k8s.io/apiserver@v0.31.1/pkg/authorization/cel/metrics.go (about)

     1  /*
     2  Copyright 2024 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package cel
    18  
    19  import (
    20  	"context"
    21  	"sync"
    22  	"time"
    23  
    24  	"k8s.io/component-base/metrics"
    25  	"k8s.io/component-base/metrics/legacyregistry"
    26  )
    27  
// MatcherMetrics is the reporting surface for authorizer matchCondition
// evaluation. Every method is keyed by the type and name of the authorizer
// whose matchConditions were evaluated for an Authorize() call.
type MatcherMetrics interface {
	// RecordAuthorizationMatchConditionEvaluation records elapsed, the total
	// time taken to evaluate matchConditions for an Authorize() call to the
	// given authorizer.
	RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType string, authorizerName string, elapsed time.Duration)

	// RecordAuthorizationMatchConditionEvaluationFailure counts an Authorize()
	// call to the given authorizer during which any matchCondition evaluation
	// error was encountered.
	RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType string, authorizerName string)

	// RecordAuthorizationMatchConditionExclusion counts an Authorize() call
	// that was excluded from the given authorizer because at least one
	// matchCondition evaluated to false.
	RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType string, authorizerName string)
}
    37  
// NoopMatcherMetrics provides the three MatcherMetrics recording methods with
// empty bodies, so every observation handed to it is dropped. With this
// recorder in place, matchCondition evaluation errors and exclusions leave no
// trace in metrics, so nothing can alert on them.
type NoopMatcherMetrics struct{}

// RecordAuthorizationMatchConditionEvaluation discards the timing observation.
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration) {}

// RecordAuthorizationMatchConditionEvaluationFailure discards the failure event.
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string) {}

// RecordAuthorizationMatchConditionExclusion discards the exclusion event.
func (NoopMatcherMetrics) RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string) {}
    46  
// matcherMetrics is the stateless recorder returned by NewMatcherMetrics; its
// methods write to the package-level metric vectors declared in this file.
type matcherMetrics struct{}

// NewMatcherMetrics returns a MatcherMetrics backed by the package-level
// metric vectors. It calls RegisterMetrics before returning, so the caller
// does not have to register the metrics separately.
func NewMatcherMetrics() MatcherMetrics {
	var recorder matcherMetrics
	RegisterMetrics()
	return recorder
}
    53  
// namespace and subsystem are shared by every metric below. Combined with each
// metric's Name they give fully-qualified series names prefixed with
// apiserver_authorization_.
const (
	namespace = "apiserver"
	subsystem = "authorization"
)

// All three vectors carry the labels "type" and "name", which the Record*
// methods in this file fill from authorizerType and authorizerName, passed
// through unchanged.
// NOTE(review): series cardinality is bounded only if those values come from
// authorizer configuration rather than from request data; confirm at the call
// sites.
var (
	// authorizationMatchConditionEvaluationErrorsTotal counts Authorize() calls
	// during which a matchCondition evaluation error was encountered. An error
	// means the matchConditions could not be decided for that request; how the
	// request is then handled is decided outside this file, so this counter is
	// the signal to alert on.
	authorizationMatchConditionEvaluationErrorsTotal = metrics.NewCounterVec(
		&metrics.CounterOpts{
			Namespace:      namespace,
			Subsystem:      subsystem,
			Name:           "match_condition_evaluation_errors_total",
			Help:           "Total number of errors when an authorization webhook encounters a match condition error split by authorizer type and name.",
			StabilityLevel: metrics.ALPHA,
		},
		[]string{"type", "name"},
	)
	// authorizationMatchConditionExclusionsTotal counts Authorize() calls for
	// which the authorizer was skipped because its matchConditions excluded the
	// request. A skipped authorizer makes no decision on that request, so an
	// unexpected rise after a matchConditions change deserves a look.
	authorizationMatchConditionExclusionsTotal = metrics.NewCounterVec(
		&metrics.CounterOpts{
			Namespace:      namespace,
			Subsystem:      subsystem,
			Name:           "match_condition_exclusions_total",
			Help:           "Total number of exclusions when an authorization webhook is skipped because match conditions exclude it.",
			StabilityLevel: metrics.ALPHA,
		},
		[]string{"type", "name"},
	)
	// authorizationMatchConditionEvaluationSeconds is the latency histogram for
	// matchCondition evaluation. The largest explicit bucket is 0.25s, so
	// slower evaluations are only visible in the implicit +Inf bucket.
	authorizationMatchConditionEvaluationSeconds = metrics.NewHistogramVec(
		&metrics.HistogramOpts{
			Namespace:      namespace,
			Subsystem:      subsystem,
			Name:           "match_condition_evaluation_seconds",
			Help:           "Authorization match condition evaluation time in seconds, split by authorizer type and name.",
			Buckets:        []float64{0.001, 0.005, 0.01, 0.025, 0.1, 0.2, 0.25},
			StabilityLevel: metrics.ALPHA,
		},
		[]string{"type", "name"},
	)
)
    92  
// registerMetrics ensures the registration below runs at most once per process.
var registerMetrics sync.Once

