A set of refactorings to enable Kubernetes watch.

[igorpeshansky]

• Decouple metadata updates from polling.
• Factor out common functionality in Kubernetes API response processing.

[igorpeshansky]

@supriyagarg, would be great if you could review this as well.
The last change in the description probably deserves to be a separate PR, as it's not really semantics-preserving.

[bmoyles0117]

First pass, will comb through again.

[bmoyles0117]

Should this be GKE, are are we specifically talking about the compute platform? If the compute platform, I think a clarifying comment would help since the rename.

[igorpeshansky]

No, this is the platform of the instance on which the node is running on. We'll probably want to remove this anyway, because it's already present in the node metadata.

[bmoyles0117]

SGTM

[bmoyles0117]

Should we be returning out of this, so that we don't assume that the entity we're looking at is a pod?

[igorpeshansky]

I think in this case, assuming that it's a pod is fairly harmless and won't break anything downstream. We do log an error in case someone wanted to investigate. Not worth terminating the poll (i.e., throwing an exception) for.

[bmoyles0117]

SGTM

[bmoyles0117]

Fits on previous line.

[igorpeshansky]

I'm keeping this as one parameter per line, for readability.

[bmoyles0117]

SGTM

[bmoyles0117]

Building and using these labels seems heavily shared between containers and pods, can we recycle some code here?

[igorpeshansky]

We already share the label values. Unfortunately, once you start dynamically building arrays, this stops looking like a literal, which was the whole purpose.

[bmoyles0117]

SGTM

[bmoyles0117]

Caution, pretty sure the legacy resource type is using the namespace uid here, not the name. Just had to deal with this with the integration tests.

[igorpeshansky]

Hmm. The logging agent uses the namespace name (and pod name, for that matter) in the legacy resources, as I recall. If anything, I should be changing the pod id to pod name instead...
Good catch, but I think it's orthogonal to this refactoring. Let's open a bug and follow up.

[bmoyles0117]

SGTM, I'll file the bug and we'll address these issues there.

[bmoyles0117]

Wasn't there a strange hack around using the gke_container resource to monitor instances? Do we need to be capturing those as well?

[igorpeshansky]

I think you mean s/instances/nodes/. Yes, there was a hack for nodes (and pods), but it relied on setting the container name appropriately, so we don't have to worry about this -- this code deals with actual containers.

[bmoyles0117]

SGTM

[bmoyles0117]

Do I understand correctly that you are logging an error when the kubernetes pod spec containers array doesn't match the number of pods that actually exist within the pod? If so, it's important to note that this SHOULD be expected. The pod should only not conflict with its parent replicaset, but it doesn't need to be consistent with its parent deployment as it might be undergoing an active change.

[igorpeshansky]

Nope, this checks that the containers and container_specs arrays have the same size within a single pod returned by a single API call. If they don't, something's gone terribly wrong.

[bmoyles0117]

Is this even possible to occur? If it's such an extreme scenario, are we essentially validating the Kubernetes API at this point?

[igorpeshansky]

Yes, kind of. I don't know if it's possible. This is basically an assertion. I didn't want to crash when this occurs, because there's an obvious recovery path, so I just log an error and continue.

[bmoyles0117]

Nit: I understand the naming, but pod_metadata still led me to believe this was just metadata for pod resource types.

[igorpeshansky]

Renamed.

[bmoyles0117]

Why not just use api_version and kind here?

[igorpeshansky]

I'm confused. The path_component is based on api_version and kind, but there's more to it.

[bmoyles0117]

Sorry, I didn't realize how much KindPath was doing. SGTM.

[igorpeshansky]

Yeah, the joys of the Kubernetes Master API spec...

[bmoyles0117]

Unfamiliarity with C++ here, will there be any implications when using move when we start cleaning up resource metadata after being synced? Should resource callback get a copy? Perhaps it already is, just airing concerns.

[igorpeshansky]

std::move hands off the ownership of result to the callback. From here on, result does not own any memory.

[bmoyles0117]

My concern is that previously you passed in result.resource, and used std::move only on the metadata, whereas now you're moving the entire object and sharing it. Will that have any negative ramifications for the resource callback?

