-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
annotation metrics, what is the future direction? #941
Comments
Should this be a BUG actually? The commit that was reverted is this one, which alongside the older |
Thanks for this, sorry we missed to respond to this. We should find a solution for this ASAP. I believe allow-listing like we do with other things might be good approach. Thoughts? cc @tariq1890 @brancz |
I think listing individual annotations that would be converted into metrics sounds appropriate. |
That would be great, it would fix the issue for our use case. |
@kirkharris1 with conferences coming up, we probably won't have time to work on this right now. But if you want to write up a short proposal for this and then start working on it, you are most welcome to! Do you want me to assign this issue for you? :) |
I can't do it, but i will ask around internally. |
Hi @lilic @kirkharris1, in our company we are also affected by this. I am more than happy to work on this if you can't find anyone etc |
@jw-s thank you |
@lilic I suggest sticking with the previous (old) implementation of having one metric with each whitelisted annotation included as labels in this metric. With this proposal, we'd have to create a new cli flag specifically for this annotation unfortunately, or we go with a new metric per annotation then we can re-use the existing whitelist/blacklist cli flags. Thoughts? |
@jw-s Yes we would need at least one new flag to specify the resource/annotation to whitelist, we do not want to blacklist approach here. cc @brancz @tariq1890 for thoughts |
Yes. I agree with @lilic in that we choose the approach of having a white(Allow) list. That way, users are not at the mercy of Kubernetes implementations that use annotations to store sensitive information. This provides users more control over what annotation metrics they want to allow/block as opposed to exposing all annotations and risk leaking sensitive data when they least expect it. While adding a new CLI flag may be unfortunate, it's worth making that tradeoff for security. |
Hello there, good people at Kubernetes :) |
We threw this together to get by in the meantime: https://github.com/utilitywarehouse/kube-namespace-annotations-exporter image: https://quay.io/repository/utilitywarehouse/kube-namespace-annotations-exporter |
I should have it finished this weekend! |
Note we do want to reintroduce this feature but due to the various security concerns we want to make sure each annotation exposed is explicitly white listed. |
@brancz My understanding was we introduce a new cli flag which is a whitelist for all annotation related metrics and of course, re-introduce the annotation related metrics as discussed. Is this not the case? |
Yes as that way the user consciously chooses the annotations to expose. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Hello, we are using old(not so reliable) version due to lack of annotation metrics. Is there any chance to implement solution described above? Should we find another way how to get annotations? |
There are various approaches outlined/in progress that are linked to this issue, please contribute to move this forward :) |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
My two cents on this: Adding annotation metrics can be possible if we use the same approach as we did with labels metrics, so e.g. kube_pod_labels. So we could have the same allow mechanism as is being now implemented for those metrics, see PR #1301 (comment). So for annotation metrics it could be Note that this will not go into 2.0 release but we can already start the work and can be merged into master and can be included into the next release. @brancz @tariq1890 and anyone on this thread, would this work for you? |
Completely agree on this. I don't think using Labels for this is the best approach and I would rather use annotations... so +1 for this feature. |
@lilic your suggestion sounds perfect. 💯 |
What is the status of this issue? I have exactly the same use-case as @calexandre (only for cron jobs). |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
This feature was implemented in #1468 and is now available in kube-state-metrics v2.2.0 so we can close this issue. /close |
@dgrisonnet: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
What happened:
We make extensive use of
kube_namespace_annotations
which has been removed. This PR #859 says "rethink the annotation metrics in a separate PR". Reading around the PRs and Issues, the main concern seems to be that annotations can be numerous/large and security concerns. Would it be acceptable to reinstate annotation metrics, but with them off by default and enabled in the startup args? Making it optional would allow users that don't have security concerns and do not have a large number of annotations to use it.If metrics carrying annotations will not be returning, then we will have to find another way internally so that we can upgrade beyond v1.6.0. For example, write an annotations exporter to run alongside kube-state. Before starting on that, i thought I would check to see if there are any plans/timescales that you can share.
Thanks
Environment:
kubectl version
): v1.15.3The text was updated successfully, but these errors were encountered: