-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reports aggregation in a separate process #32
base: main
Are you sure you want to change the base?
Conversation
You've got some relics from another KDP you used as a template in here :) |
8244e13
to
05028a7
Compare
Fixed the one in the |
05028a7
to
f9d0c2d
Compare
Removed |
1. At admission time, all policies running in audit mode are run against the admission request and produce report results. | ||
1. When a policy is created/updated/deleted, if the policy can run in background mode, reports are updated according to the policy changes. | ||
1. Periodically, policies running in background mode are re eveluated against resources present in the cluster and reports are updated accordingly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Index:
1.
2.
3.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will appear correctly in md viewer.
# Proposal | ||
|
||
In this proposal, we study the possibility to change the way reports are generated by: | ||
- creating one report per resource |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is report here a report change request or a policy report?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested with RCR but could be a policy report as well.
@eddycharly If you align the reports and TTL with each resource, then it seems like we could just populate the report in the status of the resource itself. I would think that would simplify the architecture. Aggregation would occur by reading the resource status. |
@Boojapho The status of analysed resources ? |
Just realized when you asked this that Kyverno doesn't own the status fields of the analyzed resources. So, this wouldn't work. You could achieve a similar effect using annotations on the analyzed resource. But, that would require you to have write access to all resources, so that's not going to work either. |
Yeah, basically we want a report, makes sense that it lives in it's own type. |
It seems that creating a 1:1 mapping of resource:report could really put a squeeze on Kubernetes' data store (etcd). To me, it still seems like splitting reports per policy (and overflowing to more if the need arises) may be more efficient. |
Splitting per policy has some advantages too but we won't be able to use k8s native garbage collection. |
Initially I thought we were going to set ownerReference for RCRs (to solve the current RCR cleanup issue), and generate a report per namespace when we discussed offline. |
That's what i have now. This doesn't make a real difference for @chipzoller point though, it's still a one:one mapping. |
I meant to generate an RCR per resource, and merge RCRs to a single policy report for one namespace. |
True but I don't know if it's an issue, when managing a large cluster you usually size the control plane adequately. |
Do you expect that we remove the RCR once merged into the report ? |
No, per this proposal, the RCR shares the same lifecycle with the resource. Just that in addition to creating the RCR per resource, we will merge RCRs into one report per namespace. But this could increase the size by x2 as we duplicate the data. |
Are you suggesting that we don't need to aggregate at the namespace level ? ;-) |
You should consider minimizing the Kubernetes API call load in the solution. The more you can aggregate in memory and then write to the report once, the less probability of hitting throttling issues. |
Definitely. On the other hand, The solution we have now is not perfect, we are constantly creating/deleting RCRs instead of keeping them around and updating them when necessary. |
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
f9d0c2d
to
8529ac0
Compare
This has already been completed, yes? |
This PR proposes to change the way we generate reports by generating per resource reports, let Kubernetes take care of reports lifecycle, and aggregate reports into higher level reports in a separate process/controller.
It is aligned with other KDPs meant to decompose Kyverno in multiple processes.