google · cirocosta · Aug 28, 2017 · Aug 29, 2017 · Sep 8, 2017 · Sep 8, 2017
diff --git a/container/docker/factory.go b/container/docker/factory.go
@@ -110,6 +110,9 @@ type dockerFactory struct {
 
 	dockerAPIVersion []int
 
+	enforceLabelWhitelist bool
+	labelWhitelist        []string
+
 	ignoreMetrics container.MetricSet
 
 	thinPoolName    string
@@ -145,6 +148,8 @@ func (self *dockerFactory) NewContainerHandler(name string, inHostNamespace bool
 		self.thinPoolName,
 		self.thinPoolWatcher,
 		self.zfsWatcher,
+		self.enforceLabelWhitelist,
+		self.labelWhitelist,
 	)
 	return
 }
@@ -309,7 +314,7 @@ func ensureThinLsKernelVersion(kernelVersion string) error {
 }
 
 // Register root container before running this function!
-func Register(factory info.MachineInfoFactory, fsInfo fs.FsInfo, ignoreMetrics container.MetricSet) error {
+func Register(factory info.MachineInfoFactory, fsInfo fs.FsInfo, ignoreMetrics container.MetricSet, enforceLabelWhitelist bool, labelWhiteList []string) error {
 	client, err := Client()
 	if err != nil {
 		return fmt.Errorf("unable to communicate with docker daemon: %v", err)
@@ -354,18 +359,20 @@ func Register(factory info.MachineInfoFactory, fsInfo fs.FsInfo, ignoreMetrics c
 
 	glog.Infof("Registering Docker factory")
 	f := &dockerFactory{
-		cgroupSubsystems:   cgroupSubsystems,
-		client:             client,
-		dockerVersion:      dockerVersion,
-		dockerAPIVersion:   dockerAPIVersion,
-		fsInfo:             fsInfo,
-		machineInfoFactory: factory,
-		storageDriver:      storageDriver(dockerInfo.Driver),
-		storageDir:         RootDir(),
-		ignoreMetrics:      ignoreMetrics,
-		thinPoolName:       thinPoolName,
-		thinPoolWatcher:    thinPoolWatcher,
-		zfsWatcher:         zfsWatcher,
+		cgroupSubsystems:      cgroupSubsystems,
+		client:                client,
+		dockerVersion:         dockerVersion,
+		dockerAPIVersion:      dockerAPIVersion,
+		enforceLabelWhitelist: enforceLabelWhitelist,
+		labelWhitelist:        labelWhiteList,
+		fsInfo:                fsInfo,
+		machineInfoFactory:    factory,
+		storageDriver:         storageDriver(dockerInfo.Driver),
+		storageDir:            RootDir(),
+		ignoreMetrics:         ignoreMetrics,
+		thinPoolName:          thinPoolName,
+		thinPoolWatcher:       thinPoolWatcher,
+		zfsWatcher:            zfsWatcher,
 	}
 
 	container.RegisterContainerHandlerFactory(f, []watcher.ContainerWatchSource{watcher.Raw})

diff --git a/container/docker/handler.go b/container/docker/handler.go
@@ -84,6 +84,12 @@ type dockerContainerHandler struct {
 	// Time at which this container was created.
 	creationTime time.Time
 
+	// indicates whether labels should be collected
+	enforceLabelWhitelist bool
+
+	// labels whitelisted for collection
+	labelWhitelist []string
+
 	// Metadata associated with the container.
 	labels map[string]string
 	envs   map[string]string
@@ -153,6 +159,8 @@ func newDockerContainerHandler(
 	thinPoolName string,
 	thinPoolWatcher *devicemapper.ThinPoolWatcher,
 	zfsWatcher *zfs.ZfsWatcher,
+	enforceLabelWhitelist bool,
+	labelWhitelist []string,
 ) (container.ContainerHandler, error) {
 	// Create the cgroup paths.
 	cgroupPaths := make(map[string]string, len(cgroupSubsystems.MountPoints))
@@ -208,23 +216,25 @@ func newDockerContainerHandler(
 