[igorpeshansky]

Nope, the callbacks are invoked sequentially, and the resource callback doesn't modify the result (and, in fact, doesn't touch result.metadata). After the metadata callback is invoked, the result's metadata is gone. As for moving the whole result as opposed to result.metadata, that support is added in dc2e1d3.

[bmoyles0117]

SGTM.

[igorpeshansky]

Addressed feedback. PTAL.

[igorpeshansky]

No, this is the platform of the instance on which the node is running on. We'll probably want to remove this anyway, because it's already present in the node metadata.

[igorpeshansky]

I think in this case, assuming that it's a pod is fairly harmless and won't break anything downstream. We do log an error in case someone wanted to investigate. Not worth terminating the poll (i.e., throwing an exception) for.

[igorpeshansky]

I'm keeping this as one parameter per line, for readability.

[igorpeshansky]

We already share the label values. Unfortunately, once you start dynamically building arrays, this stops looking like a literal, which was the whole purpose.

[igorpeshansky]

I think you mean s/instances/nodes/. Yes, there was a hack for nodes (and pods), but it relied on setting the container name appropriately, so we don't have to worry about this -- this code deals with actual containers.

[igorpeshansky]

Hmm. The logging agent uses the namespace name (and pod name, for that matter) in the legacy resources, as I recall. If anything, I should be changing the pod id to pod name instead...
Good catch, but I think it's orthogonal to this refactoring. Let's open a bug and follow up.

[igorpeshansky]

std::move hands off the ownership of result to the callback. From here on, result does not own any memory.

[igorpeshansky]

Nope, this checks that the containers and container_specs arrays have the same size within a single pod returned by a single API call. If they don't, something's gone terribly wrong.

[igorpeshansky]

Renamed.

[igorpeshansky]

I'm confused. The path_component is based on api_version and kind, but there's more to it.

[igorpeshansky]

Responded. PTAL.

[igorpeshansky]

Yes, kind of. I don't know if it's possible. This is basically an assertion. I didn't want to crash when this occurs, because there's an obvious recovery path, so I just log an error and continue.

[igorpeshansky]

Yeah, the joys of the Kubernetes Master API spec...

[igorpeshansky]

Nope, the callbacks are invoked sequentially, and the resource callback doesn't modify the result (and, in fact, doesn't touch result.metadata). After the metadata callback is invoked, the result's metadata is gone. As for moving the whole result as opposed to result.metadata, that support is added in dc2e1d3.

[bmoyles0117]

I can't think of a use-case where this would be helpful for now. It's simply enough to add the resource identifier later on that we might as well remove it for now.

[igorpeshansky]

Removed.

[bmoyles0117]

Nit: Rename to is_deleted or rename is_deleted in the container section to container_deleted for consistency.

[igorpeshansky]

Done.

[bmoyles0117]

Confused by the name, can this be container_statuses instead?

[igorpeshansky]

Done. Also renamed c_element.

[bmoyles0117]

Can you clarify, are we only running subqueries for pods, for the node that we're running on? I can't seem to find where we would list pods that may not be associated to a node due to scheduling restrictions by Kubernetes due to CPU / Memory / Host Ports / etc... Not having a local resource ID to query for is fine, but not syncing metadata would be bad from an observability point of view.

[igorpeshansky]

Correct. Unscheduled pods are out of scope for the current iteration. For now we only require metadata for pods/containers that have either logs or metrics associated with them, and all of those would have been scheduled to a node.

[bmoyles0117]

SGTM

[bmoyles0117]

SGTM.

[igorpeshansky]

Addressed comments. PTAL.

[igorpeshansky]

Removed.

[igorpeshansky]

Done.

[igorpeshansky]

Done. Also renamed c_element.

[igorpeshansky]

Correct. Unscheduled pods are out of scope for the current iteration. For now we only require metadata for pods/containers that have either logs or metrics associated with them, and all of those would have been scheduled to a node.

[igorpeshansky]

Pulled out owner memoization into #46.

[qingling128]

Just curious, why is this second map not keyed by resource_id as well?

[igorpeshansky]

Because that map is sent to to the Resource Metadata API, which neither knows nor cares about the local resource ids.

