KEP-5284: beta #5886
KEP-5284: beta #5886
Conversation
Signed-off-by: Monis Khan <mok@microsoft.com>
|
@enj: GitHub didn't allow me to assign the following users: qiujian16. Note that only kubernetes members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
kind/kep
| These will be expanded to include metrics that cover the impersonation handler | ||
| to give an overall sense for the cost of impersonation: | ||
|
|
||
| - apiserver_impersonation_attempts_total (success per mode or failure) |
There was a problem hiding this comment.
because we're planning to check the new modes first, existing users of legacy impersonation would show up as metric failures for the constrained modes, right?
There was a problem hiding this comment.
or are you suggesting we would only record success-per-mode, or failure (not failure-per-mode)?
There was a problem hiding this comment.
or are you suggesting we would only record success-per-mode, or failure (not failure-per-mode)?
talked offline, this was the intent
update this to make that clearer, then lgtm
| These will be expanded to include metrics that cover the impersonation handler | ||
| to give an overall sense for the cost of impersonation: | ||
|
|
||
| - apiserver_impersonation_attempts_total (success per mode or failure) |
There was a problem hiding this comment.
can we answer the question "how many requests successfully impersonated" and "how many requests attempted impersonation and failed impersonation" without regard for the constrained-mode → legacy fallback? because we do fallbacks (associated-node → any-node → legacy), I'm trying to figure out how we would interpret failure counts per mode
for example, if failed impersonations prior to this feature are at X% and failed impersonations with the feature enabled are at 2X%, that would seem significant
There was a problem hiding this comment.
talked offline, failure metrics weren't per-mode... update this to make it clearer (explicitly listing the labels and values will help), then lgtm
| - apiserver_impersonation_attempts_total | ||
| - apiserver_impersonation_duration_seconds | ||
| - apiserver_impersonation_authorization_attempts_total | ||
| - apiserver_impersonation_authorization_duration_seconds |
There was a problem hiding this comment.
it's helpful to include the labels and possible values here if we know them (here and in the markdown)
for example https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3221-structured-authorization-configuration#monitoring and https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/3221-structured-authorization-configuration/kep.yaml#L31
|
Once updates already noted are made, lgtm. |
Signed-off-by: Monis Khan <mok@microsoft.com>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
github-project-automation
bot
moved this from Needs Triage
to Closed / Done
in SIG Auth
4 participants
/assign deads2k liggitt qiujian16