 	// TODO: extract object mother method
 	handler := &dockerContainerHandler{
-		id:                 id,
-		client:             client,
-		name:               name,
-		machineInfoFactory: machineInfoFactory,
-		cgroupPaths:        cgroupPaths,
-		cgroupManager:      cgroupManager,
-		storageDriver:      storageDriver,
-		fsInfo:             fsInfo,
-		rootFs:             rootFs,
-		poolName:           thinPoolName,
-		zfsFilesystem:      zfsFilesystem,
-		rootfsStorageDir:   rootfsStorageDir,
-		envs:               make(map[string]string),
-		ignoreMetrics:      ignoreMetrics,
-		thinPoolWatcher:    thinPoolWatcher,
-		zfsWatcher:         zfsWatcher,
-		zfsParent:          zfsParent,
+		id:                    id,
+		client:                client,
+		name:                  name,
+		machineInfoFactory:    machineInfoFactory,
+		cgroupPaths:           cgroupPaths,
+		cgroupManager:         cgroupManager,
+		storageDriver:         storageDriver,
+		enforceLabelWhitelist: enforceLabelWhitelist,
+		labelWhitelist:        labelWhitelist,
+		fsInfo:                fsInfo,
+		rootFs:                rootFs,
+		poolName:              thinPoolName,
+		zfsFilesystem:         zfsFilesystem,
+		rootfsStorageDir:      rootfsStorageDir,
+		envs:                  make(map[string]string),
+		ignoreMetrics:         ignoreMetrics,
+		thinPoolWatcher:       thinPoolWatcher,
+		zfsWatcher:            zfsWatcher,
+		zfsParent:             zfsParent,
 	}
 
 	// We assume that if Inspect fails then the container is not known to docker.
@@ -242,7 +252,14 @@ func newDockerContainerHandler(
 
 	// Add the name and bare ID as aliases of the container.
 	handler.aliases = append(handler.aliases, strings.TrimPrefix(ctnr.Name, "/"), id)
-	handler.labels = ctnr.Config.Labels
+
+	if enforceLabelWhitelist {
+		handler.labels = map[string]string{}
+	} else {
+		handler.labels = ctnr.Config.Labels
+	}
+
+	handler.labelWhitelist = labelWhitelist
 	handler.image = ctnr.Config.Image
 	handler.networkMode = ctnr.HostConfig.NetworkMode
 	handler.deviceID = ctnr.GraphDriver.Data["DeviceId"]
@@ -274,6 +291,15 @@ func newDockerContainerHandler(
 		}
 	}
 
+	// retrieve desired labels
+	for _, exposedLabel := range labelWhitelist {
+		labelValue, present := ctnr.Config.Labels[exposedLabel]
+		if !present {
+			continue
+		}
+		handler.labels[exposedLabel] = labelValue
+	}
+
 	// split env vars to get metadata map.
 	for _, exposedEnv := range metadataEnvs {
 		for _, envVar := range ctnr.Config.Env {
@@ -382,13 +408,27 @@ func (self *dockerContainerHandler) GetSpec() (info.ContainerSpec, error) {
 	spec, err := common.GetSpec(self.cgroupPaths, self.machineInfoFactory, self.needNet(), hasFilesystem)
 
 	spec.Labels = self.labels
-	// Only adds restartcount label if it's greater than 0
-	if self.restartCount > 0 {
-		spec.Labels["restartcount"] = strconv.Itoa(self.restartCount)
-	}
 	spec.Envs = self.envs
 	spec.Image = self.image
 