// RegisterMetrics registers the three authorization matchCondition metrics
// with the legacy registry. Repeated calls are harmless: only the first one
// performs the registration.
func RegisterMetrics() {
	registerMetrics.Do(registerMatchConditionMetrics)
}

// registerMatchConditionMetrics performs the actual registration, one metric
// vector at a time, in the order errors, exclusions, latency.
func registerMatchConditionMetrics() {
	legacyregistry.MustRegister(authorizationMatchConditionEvaluationErrorsTotal)
	legacyregistry.MustRegister(authorizationMatchConditionExclusionsTotal)
	legacyregistry.MustRegister(authorizationMatchConditionEvaluationSeconds)
}
   102  
// ResetMetricsForTest calls Reset on each of the three matchCondition metric
// vectors so a test can start from a clean slate. It does not touch
// registration.
func ResetMetricsForTest() {
	for _, vec := range []interface{ Reset() }{
		authorizationMatchConditionEvaluationErrorsTotal,
		authorizationMatchConditionExclusionsTotal,
		authorizationMatchConditionEvaluationSeconds,
	} {
		vec.Reset()
	}
}
   108  
// RecordAuthorizationMatchConditionEvaluationFailure increments the
// evaluation-error counter for the series labelled with authorizerType and
// authorizerName.
func (matcherMetrics) RecordAuthorizationMatchConditionEvaluationFailure(ctx context.Context, authorizerType, authorizerName string) {
	errorCounters := authorizationMatchConditionEvaluationErrorsTotal.WithContext(ctx)
	errorCounters.WithLabelValues(authorizerType, authorizerName).Inc()
}
   112  
// RecordAuthorizationMatchConditionExclusion increments the exclusion counter
// for the series labelled with authorizerType and authorizerName.
func (matcherMetrics) RecordAuthorizationMatchConditionExclusion(ctx context.Context, authorizerType, authorizerName string) {
	exclusionCounters := authorizationMatchConditionExclusionsTotal.WithContext(ctx)
	exclusionCounters.WithLabelValues(authorizerType, authorizerName).Inc()
}
   116  
// RecordAuthorizationMatchConditionEvaluation observes elapsed, converted to
// seconds, in the evaluation-latency histogram for the series labelled with
// authorizerType and authorizerName.
func (matcherMetrics) RecordAuthorizationMatchConditionEvaluation(ctx context.Context, authorizerType, authorizerName string, elapsed time.Duration) {
	latency := authorizationMatchConditionEvaluationSeconds.WithContext(ctx).WithLabelValues(authorizerType, authorizerName)
	latency.Observe(elapsed.Seconds())
}