[qingling128]

Ah, got it. Makes sense.

[supriyagarg]

Curious - how is the local resource_id different from the monitored resource ID?

[igorpeshansky]

The local resource_id is an easily discoverable identifier for the resource that is unique within the current context (e.g., a Kubernetes node), but may not be globally unique, whereas the monitored resource (which actually is an id, so "monitored resource id" is redundant) is globally unique.

[igorpeshansky]

Rebased. PTAL.

[qingling128]

LGTM (Learning how to use github more efficiently LOL)

[bmoyles0117]

Would renaming this to container_status cause a bunch if line formatting issues? I got confused below when we sent the status metadata and provided the container, would have been more clear if it were container_status. Also throughout.

[igorpeshansky]

We'll have to change this code anyway to fix the list ordering issue -- it would make sense to change this in that PR. WDYT?

[bmoyles0117]

SGTM.

[bmoyles0117]

Container labels will never vary from the pod labels, should we really be sending this up? Is this simply a feature request for simplicity on the UI side?

[igorpeshansky]

This is an artifact of treating each container as a separate resource, so that's what the API expects.

[bmoyles0117]

I'm confused, the node doesn't need to send labels, these are raw kubernetes labels in the raw metadata, not resource labels.

[bmoyles0117]

When I say "node doesn't need to", I'm specifically referring to the part way above where the node sends off the raw metadata blob.

[igorpeshansky]

Both nodes and pods get the full Kubernetes object metadata, which includes the labels. Containers, on the other hand, have an artificially constructed metadata blob, which, instead of "raw", includes "spec", "status", and "labels" -- that's just the way it was defined. All of these are, in fact, redundant, because they're present in the pod metadata, but because containers are stored separately, the information is replicated. Note that this the way it's been since the start, and is orthogonal to this refactoring.

[bmoyles0117]

Alright, agreed that it's orthogonal. SGTM.

[bmoyles0117]

Shouldn't this be using the container ID instead of pod_id name? If not, can we rename the variable? I know this will likely be deprecated, but caught my eye for now.

[igorpeshansky]

Renamed.

[bmoyles0117]

SGTM

[igorpeshansky]

Addressed feedback. PTAL.

[igorpeshansky]

We'll have to change this code anyway to fix the list ordering issue -- it would make sense to change this in that PR. WDYT?

[igorpeshansky]

This is an artifact of treating each container as a separate resource, so that's what the API expects.

[igorpeshansky]

Renamed.

[bmoyles0117]

LGTM 🐿

[bmoyles0117]

Alright, agreed that it's orthogonal. SGTM.

[bmoyles0117]

SGTM.

[supriyagarg]

Curious - how is the local resource_id different from the monitored resource ID?

[supriyagarg]

What does "metadata mapping" mean. Is just "mapping" sufficient?

[igorpeshansky]

The metadata agent maintains two mappings:

• local resource map, from a locally unique id to the monitored resource (there may be multiple locally unique ids, all referring to the same monitored resource), which is exposed via a local endpoint to other agents so they don't have to discover all parts of the monitored resource themselves, and
• metadata map, from the monitored resource to the metadata blob, which is sent to the Resource Metadata API.

[supriyagarg]

legacy resource -> legacy container metadata?

[igorpeshansky]

There will be no actual metadata in the returned object (see the next line), so this is intentional.

[igorpeshansky]

@supriyagarg, responded to your comments. PTAL.

[igorpeshansky]

The local resource_id is an easily discoverable identifier for the resource that is unique within the current context (e.g., a Kubernetes node), but may not be globally unique, whereas the monitored resource (which actually is an id, so "monitored resource id" is redundant) is globally unique.

[igorpeshansky]

The metadata agent maintains two mappings:

• local resource map, from a locally unique id to the monitored resource (there may be multiple locally unique ids, all referring to the same monitored resource), which is exposed via a local endpoint to other agents so they don't have to discover all parts of the monitored resource themselves, and
• metadata map, from the monitored resource to the metadata blob, which is sent to the Resource Metadata API.

[igorpeshansky]

There will be no actual metadata in the returned object (see the next line), so this is intentional.

[supriyagarg]

Thanks for the clarifications Igor.

LGTM.