+	// Only adds restartcount label if it's greater than 0 and is
+	// a whitelisted label in case enforceWhitelist is set.
+	if self.restartCount < 1 {
+		return spec, err
+	}
+
+	if self.enforceLabelWhitelist {
+		for _, label := range self.labelWhitelist {
+			if label != "restartCount" {
+				continue
+			}
+
+			spec.Labels["restartcount"] = strconv.Itoa(self.restartCount)
+		}
+	} else {
+		spec.Labels["restartcount"] = strconv.Itoa(self.restartCount)
+	}
+
 	return spec, err
 }
 

diff --git a/container/rkt/factory.go b/container/rkt/factory.go
@@ -33,6 +33,10 @@ type rktFactory struct {
 
 	cgroupSubsystems *libcontainer.CgroupSubsystems
 
+	enforceLabelWhitelist bool
+
+	labelWhitelist []string
+
 	fsInfo fs.FsInfo
 
 	ignoreMetrics container.MetricSet
@@ -54,7 +58,7 @@ func (self *rktFactory) NewContainerHandler(name string, inHostNamespace bool) (
 	if !inHostNamespace {
 		rootFs = "/rootfs"
 	}
-	return newRktContainerHandler(name, client, self.rktPath, self.cgroupSubsystems, self.machineInfoFactory, self.fsInfo, rootFs, self.ignoreMetrics)
+	return newRktContainerHandler(name, client, self.rktPath, self.cgroupSubsystems, self.machineInfoFactory, self.fsInfo, rootFs, self.ignoreMetrics, self.enforceLabelWhitelist, self.labelWhitelist)
 }
 
 func (self *rktFactory) CanHandleAndAccept(name string) (bool, bool, error) {
@@ -67,7 +71,7 @@ func (self *rktFactory) DebugInfo() map[string][]string {
 	return map[string][]string{}
 }
 
-func Register(machineInfoFactory info.MachineInfoFactory, fsInfo fs.FsInfo, ignoreMetrics container.MetricSet) error {
+func Register(machineInfoFactory info.MachineInfoFactory, fsInfo fs.FsInfo, ignoreMetrics container.MetricSet, enforceLabelWhitelist bool, labelWhiteList []string) error {
 	_, err := Client()
 	if err != nil {
 		return fmt.Errorf("unable to communicate with Rkt api service: %v", err)
@@ -88,11 +92,13 @@ func Register(machineInfoFactory info.MachineInfoFactory, fsInfo fs.FsInfo, igno
 
 	glog.Infof("Registering Rkt factory")
 	factory := &rktFactory{
-		machineInfoFactory: machineInfoFactory,
-		fsInfo:             fsInfo,
-		cgroupSubsystems:   &cgroupSubsystems,
-		ignoreMetrics:      ignoreMetrics,
-		rktPath:            rktPath,
+		machineInfoFactory:    machineInfoFactory,
+		fsInfo:                fsInfo,
+		enforceLabelWhitelist: enforceLabelWhitelist,
+		labelWhitelist:        labelWhiteList,
+		cgroupSubsystems:      &cgroupSubsystems,
+		ignoreMetrics:         ignoreMetrics,
+		rktPath:               rktPath,
 	}
 	container.RegisterContainerHandlerFactory(factory, []watcher.ContainerWatchSource{watcher.Rkt})
 	return nil

diff --git a/container/rkt/handler.go b/container/rkt/handler.go
@@ -72,7 +72,7 @@ type rktContainerHandler struct {
 	apiPod *rktapi.Pod
 }
 
-func newRktContainerHandler(name string, rktClient rktapi.PublicAPIClient, rktPath string, cgroupSubsystems *libcontainer.CgroupSubsystems, machineInfoFactory info.MachineInfoFactory, fsInfo fs.FsInfo, rootFs string, ignoreMetrics container.MetricSet) (container.ContainerHandler, error) {
+func newRktContainerHandler(name string, rktClient rktapi.PublicAPIClient, rktPath string, cgroupSubsystems *libcontainer.CgroupSubsystems, machineInfoFactory info.MachineInfoFactory, fsInfo fs.FsInfo, rootFs string, ignoreMetrics container.MetricSet, enforceLabelWhitelist bool, labelWhitelist []string) (container.ContainerHandler, error) {
 	aliases := make([]string, 1)
 	isPod := false
 
