_no_labelsanddocker_label_metadata_whitelist=com.docker.compose.servicewe expect receiving only the label whitelisted:With
docker_label_metadata_whitelistbut nodocker_no_labelswe expect receiving all labels: