From 97c75d320af9e4b5c1a9082342135c1c94b5eb81 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Mon, 14 Jun 2021 13:57:35 -0400
Subject: [PATCH] UPSTREAM: : annotate audit events for requests during unready phase and graceful termination phase
OpenShift-Rebase-Source: 9f6dcf376da
---
 .../k8s.io/apiserver/pkg/server/patch_genericapiserver.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/staging/src/k8s.io/apiserver/pkg/server/patch_genericapiserver.go b/staging/src/k8s.io/apiserver/pkg/server/patch_genericapiserver.go
index 1fe3b7e5ef901..46a734b29a0d2 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/patch_genericapiserver.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/patch_genericapiserver.go
@@ -17,6 +17,7 @@ limitations under the License.
 package server
 import (
+ "fmt"
 "net"
 "net/http"
 "strings"
@@ -26,6 +27,7 @@ import (
 "go.uber.org/atomic"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apiserver/pkg/audit"
 "k8s.io/klog/v2"
 netutils "k8s.io/utils/net"
 )
@@ -80,8 +82,10 @@ func WithLateConnectionFilter(handler http.Handler) http.Handler {
 if late {
 if pth := "/" + strings.TrimLeft(r.URL.Path, "/"); pth != "/readyz" && pth != "/healthz" && pth != "/livez" {
 if isLocal(r) {
+ audit.AddAuditAnnotation(r.Context(), "openshift.io/during-graceful", fmt.Sprintf("loopback=true,%v,readyz=false", r.URL.Host))
 klog.V(4).Infof("Loopback request to %q (user agent %q) through connection created very late in the graceful termination process (more than 80%% has passed). This client probably does not watch /readyz and might get failures when termination is over.", r.URL.Path, r.UserAgent())
 } else {
+ audit.AddAuditAnnotation(r.Context(), "openshift.io/during-graceful", fmt.Sprintf("loopback=false,%v,readyz=false", r.URL.Host))
 klog.Warningf("Request to %q (source IP %s, user agent %q) through a connection created very late in the graceful termination process (more than 80%% has passed), possibly a sign for a broken load balancer setup.", r.URL.Path, r.RemoteAddr, r.UserAgent())
 // create only one event to avoid event spam.
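Review bot: Both added `audit.AddAuditAnnotation` calls in WithLateConnectionFilter format `r.URL.Host` into the annotation value, but on a server-side request net/http normally leaves `r.URL.Host` empty unless the client sent an absolute-form request target, so the middle field will usually be blank; the Host header is in `r.Host`. Either value is client-supplied and is spliced unquoted and unlabelled into a comma-separated string, so a host containing `,` or `=` would make the annotation ambiguous for anyone parsing audit logs. If the Host header is what was intended, consider `fmt.Sprintf("loopback=false,host=%q,readyz=false", r.Host)` (and the `loopback=true` counterpart). The same applies to the two calls added in the WithNonReadyRequestLogging hunk; the handler body continues outside this hunk.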
@@ -118,9 +122,11 @@ func WithNonReadyRequestLogging(handler http.Handler, hasBeenReadySignal lifecyc
 if pth := "/" + strings.TrimLeft(r.URL.Path, "/"); pth != "/readyz" && pth != "/healthz" && pth != "/livez" {
 if isLocal(r) {
 if !isKubeApiserverLoopBack(r) {
+ audit.AddAuditAnnotation(r.Context(), "openshift.io/unready", fmt.Sprintf("loopback=true,%v,readyz=false", r.URL.Host))
 klog.V(2).Infof("Loopback request to %q (user agent %q) before server is ready. This client probably does not watch /readyz and might get inconsistent answers.", r.URL.Path, r.UserAgent())
 }
 } else {
+ audit.AddAuditAnnotation(r.Context(), "openshift.io/unready", fmt.Sprintf("loopback=false,%v,readyz=false", r.URL.Host))
 klog.Warningf("Request to %q (source IP %s, user agent %q) before server is ready, possibly a sign for a broken load balancer setup.", r.URL.Path, r.RemoteAddr, r.UserAgent())
 // create only one event to avoid event spam.
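Review bot: The `openshift.io/unready` annotation is only recorded if `r.Context()` already carries audit state when this handler runs; as far as I know `AddAuditAnnotation` returns silently when it does not, so a chain ordering in which WithNonReadyRequestLogging runs before the audit filter would drop these annotations with no error or log line. The ordering is not visible in this hunk, so a comment above the first call would help, e.g. `// requires the audit filter to have attached its state to the request context; otherwise the annotation is dropped`. A test asserting that the annotation shows up on a request served before readiness would pin the ordering. The same holds for the `openshift.io/during-graceful` calls in WithLateConnectionFilter; the function body continues outside this hunk.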