@@ -110,7 +110,8 @@ func newRktContainerHandler(name string, rktClient rktapi.PublicAPIClient, rktPa
 		pid = int(resp.Pod.Pid)
 		apiPod = resp.Pod
 	}
-	labels = createLabels(annotations)
+
+	labels = createLabels(annotations, enforceLabelWhitelist, labelWhitelist)
 
 	cgroupPaths := common.MakeCgroupPaths(cgroupSubsystems.MountPoints, name)
 
@@ -164,10 +165,25 @@ func findAnnotations(apps []*rktapi.App, container string) ([]*rktapi.KeyValue,
 	return nil, false
 }
 
-func createLabels(annotations []*rktapi.KeyValue) map[string]string {
-	labels := make(map[string]string)
+func createLabels(annotations []*rktapi.KeyValue, enforceLabelWhitelist bool, labelWhitelist []string) map[string]string {
+	containerLabels := make(map[string]string)
+
 	for _, kv := range annotations {
-		labels[kv.Key] = kv.Value
+		containerLabels[kv.Key] = kv.Value
+	}
+
+	if !enforceLabelWhitelist {
+		return containerLabels
+	}
+
+	labels := make(map[string]string)
+	for _, whitelistedLabel := range labelWhitelist {
+		label, present := containerLabels[whitelistedLabel]
+		if !present {
+			continue
+		}
+
+		labels[whitelistedLabel] = label
 	}
 
 	return labels

diff --git a/docs/runtime_options.md b/docs/runtime_options.md
@@ -39,6 +39,16 @@ From [glog](https://github.com/golang/glog) here are some flags we find useful:
 --vmodule=: comma-separated list of pattern=N settings for file-filtered logging
 ```
 
+## Labels
+
+Both Docker and Rkt labels support restricting the amount of labels collected by `cadvisor`. 
+
+```
+--enforce_label_whitelist=false: whether or not to enforce whitelisting of labels
+--label_whitelist="": comma-separated list of label keys that are allowed to be collected
+```
+
+
 ## Docker
 
 ```

diff --git a/manager/manager.go b/manager/manager.go
@@ -53,6 +53,8 @@ import (
 
 var globalHousekeepingInterval = flag.Duration("global_housekeeping_interval", 1*time.Minute, "Interval between global housekeepings")
 var logCadvisorUsage = flag.Bool("log_cadvisor_usage", false, "Whether to log the usage of the cAdvisor container")
+var enforceLabelWhitelist = flag.Bool("enforce_label_whitelist", false, "enforces label whitelisting")
+var labelWhitelist = flag.String("label_whitelist", "", "comma-separated list of label keys that are allowed to be collected for docker and rkt containers")
 var eventStorageAgeLimit = flag.String("event_storage_age_limit", "default=24h", "Max length of time for which to store events (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or \"default\" and the value is a duration. Default is applied to all non-specified event types")
 var eventStorageEventLimit = flag.String("event_storage_event_limit", "default=100000", "Max number of events to store (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or \"default\" and the value is an integer. Default is applied to all non-specified event types")
 var applicationMetricsCountLimit = flag.Int("application_metrics_count_limit", 100, "Max number of application metrics to store (per container)")
@@ -255,12 +257,14 @@ type manager struct {
 
 // Start the container manager.
 func (self *manager) Start() error {
-	err := docker.Register(self, self.fsInfo, self.ignoreMetrics)
+	labelsWhiteList := strings.Split(*labelWhitelist, ",")
+
+	err := docker.Register(self, self.fsInfo, self.ignoreMetrics, *enforceLabelWhitelist, labelsWhiteList)
 	if err != nil {
 		glog.Warningf("Docker container factory registration failed: %v.", err)
 	}
 
-	err = rkt.Register(self, self.fsInfo, self.ignoreMetrics)
+	err = rkt.Register(self, self.fsInfo, self.ignoreMetrics, *enforceLabelWhitelist, labelsWhiteList)
 	if err != nil {
 		glog.Warningf("Registration of the rkt container factory failed: %v", err)
 	} else {